Unsolved
18 Posts
0
2958
Redirected searches on IE and Firefox - please help, I have tried all kinds of anti-spyware and nothing is working
I have a browser hijacker problem that I cannot figure out - by looking at another post it looks like I have a corrupted host file? I have tried SpyBot, SpyDoctor, Microsoft Security, Spyware Blaster, Avast, Malwarebytes... can anyone help me?
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:52:09 AM, on 3/29/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qwest.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.mg5.mail.yahoo.com/dc/launch?.gx=1&.rand=22iueibg12q0v
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yma3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yma3
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2061014
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: YSPManager - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files\Yahoo!\Search Protection\ysp.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus CX5000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVA.EXE /FU "C:\WINDOWS\TEMP\E_S229.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10m_ActiveX.exe -update activex
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - C:\Program Files\Yahoo!\Search Protection\ysp.dll
O9 - Extra 'Tools' menuitem: Yahoo! Search Protection - {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - C:\Program Files\Yahoo!\Search Protection\ysp.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Qwest Live - {8F448DD6-D3BA-47F0-BC57-E6BA05E74983} - http://qwest.live.com (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo2.walgreens.com/WalgreensActivia.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Filter hijack: text/html - {7b6875a5-1610-458d-8f6a-f3f8cad928b4} - C:\WINDOWS\mark_32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Google Update Service (gupdate1c98a12e8536556) (gupdate1c98a12e8536556) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 10022 bytes
kevin27_b3d29f
1.5K Posts
0
April 3rd, 2011 03:00
Hi Chzbrger,
Welcome to Dell Community Malware Removal Forums,
Sorry for the delay in getting to you, I'm K27 and I will be reviewing your log for you.
Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.
Please DO NOT use this system for anything apart from visiting this forum and other sites I direct you to, as this will only make the cleanup process all the more difficult.
Failure to reply in three (3) days will result in this topic being closed and I will remove it from my notifications. If you require more time then that is fine, but please let me know.
Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:
In the Applications Tab:
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.
Then:
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
I then need to see some additional information about what is happening in your machine.
Please perform the following scan:
1. DDS.txt
2. Attach.txt
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE
Please copy/paste back the MBAM log and BOTH DDS logs for review.
Thanks.
chzbrger
18 Posts
0
April 3rd, 2011 19:00
Thank you for the response! Before I heard back I heard about the CWShredder application and it may have solved my problem - would you still recommend having my logs analyzed? (I'm sorry I didn't have a chance to change my post before your response.) Thanks!
kevin27_b3d29f
1.5K Posts
0
April 4th, 2011 01:00
Hi,
I would strongly recommend posting the logs; with redirect issues there is a high chance that you may have a Rootkit on board. If you would like to continue, please post the logs provided.
Thanks.
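As an added triage example (not part of this thread and not a tool the helper asked for), the script below parses lines in the two log formats posted here, HijackThis "Oxx" entries and DDS "SERVICES / DRIVERS" entries, and flags the entry classes a malware-removal helper reads first: the O18 filter hijack and O10 unknown LSP from the opening post, O4 startup shortcuts whose target could not be resolved, and driver lines with random-looking eight-letter names and no file date/size recorded. The sample input is constructed from entries in the logs in this thread; the eight-letter-name heuristic and the "high"/"review" labels are this example's own assumptions, not rules from HijackThis or DDS.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: a handful of lines in the two formats seen in
# this thread, HijackThis "Oxx" entries and DDS "SERVICES / DRIVERS" entries.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - Global Startup: Digital Line Detect.lnk = ?
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Filter hijack: text/html - {7b6875a5-1610-458d-8f6a-f3f8cad928b4} - C:\WINDOWS\mark_32.dll
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-3-23 301528]
S1 aysavaxx;aysavaxx;\??\c:\windows\system32\drivers\aysavaxx.sys --> c:\windows\system32\drivers\aysavaxx.sys [?]
S1 dycihimh;dycihimh;\??\c:\windows\system32\drivers\dycihimh.sys --> c:\windows\system32\drivers\dycihimh.sys [?]
"""


@dataclass
class Finding:
    severity: str  # "high" = look at first, "review" = verify before touching
    line: str
    reason: str


# HijackThis entry classes that deserve a look regardless of what else is in the log.
HJT_O18 = re.compile(r"^O18 - Filter hijack: (?P<mime>\S+) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
HJT_O10 = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
HJT_O4_UNRESOLVED = re.compile(r"^O4 - .* = \?$")

# DDS driver/service line: "<state> <name>;<display name>;<path and file info>".
DDS_DRIVER = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# Eight lower-case letters with no recognisable vendor prefix; this script's
# own heuristic (an assumption of the example, not a DDS rule).
RANDOM_NAME = re.compile(r"^[a-z]{8}$")


def triage_line(line: str):
    """Return a Finding for one log line, or None if the line is unremarkable."""
    line = line.strip()
    m = HJT_O18.match(line)
    if m:
        return Finding("high", line,
                       f"filter handler registered for {m['mime']} in {m['path']}; "
                       "such a handler sees every page of that type the browser loads")
    m = HJT_O10.match(line)
    if m:
        return Finding("review", line,
                       f"Winsock LSP that HijackThis could not identify: {m['path']}")
    if HJT_O4_UNRESOLVED.match(line):
        return Finding("review", line, "startup shortcut whose target could not be resolved")
    m = DDS_DRIVER.match(line)
    if m:
        reasons = []
        if RANDOM_NAME.match(m["name"]):
            reasons.append("random-looking eight-letter service name")
        if m["rest"].rstrip().endswith("[?]"):
            reasons.append("no file date/size recorded for the driver")
        if reasons:
            severity = "high" if len(reasons) == 2 else "review"
            return Finding(severity, line, "; ".join(reasons))
    return None


def triage(log_text: str):
    """Run triage_line over a whole log and keep only the lines that produced a finding."""
    findings = []
    for raw in log_text.splitlines():
        f = triage_line(raw)
        if f is not None:
            findings.append(f)
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'review': 2}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

The script only ranks lines for a human to look at; it does not decide what to remove. Lines that produce no finding (the Adobe BHO, the avast! Run entry, the signed aswSP driver) are still worth reading, and a "high" finding still needs the file checked before anything is deleted, which is why the helper in this thread asks for the DDS logs before giving fix instructions.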
chzbrger
18 Posts
0
April 4th, 2011 20:00
OK, great, thanks. Here are the logs:
Malwarebytes log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6271
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11
4/4/2011 9:05:18 PM
mbam-log-2011-04-04 (21-05-18).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 190348
Time elapsed: 43 minute(s), 9 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
DDS logs:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Eric DeYoung at 21:24:18.84 on Mon 04/04/2011
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.469 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Eric DeYoung\My Documents\Downloads\dds(1).com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://us.mg5.mail.yahoo.com/dc/launch?.gx=1&.rand=22iueibg12q0v
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://qwest.live.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Windows Internet Explorer
mDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yma3
mStart Page = hxxp://www.yahoo.com/?fr=fp-yma3
uInternet Settings,ProxyOverride =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [EPSON Stylus CX5000 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibva.exe /fu "c:\windows\temp\E_S229.tmp" /EF "HKLM"
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
uPolicies-system: DisableLockWorkstation = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo2.walgreens.com/WalgreensActivia.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\ericde~1\applic~1\mozilla\firefox\profiles\518xzb96.default\
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-23 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-3-23 301528]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl26e284da;MpKsl26e284da;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{628f997f-9bc3-4b0b-81e7-d2d4a869f1b6}\MpKsl26e284da.sys [2011-4-4 28752]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-3-23 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-3-23 42184]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S1 aysavaxx;aysavaxx;\??\c:\windows\system32\drivers\aysavaxx.sys --> c:\windows\system32\drivers\aysavaxx.sys [?]
S1 dycihimh;dycihimh;\??\c:\windows\system32\drivers\dycihimh.sys --> c:\windows\system32\drivers\dycihimh.sys [?]
S1 gskrdqwk;gskrdqwk;\??\c:\windows\system32\drivers\gskrdqwk.sys --> c:\windows\system32\drivers\gskrdqwk.sys [?]
S1 hgcqpgrl;hgcqpgrl;\??\c:\windows\system32\drivers\hgcqpgrl.sys --> c:\windows\system32\drivers\hgcqpgrl.sys [?]
S1 htzwckvw;htzwckvw;\??\c:\windows\system32\drivers\htzwckvw.sys --> c:\windows\system32\drivers\htzwckvw.sys [?]
S1 ixthvmwc;ixthvmwc;\??\c:\windows\system32\drivers\ixthvmwc.sys --> c:\windows\system32\drivers\ixthvmwc.sys [?]
S1 kimezjsp;kimezjsp;\??\c:\windows\system32\drivers\kimezjsp.sys --> c:\windows\system32\drivers\kimezjsp.sys [?]
S1 lftjhcsc;lftjhcsc;\??\c:\windows\system32\drivers\lftjhcsc.sys --> c:\windows\system32\drivers\lftjhcsc.sys [?]
S1 njmctyra;njmctyra;\??\c:\windows\system32\drivers\njmctyra.sys --> c:\windows\system32\drivers\njmctyra.sys [?]
S1 nraokdhg;nraokdhg;\??\c:\windows\system32\drivers\nraokdhg.sys --> c:\windows\system32\drivers\nraokdhg.sys [?]
S1 nzjfxqjs;nzjfxqjs;\??\c:\windows\system32\drivers\nzjfxqjs.sys --> c:\windows\system32\drivers\nzjfxqjs.sys [?]
S1 obfvlddf;obfvlddf;\??\c:\windows\system32\drivers\obfvlddf.sys --> c:\windows\system32\drivers\obfvlddf.sys [?]
S1 pqpsozec;pqpsozec;\??\c:\windows\system32\drivers\pqpsozec.sys --> c:\windows\system32\drivers\pqpsozec.sys [?]
S1 qgffakcw;qgffakcw;\??\c:\windows\system32\drivers\qgffakcw.sys --> c:\windows\system32\drivers\qgffakcw.sys [?]
S1 rnhetqzs;rnhetqzs;\??\c:\windows\system32\drivers\rnhetqzs.sys --> c:\windows\system32\drivers\rnhetqzs.sys [?]
S1 sctxshpc;sctxshpc;\??\c:\windows\system32\drivers\sctxshpc.sys --> c:\windows\system32\drivers\sctxshpc.sys [?]
S1 sparyilh;sparyilh;\??\c:\windows\system32\drivers\sparyilh.sys --> c:\windows\system32\drivers\sparyilh.sys [?]
S1 tmvmfdhb;tmvmfdhb;\??\c:\windows\system32\drivers\tmvmfdhb.sys --> c:\windows\system32\drivers\tmvmfdhb.sys [?]
S1 tmywegcr;tmywegcr;\??\c:\windows\system32\drivers\tmywegcr.sys --> c:\windows\system32\drivers\tmywegcr.sys [?]
S1 vajeveck;vajeveck;\??\c:\windows\system32\drivers\vajeveck.sys --> c:\windows\system32\drivers\vajeveck.sys [?]
S1 vehhyiet;vehhyiet;\??\c:\windows\system32\drivers\vehhyiet.sys --> c:\windows\system32\drivers\vehhyiet.sys [?]
S2 gupdate1c98a12e8536556;Google Update Service (gupdate1c98a12e8536556);c:\program files\google\update\GoogleUpdate.exe [2009-2-8 133104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
.
=============== Created Last 30 ================
.
2011-04-04 21:56:39 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{628f997f-9bc3-4b0b-81e7-d2d4a869f1b6}\MpKsl26e284da.sys
2011-04-04 21:55:50 6792528 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{628f997f-9bc3-4b0b-81e7-d2d4a869f1b6}\mpengine.dll
2011-04-03 19:34:58 -------- d-----w- c:\program files\CCleaner
2011-04-01 01:46:16 6792528 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-03-30 17:16:49 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-03-30 17:07:27 -------- d-----w- c:\program files\Microsoft Security Client
2011-03-29 13:49:10 388096 ----a-r- c:\docume~1\ericde~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-03-28 18:50:55 -------- d-----w- c:\documents and settings\eric deyoung\DoctorWeb
2011-03-26 20:40:12 -------- d-----w- c:\docume~1\ericde~1\applic~1\Malwarebytes
2011-03-26 20:39:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-26 20:39:49 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-26 20:39:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-26 20:39:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-25 20:35:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-25 20:35:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-03-25 19:38:59 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-03-25 19:38:59 19416 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
2011-03-25 19:38:59 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-03-25 19:38:59 125912 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
2011-03-25 19:28:55 -------- d-----w- c:\docume~1\ericde~1\locals~1\applic~1\Mozilla
2011-03-24 13:26:51 -------- d-----w- c:\program files\SpywareBlaster
2011-03-23 14:06:02 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-03-23 14:05:40 40648 ----a-w- c:\windows\avastSS.scr
2011-03-23 13:44:15 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-23 13:44:15 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-23 13:23:43 -------- d-----w- c:\docume~1\ericde~1\applic~1\Sammsoft
2011-03-23 13:23:31 -------- d-----w- c:\program files\ARO 2011
.
==================== Find3M ====================
.
2011-04-01 13:36:15 502272 ----a-w- c:\windows\system32\winlogon.exe
2011-04-01 13:36:15 1033216 ----a-w- c:\windows\explorer.exe
2011-02-04 23:48:32 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 23:48:30 291840 ----a-w- c:\windows\system32\sbe.dll
2009-04-11 16:02:15 21068096 ----a-w- c:\program files\FTBDL.exe
.
============= FINISH: 21:25:54.17 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 10/20/2006 3:00:50 PM
System Uptime: 4/4/2011 2:08:38 AM (19 hours ago)
.
Motherboard: Dell Inc. | | 0KD882
Processor: Genuine Intel(R) CPU T2300 @ 1.66GHz | Microprocessor | 1661/133mhz
Processor: Genuine Intel(R) CPU T2300 @ 1.66GHz | Microprocessor | 1662/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 79 GiB total, 41.564 GiB free.
D: is FIXED (NTFS) - 27 GiB total, 26.447 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 3/17/2011 8:12:19 PM - System Checkpoint
RP2: 3/18/2011 8:22:43 PM - System Checkpoint
RP3: 3/19/2011 9:09:06 PM - System Checkpoint
RP4: 3/20/2011 9:37:19 PM - System Checkpoint
RP5: 3/21/2011 9:58:17 PM - System Checkpoint
RP6: 3/23/2011 8:23:31 AM - ARO 2011 - Before Installation
RP7: 3/23/2011 8:24:05 AM - ARO 2011 - FIRST RUN
RP8: 3/23/2011 8:32:26 AM - ARO 2011 Wed, Mar 23, 11 08:32
RP9: 3/23/2011 8:43:00 AM - Restore Operation
RP10: 3/23/2011 9:05:33 AM - avast! Free Antivirus Setup
RP11: 3/24/2011 9:26:35 AM - System Checkpoint
RP12: 3/25/2011 9:58:28 AM - System Checkpoint
RP13: 3/26/2011 4:15:15 PM - System Checkpoint
RP14: 3/28/2011 2:16:48 PM - System Checkpoint
RP15: 3/29/2011 8:49:07 AM - Installed HiJackThis
RP16: 3/30/2011 8:51:00 AM - System Checkpoint
RP17: 3/31/2011 9:15:37 AM - System Checkpoint
RP18: 3/31/2011 8:45:41 PM - Software Distribution Service 3.0
RP19: 4/2/2011 9:59:02 AM - Software Distribution Service 3.0
RP20: 4/3/2011 12:47:50 PM - Software Distribution Service 3.0
RP21: 4/4/2011 1:22:50 PM - System Checkpoint
RP22: 4/4/2011 4:55:16 PM - Software Distribution Service 3.0
RP23: 4/4/2011 8:16:06 PM - Removed NetWaiting
RP24: 4/4/2011 8:16:47 PM - Removed NetZeroInstallers
.
==== Installed Programs ======================
.
Actiontec Gateway
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.8
AOLIcon
avast! Free Antivirus
Broadcom Management Programs
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 3.8
Canon Utilities EOS Utility
Canon Utilities Original Data Security Tools
Canon Utilities PhotoStitch
Canon Utilities Picture Style Editor
Canon Utilities WFT Utility
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CCleaner
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell Digital Jukebox Driver
Dell Support 3.2
Dell System Restore
Dell Wireless WLAN Card
Digital Content Portal
Digital Line Detect
DIGOpt
DIGReqEx
Documentation & Support Launcher
ELIcon
EPSON CX5000 Series User's Guide
EPSON Printer Software
EPSON Scan
EPSON Stylus CX5000 Scanner Driver Update
EPSON Web-To-Page
Family Tree Maker 2006
Games, Music, & Photos Launcher
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
High Definition Audio Driver Package - KB835221
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB908673)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB981793)
Intel(R) Graphics Media Accelerator Driver
Internet Service Offers Launcher
LiveUpdate 2.6 (Symantec Corporation)
Malwarebytes' Anti-Malware
MathPlayer
McAfee Security Scan Plus
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Office Outlook Connector
Microsoft Picture It! Library 9
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft RAW Image Thumbnailer and Viewer for Windows XP Version 1.0 (Build 50)
Microsoft Security Client
Microsoft Security Essentials
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox 4.0 (x86 en-US)
MSN
MSN Encarta Plus Support Files
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB973686)
OneCare Advisor (Windows Live Toolbar)
Otto
Photo Transport
PowerDVD 5.7
QuickConnect
QuickTime
Qwest eChat Support Tools
RealPlayer Basic
SearchAssist
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Smart Menus (Windows Live Toolbar)
Sonic Encoders
SpywareBlaster 4.4
Tweak UI
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB914882)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
URL Assistant
WebEx Support Manager for Internet Explorer
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890927
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892627
Windows XP Hotfix - KB893056
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Yahoo! Search Protection
Yahoo! Software Update
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
4/1/2011 8:16:06 AM, error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.L&threatid=2147643949 Name: Virus:Win32/Bamital.L ID: 2147643949 Severity: Severe Category: Virus Path: file:_C:\WINDOWS\system32\winlogon.exe;process:_pid:912 Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: \??\C:\WINDOWS\system32\winlogon.exe Action: Clean Action Status: To finish removing malware and other potentially unwanted software, restart the computer. Error Code: 0x800704ec Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator. Signature Version: AV: 1.101.563.0, AS: 1.101.563.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.6702.0, NIS: 0.0.0.0
4/1/2011 8:16:06 AM, error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.L&threatid=2147643949 Name: Virus:Win32/Bamital.L ID: 2147643949 Severity: Severe Category: Virus Path: file:_C:\WINDOWS\explorer.exe;process:_pid:268;winlogonshell:_HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\SHELL:Explorer.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\WINDOWS\Explorer.EXE Action: Clean Action Status: To finish removing malware and other potentially unwanted software, restart the computer. Error Code: 0x800704ec Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator. Signature Version: AV: 1.101.563.0, AS: 1.101.563.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.6702.0, NIS: 0.0.0.0
3/31/2011 8:49:13 PM, error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.L&threatid=2147643949 Name: Virus:Win32/Bamital.L ID: 2147643949 Severity: Severe Category: Virus Path: file:_C:\WINDOWS\system32\winlogon.exe;process:_pid:912 Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: D8CVMYB1\Eric DeYoung Process Name: \??\C:\WINDOWS\system32\winlogon.exe Action: Quarantine Action Status: To finish removing malware and other potentially unwanted software, restart the computer. Error Code: 0x800704ec Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator. Signature Version: AV: 1.101.563.0, AS: 1.101.563.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.6702.0, NIS: 0.0.0.0
3/31/2011 8:49:13 PM, error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.L&threatid=2147643949 Name: Virus:Win32/Bamital.L ID: 2147643949 Severity: Severe Category: Virus Path: file:_C:\WINDOWS\explorer.exe;process:_pid:268;winlogonshell:_HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\SHELL:Explorer.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: D8CVMYB1\Eric DeYoung Process Name: C:\WINDOWS\Explorer.EXE Action: Quarantine Action Status: To finish removing malware and other potentially unwanted software, restart the computer. Error Code: 0x800704ec Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator. Signature Version: AV: 1.101.563.0, AS: 1.101.563.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.6702.0, NIS: 0.0.0.0
3/31/2011 8:49:12 PM, error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.L&threatid=2147643949 Name: Virus:Win32/Bamital.L ID: 2147643949 Severity: Severe Category: Virus Path: file:_C:\WINDOWS\system32\winlogon.exe;process:_pid:912 Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: D8CVMYB1\Eric DeYoung Process Name: \??\C:\WINDOWS\system32\winlogon.exe Action: Clean Action Status: To finish removing malware and other potentially unwanted software, restart the computer. Error Code: 0x800704ec Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator. Signature Version: AV: 1.101.563.0, AS: 1.101.563.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.6702.0, NIS: 0.0.0.0
3/31/2011 8:49:12 PM, error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.L&threatid=2147643949 Name: Virus:Win32/Bamital.L ID: 2147643949 Severity: Severe Category: Virus Path: file:_C:\WINDOWS\explorer.exe;process:_pid:268;winlogonshell:_HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\SHELL:Explorer.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: D8CVMYB1\Eric DeYoung Process Name: C:\WINDOWS\Explorer.EXE Action: Clean Action Status: To finish removing malware and other potentially unwanted software, restart the computer. Error Code: 0x800704ec Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator. Signature Version: AV: 1.101.563.0, AS: 1.101.563.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.6702.0, NIS: 0.0.0.0
3/31/2011 8:48:52 PM, error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.L&threatid=2147643949 Name: Virus:Win32/Bamital.L ID: 2147643949 Severity: Severe Category: Virus Path: file:_C:\WINDOWS\system32\winlogon.exe;process:_pid:912 Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: D8CVMYB1\Eric DeYoung Process Name: \??\C:\WINDOWS\system32\winlogon.exe Action: Quarantine Action Status: To finish removing malware and other potentially unwanted software, restart the computer. Error Code: 0x800704ec Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator. Signature Version: AV: 1.101.563.0, AS: 1.101.563.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.6702.0, NIS: 0.0.0.0
3/31/2011 8:48:52 PM, error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.L&threatid=2147643949 Name: Virus:Win32/Bamital.L ID: 2147643949 Severity: Severe Category: Virus Path: file:_C:\WINDOWS\explorer.exe;process:_pid:268;winlogonshell:_HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\SHELL:Explorer.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: D8CVMYB1\Eric DeYoung Process Name: C:\WINDOWS\Explorer.EXE Action: Quarantine Action Status: To finish removing malware and other potentially unwanted software, restart the computer. Error Code: 0x800704ec Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator. Signature Version: AV: 1.101.563.0, AS: 1.101.563.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.6702.0, NIS: 0.0.0.0
3/31/2011 8:48:51 PM, error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.L&threatid=2147643949 Name: Virus:Win32/Bamital.L ID: 2147643949 Severity: Severe Category: Virus Path: file:_C:\WINDOWS\system32\winlogon.exe;process:_pid:912 Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: D8CVMYB1\Eric DeYoung Process Name: \??\C:\WINDOWS\system32\winlogon.exe Action: Clean Action Status: To finish removing malware and other potentially unwanted software, restart the computer. Error Code: 0x800704ec Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator. Signature Version: AV: 1.101.563.0, AS: 1.101.563.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.6702.0, NIS: 0.0.0.0
3/31/2011 8:48:51 PM, error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.L&threatid=2147643949 Name: Virus:Win32/Bamital.L ID: 2147643949 Severity: Severe Category: Virus Path: file:_C:\WINDOWS\explorer.exe;process:_pid:268;winlogonshell:_HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\SHELL:Explorer.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: D8CVMYB1\Eric DeYoung Process Name: C:\WINDOWS\Explorer.EXE Action: Clean Action Status: To finish removing malware and other potentially unwanted software, restart the computer. Error Code: 0x800704ec Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator. Signature Version: AV: 1.101.563.0, AS: 1.101.563.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.6702.0, NIS: 0.0.0.0
3/31/2011 8:33:30 PM, error: ipnathlp [32003] - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
3/30/2011 12:10:02 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
3/30/2011 12:10:02 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
.
==== End Of File ===========================
kevin27_b3d29f
1.5K Posts
0
April 5th, 2011 14:00
Hi,
Your system is still very heavily infected. There are system-critical files that have been infected; if any security applications prompt to remove anything, please DO NOT allow them to do so.
Before we dive into the clean-up, we need to take some precautions. First we need to remove one of the Anti-Virus programs that you have installed; having more than one AV is not a good idea, as they will conflict with each other and leave your system just as vulnerable as not having any. Both Avast and MS Security Essentials are very good, so it is up to you which one you keep. Please pick one and then uninstall the other.
Please also uninstall:
LiveUpdate 2.6 (Symantec Corporation)
McAfee Security Scan Plus
And then reboot the system.
Then please open Notepad and copy/paste the text in the quote box below into it:
Save this as search.bat
Choose to "Save type as - All Files"
Save it on your desktop.
It should look like this:
Double click on search.bat & allow it to run.
A black DOS window will open; please be patient. Even if it reports "No file found", just leave it for a while to find the files and wait for the Notepad file to open automatically.
Once the search has finished there will be a Notepad file saved to your desktop; please copy/paste the contents of the Notepad file back to me. And please let me know which AV you decided to keep so we can remove any remains of the other should we need to.
Thanks
K27
chzbrger
18 Posts
0
April 5th, 2011 18:00
Hi K27,
I kept the Avast and got rid of the Microsoft Security Essentials. Thanks for your help, here is the log file contents:
Volume in drive C has no label.
Volume Serial Number is 747B-4471
Directory of C:\i386
08/10/2004 05:00 AM 359,533 EXPLORER.EX_
08/10/2004 05:00 AM 181 EXPLORER.SC_
2 File(s) 359,714 bytes
Directory of C:\WINDOWS
04/01/2011 08:36 AM 1,033,216 explorer.exe
08/10/2004 05:00 AM 80 explorer.scf
2 File(s) 1,033,296 bytes
Directory of C:\WINDOWS\$hf_mig$\KB938828\SP2QFE
06/13/2007 06:26 AM 1,033,216 explorer.exe
1 File(s) 1,033,216 bytes
Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e
04/13/2008 07:12 PM 1,033,728 explorer.exe
1 File(s) 1,033,728 bytes
Directory of C:\WINDOWS\system32\dllcache
06/13/2007 05:23 AM 1,033,216 explorer.exe
1 File(s) 1,033,216 bytes
Total Files Listed:
7 File(s) 4,493,170 bytes
0 Dir(s) 44,741,414,912 bytes free
Volume in drive C has no label.
Volume Serial Number is 747B-4471
Directory of C:\i386
08/10/2004 05:00 AM 502,272 winlogon.exe
1 File(s) 502,272 bytes
Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e
04/13/2008 07:12 PM 507,904 winlogon.exe
1 File(s) 507,904 bytes
Directory of C:\WINDOWS\system32
04/01/2011 08:36 AM 502,272 winlogon.exe
1 File(s) 502,272 bytes
Total Files Listed:
3 File(s) 1,512,448 bytes
0 Dir(s) 44,741,414,912 bytes free
kevin27_b3d29f
1.5K Posts
0
April 6th, 2011 13:00
Hi,
Good Work,
Please Disable all Anti-virus/Anti-Spyware/FireWall on your machine(instructions via links below)
Please download ComboFix.exe. Please visit THIS webpage for download links, and instructions for running the tool:
ComboFix MUST be saved to your desktop before running the tool
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
When prompted to install the recovery console please make sure to do so, as this is a VERY IMPORTANT backup of ComboFix (XP only; Vista/Windows 7 will NOT be prompted to install the recovery console).
You will need to be connected to the net to install the recovery console. If you can not install it, DO NOT run ComboFix.
Post back and we will install it manually.
DO NOT mouse click when ComboFix is running as this will cause ComboFix to Stall and it will not work as it should
EXTRA NOTES:
Please include the C:\ComboFix.txt in your next reply for further review.
Thanks,
K27.
chzbrger
18 Posts
0
April 6th, 2011 19:00
Hi,
I don't think I can install Windows Recovery Console? Thanks.
kevin27_b3d29f
1.5K Posts
0
April 7th, 2011 00:00
Hi,
Please explain further, what is the exact problem.
Thanks.
chzbrger
18 Posts
0
April 7th, 2011 08:00
Sorry - not sure what I did wrong but tried again and got it installed. Even though I disabled Avast for an hour, it restarted when the computer restarted during ComboFix and I had to disable it again - doesn't seem like it interfered with ComboFix though.
Here is the ComboFix log:
ComboFix 11-04-06.03 - Eric DeYoung 04/07/2011 8:50.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.586 [GMT -5:00]
Running from: c:\documents and settings\Eric DeYoung\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Eric DeYoung\WINDOWS
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-07 to 2011-04-07 )))))))))))))))))))))))))))))))
.
.
2011-04-07 01:57 . 2002-01-08 22:00 176128 ----a-w- c:\windows\system32\RcdScan.dll
2011-04-07 01:57 . 2000-03-23 17:50 446464 ----a-r- c:\windows\system32\hhactivex.dll
2011-04-07 01:57 . 1999-05-07 18:24 645616 ----a-w- c:\windows\system32\MSCOMCT2.OCX
2011-04-07 01:57 . 1999-05-07 18:24 414944 ----a-w- c:\windows\system32\COMCT332.OCX
2011-04-07 01:57 . 1998-11-10 15:46 328480 ----a-w- c:\windows\system32\ssa3d30.ocx
2011-04-07 01:57 . 1998-06-18 04:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2011-04-07 01:56 . 2000-01-04 10:39 212992 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\ILog.dll
2011-04-05 23:58 . 2011-04-05 23:58 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-04-03 19:34 . 2011-04-03 19:35 -------- d-----w- c:\program files\CCleaner
2011-03-30 17:16 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-03-28 18:50 . 2011-03-28 18:50 -------- d-----w- c:\documents and settings\Eric DeYoung\DoctorWeb
2011-03-26 20:40 . 2011-03-26 20:40 -------- d-----w- c:\documents and settings\Eric DeYoung\Application Data\Malwarebytes
2011-03-26 20:39 . 2011-03-26 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-26 20:39 . 2011-04-07 01:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-25 20:35 . 2011-04-05 02:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-25 20:35 . 2011-04-05 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-25 19:28 . 2011-03-25 19:28 -------- d-----w- c:\documents and settings\Eric DeYoung\Local Settings\Application Data\Mozilla
2011-03-24 13:26 . 2011-04-07 13:44 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-03-24 13:26 . 2011-03-26 20:53 -------- d-----w- c:\program files\SpywareBlaster
2011-03-23 14:06 . 2011-02-23 13:56 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-03-23 14:06 . 2011-02-23 13:54 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-03-23 14:06 . 2011-02-23 13:55 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-03-23 14:06 . 2011-02-23 13:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-03-23 14:06 . 2011-02-23 13:55 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-03-23 14:06 . 2011-02-23 13:55 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-03-23 14:06 . 2011-02-23 13:55 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-03-23 14:05 . 2011-02-23 13:54 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-03-23 14:05 . 2011-02-23 14:04 40648 ----a-w- c:\windows\avastSS.scr
2011-03-23 14:05 . 2011-02-23 14:04 190016 ----a-w- c:\windows\system32\aswBoot.exe
2011-03-23 13:44 . 2011-03-23 13:44 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-23 13:23 . 2011-04-07 13:45 -------- d-----w- c:\documents and settings\Eric DeYoung\Application Data\Sammsoft
2011-03-22 21:17 . 2011-03-23 13:43 -------- d-----w- c:\program files\Microsoft Silverlight
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-05 13:16 . 2010-10-18 13:10 14744 ----a-w- c:\documents and settings\Eric DeYoung\Application Data\Microsoft\IdentityCRL\ppcrlconfig.dll
2011-04-01 13:36 . 2005-08-16 09:18 502272 ----a-w- c:\windows\system32\winlogon.exe
2011-02-04 23:48 . 2005-08-16 09:18 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 23:48 . 2005-08-16 09:18 291840 ----a-w- c:\windows\system32\sbe.dll
2009-04-11 16:02 . 2009-04-11 16:02 21068096 ----a-w- c:\program files\FTBDL.exe
2011-03-18 17:53 . 2011-03-25 19:39 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
.
[-] 2011-04-01 . A20FF80DCB922455C2387A68ABE9F7B8 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 14:04 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-08 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-14 98304]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-14 24576]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/23/2011 9:06 AM 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/23/2011 9:06 AM 301528]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/23/2011 9:06 AM 19544]
S1 aysavaxx;aysavaxx;\??\c:\windows\system32\drivers\aysavaxx.sys --> c:\windows\system32\drivers\aysavaxx.sys [?]
S1 dycihimh;dycihimh;\??\c:\windows\system32\drivers\dycihimh.sys --> c:\windows\system32\drivers\dycihimh.sys [?]
S1 gskrdqwk;gskrdqwk;\??\c:\windows\system32\drivers\gskrdqwk.sys --> c:\windows\system32\drivers\gskrdqwk.sys [?]
S1 hgcqpgrl;hgcqpgrl;\??\c:\windows\system32\drivers\hgcqpgrl.sys --> c:\windows\system32\drivers\hgcqpgrl.sys [?]
S1 htzwckvw;htzwckvw;\??\c:\windows\system32\drivers\htzwckvw.sys --> c:\windows\system32\drivers\htzwckvw.sys [?]
S1 ixthvmwc;ixthvmwc;\??\c:\windows\system32\drivers\ixthvmwc.sys --> c:\windows\system32\drivers\ixthvmwc.sys [?]
S1 kimezjsp;kimezjsp;\??\c:\windows\system32\drivers\kimezjsp.sys --> c:\windows\system32\drivers\kimezjsp.sys [?]
S1 lftjhcsc;lftjhcsc;\??\c:\windows\system32\drivers\lftjhcsc.sys --> c:\windows\system32\drivers\lftjhcsc.sys [?]
S1 njmctyra;njmctyra;\??\c:\windows\system32\drivers\njmctyra.sys --> c:\windows\system32\drivers\njmctyra.sys [?]
S1 nraokdhg;nraokdhg;\??\c:\windows\system32\drivers\nraokdhg.sys --> c:\windows\system32\drivers\nraokdhg.sys [?]
S1 nzjfxqjs;nzjfxqjs;\??\c:\windows\system32\drivers\nzjfxqjs.sys --> c:\windows\system32\drivers\nzjfxqjs.sys [?]
S1 obfvlddf;obfvlddf;\??\c:\windows\system32\drivers\obfvlddf.sys --> c:\windows\system32\drivers\obfvlddf.sys [?]
S1 pqpsozec;pqpsozec;\??\c:\windows\system32\drivers\pqpsozec.sys --> c:\windows\system32\drivers\pqpsozec.sys [?]
S1 qgffakcw;qgffakcw;\??\c:\windows\system32\drivers\qgffakcw.sys --> c:\windows\system32\drivers\qgffakcw.sys [?]
S1 rnhetqzs;rnhetqzs;\??\c:\windows\system32\drivers\rnhetqzs.sys --> c:\windows\system32\drivers\rnhetqzs.sys [?]
S1 sctxshpc;sctxshpc;\??\c:\windows\system32\drivers\sctxshpc.sys --> c:\windows\system32\drivers\sctxshpc.sys [?]
S1 sparyilh;sparyilh;\??\c:\windows\system32\drivers\sparyilh.sys --> c:\windows\system32\drivers\sparyilh.sys [?]
S1 tmvmfdhb;tmvmfdhb;\??\c:\windows\system32\drivers\tmvmfdhb.sys --> c:\windows\system32\drivers\tmvmfdhb.sys [?]
S1 tmywegcr;tmywegcr;\??\c:\windows\system32\drivers\tmywegcr.sys --> c:\windows\system32\drivers\tmywegcr.sys [?]
S1 vajeveck;vajeveck;\??\c:\windows\system32\drivers\vajeveck.sys --> c:\windows\system32\drivers\vajeveck.sys [?]
S1 vehhyiet;vehhyiet;\??\c:\windows\system32\drivers\vehhyiet.sys --> c:\windows\system32\drivers\vehhyiet.sys [?]
S2 gupdate1c98a12e8536556;Google Update Service (gupdate1c98a12e8536556);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2009 12:30 PM 133104]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-06 14:54]
.
2011-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 17:30]
.
2011-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 17:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://us.mg5.mail.yahoo.com/dc/launch?.gx=1&.rand=22iueibg12q0v
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/?fr=fp-yma3
uInternet Settings,ProxyOverride =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Eric DeYoung\Application Data\Mozilla\Firefox\Profiles\518xzb96.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-ModemOnHold - c:\program files\NetWaiting\netWaiting.exe
HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKLM-Run-Microsoft Works Update Detection - c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-07 09:02
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
C:\## aswSnx private storage
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2020)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\stsystra.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-04-07 09:06:11 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-07 14:06
.
Pre-Run: 44,271,521,792 bytes free
Post-Run: 44,328,632,320 bytes free
.
- - End Of File - - D4DF57D36DC19EC9E42D754EFFC83021
kevin27_b3d29f
1.5K Posts
0
April 8th, 2011 06:00
Hi,
Please let me know, do you have your Windows Installation disk.
Thanks.
chzbrger
18 Posts
0
April 8th, 2011 07:00
Yes I do.
kevin27_b3d29f
1.5K Posts
0
April 8th, 2011 12:00
Hi,
Please go to Virus Total where you will see a browse button in the middle of the screen.
c:\windows\system32\drivers\gskrdqwk.sys
c:\windows\system32\drivers\nzjfxqjs.sys
c:\windows\system32\drivers\tmywegcr.sys
Note: you may need to show hidden files to locate the files requested:
Please open any Windows Explorer window such as "My Computer" or "My Documents", any will do.
Remember to hide hidden files/folders by reversing the action when you have finished
Please post the three VT reports back for review.
Thanks.
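One way to pull these items out of a ComboFix log mechanically, as an added example (not code from this thread and not part of ComboFix): the script below parses the Sigcheck block and the service/driver list from a few lines copied from the log posted above, flags the Sigcheck entries marked [-] and the services whose binary is absent on disk ("[?]") or whose name is eight random-looking lowercase letters, lists the driver paths that would be submitted to VirusTotal, and offers a check that a re-copied file no longer hashes to a flagged MD5. The regular expressions are my own reading of ComboFix's line layout, derived only from the lines in this log; the meaning of the R/S prefixes in the comments is an assumption.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Sample lines copied from the ComboFix log posted above (a constructed subset
# of that log, embedded here as test input).
SAMPLE_LOG = r"""------- Sigcheck -------
.
[-] 2011-04-01 . A20FF80DCB922455C2387A68ABE9F7B8 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/23/2011 9:06 AM 371544]
S1 aysavaxx;aysavaxx;\??\c:\windows\system32\drivers\aysavaxx.sys --> c:\windows\system32\drivers\aysavaxx.sys [?]
S1 gskrdqwk;gskrdqwk;\??\c:\windows\system32\drivers\gskrdqwk.sys --> c:\windows\system32\drivers\gskrdqwk.sys [?]
S2 gupdate1c98a12e8536556;Google Update Service (gupdate1c98a12e8536556);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2009 12:30 PM 133104]
"""

# Sigcheck line: "[flag] date . MD5 . size . . [version] . . path"  (layout assumed from the log)
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]])\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)
# Service line: "R1 name;display;image [details]"  (assumed: R = running, S = stopped; digit = start type)
SERVICE_RE = re.compile(r"^(?P<type>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# Eight lowercase letters with no meaning, the pattern of the S1 drivers in this log.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


@dataclass
class Finding:
    kind: str             # "sigcheck" or "service"
    item: str             # file path or service name
    reason: str
    md5: Optional[str] = None


def parse_sigcheck(lines: List[str]) -> List[Dict[str, str]]:
    """Return one dict per Sigcheck entry (flag, date, md5, size, ver, path)."""
    return [m.groupdict() for m in (SIGCHECK_RE.match(l.strip()) for l in lines) if m]


def parse_services(lines: List[str]) -> List[Dict[str, object]]:
    """Return one dict per service/driver entry with its resolved image path."""
    services = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        missing = rest.endswith("[?]")          # ComboFix could not find the binary on disk
        if "-->" in rest:                       # "\??\<path> --> <path> [?]": keep the resolved path
            rest = rest.split("-->", 1)[1]
        image = rest.rsplit(" [", 1)[0].strip()  # drop the trailing "[date size]" / "[?]" block
        services.append({"type": m.group("type"), "name": m.group("name"),
                         "display": m.group("display"), "image": image, "missing": missing})
    return services


def triage(text: str) -> List[Finding]:
    """Collect the entries a reviewer would look at first."""
    lines = text.splitlines()
    findings: List[Finding] = []
    for e in parse_sigcheck(lines):
        if e["flag"] == "-":
            findings.append(Finding("sigcheck", e["path"],
                                    f"Sigcheck flagged [-] (version {e['ver']}, size {e['size']})",
                                    e["md5"].lower()))
    for s in parse_services(lines):
        reasons = []
        if s["missing"]:
            reasons.append("binary missing on disk")
        if RANDOM_NAME_RE.match(str(s["name"])):
            reasons.append("8-letter random-looking name")
        if reasons:
            findings.append(Finding("service", str(s["name"]),
                                    "; ".join(reasons) + f" ({s['type']}, {s['image']})"))
    return findings


def suspicious_driver_paths(text: str) -> List[str]:
    """Paths of the driver binaries worth submitting for a second opinion (e.g. VirusTotal)."""
    return sorted(str(s["image"]) for s in parse_services(text.splitlines())
                  if s["missing"] or RANDOM_NAME_RE.match(str(s["name"])))


def flagged_md5s(text: str) -> Set[str]:
    """Lower-case MD5s of every Sigcheck entry flagged [-]."""
    return {f.md5 for f in triage(text) if f.md5}


def still_flagged(data: bytes, flagged: Set[str]) -> bool:
    """After re-copying a system file, True means its bytes still hash to a flagged MD5."""
    return hashlib.md5(data).hexdigest().lower() in flagged


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:9} {f.item}: {f.reason}")
    print("submit for review:", suspicious_driver_paths(SAMPLE_LOG))
```

Run against the full log, the service parser also picks up the remaining S1 entries with the same eight-letter pattern; the hash check is the post-repair step: read the replaced winlogon.exe and confirm `still_flagged` returns False before trusting the machine again.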
chzbrger
18 Posts
0
April 8th, 2011 13:00
Hi,
I followed all the directions for showing the system files, but I can't find any of the 3 files mentioned above. I got an email about running Secunia, but I noticed that it wasn't in this thread - I was supposed to do that, right? I downloaded all the updates Secunia found, but when I ran Secunia again, it detected all the same updates again as if I hadn't installed them.
kevin27_b3d29f
1.5K Posts
0
April 8th, 2011 15:00
Hi,
The Secunia instructions were for someone else, I posted them to the wrong thread first, not to worry, no harm would have been done.
Insert your XP disc then reboot your machine and when the manufacturer splash screen first shows up hit F2 (may be another F key) to take you into BIOS, use the arrow keys to navigate to boot options and make sure your DVD drive is at the top of the boot list. This is normally done by using the plus (+) and minus (-) keys to move a boot drive up and down.
Navigate to exit and be sure to scroll down to EXIT and SAVE changes
NOTE: The above instructions may differ slightly depending on your system and manufacturer
Your machine will now reboot, watch the screen and when prompted to Press any key to boot from CD/DVD, please do so.
Give the machine some time to boot from the disc and on the first options screen once the disc's files have loaded, choose the second option, Repair, by hitting the R button.
You will then be asked to pick a hard drive partition to repair, this is normally C:\, you will need to type the number next to your main boot drive and hit enter.
If you are asked for an administrator password please enter it or just press enter if you do not have one.
You will now be presented with a command prompt. C:\WINDOWS>_ (the underscore is where you need to start typing)
Please type the following and hit enter:
map
This command will bring up a list of your drives, you need to look for the CD/DVD drive which will be listed like this, D: \Device\CdRom0
In this case D: is the disc drive so we will use that as the example.
IF YOUR DISC DRIVE IS NOT "D:" THEN REPLACE THE "D" IN THE NEXT COMMANDS WITH WHATEVER YOUR DISC DRIVE IS LISTED UNDER, FAILURE TO FOLLOW THIS WILL RESULT IN THIS NOT WORKING HOW IT SHOULD
Type the following bolded command exactly as it is typed below, replacing “D:” with your CD drive letter.
copy d:\i386\winlogon.ex_ c:\windows\system32 (note the space between "copy" and "d" and also between "_" and "C:") hit enter
You may then be asked "do you want to overwrite above file" type "Y" and hit enter
You should see the message “1 file(s) copied.” – this means it worked.
Then type EXIT at the command prompt and hit enter
The machine will now reboot, DO NOT hit any keys when prompted just let it boot as normal and then take your disc out.
Once back in normal Windows mode, please permanently disable Avast and then run Combofix again. If Combofix prompts for an update, please allow it to do so.
Please post the fresh Combofix log back for review.
Thanks.