
Author Topic: ThinkPoint?  (Read 19360 times)


BigMac100

    Topic Starter


    Rookie

    ThinkPoint?
    « on: November 30, 2010, 03:55:53 PM »
    Developed a virus called "ThinkPoint" about a week ago. I could not get on the internet or even shut the computer down. Ran the computer under safe mode to end the process but am still having issues. Cannot open a desktop icon to a link without a pop-up window asking "choose the program you want to use to open this file". Computer is running slow and I have to restart just to get on the internet. Please help. Ran AVG, the program bogs the system down.

    BigMac100

      Topic Starter


      Rookie

      Re: ThinkPoint?
      « Reply #1 on: November 30, 2010, 04:02:15 PM »
      Sorry, Service pack 2

      SuperDave

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: ThinkPoint?
      « Reply #2 on: December 01, 2010, 12:48:00 PM »
      Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

      Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
      Save Rkill to your desktop.

      There are 4 different versions. If one of them won't run then download and try to run another one.
       
      Vista and Win7 users need to right click Rkill and choose Run as Administrator
       

      You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

      Rkill.exe
      Rkill.com
      Rkill.scr
      Rkill.pif

      Once you've gotten one of them to run then try to immediately run the following.
       
      Now download and Run exeHelper.

      Please download exeHelper from Raktor to your desktop.
      • Double-click on exeHelper.com to run the fix. A black window should pop up; press any key to close it once the fix is completed. A log file named log.txt will be created in the directory where you ran exeHelper.com. Attach the log.txt file to your next message.

        Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
        ************************************************
        SUPERAntiSpyware

        If you already have SUPERAntiSpyware be sure to check for updates before scanning!


        Download SuperAntispyware Free Edition (SAS)
        * Double-click the icon on your desktop to run the installer.
        * When asked to Update the program definitions, click Yes
        * If you encounter any problems while downloading the updates, manually download and unzip them from here
        * Next click the Preferences button.

        •Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
        * Click the Scanning Control tab.
        * Under Scanner Options make sure only the following are checked:

        •Close browsers before scanning
        •Scan for tracking cookies
        •Terminate memory threats before quarantining
        Please leave the others unchecked

        •Click the Close button to leave the control center screen.

        * On the main screen click Scan your computer
        * On the left check the box for the drive you are scanning.
        * On the right choose Perform Complete Scan
        * Click Next to start the scan. Please be patient while it scans your computer.
        * After the scan is complete a summary box will appear. Click OK
        * Make sure everything in the white box has a check next to it, then click Next
        * It will quarantine what it found and if it asks if you want to reboot, click Yes

        •To retrieve the removal information please do the following:
        •After reboot, double-click the SUPERAntiSpyware icon on your desktop.
        •Click Preferences. Click the Statistics/Logs tab.

        •Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

        •It will open in your default text editor (preferably Notepad).
        •Save the notepad file to your desktop by clicking (in notepad) File > Save As...

        * Save the log somewhere you can easily find it. (normally the desktop)
        * Click close and close again to exit the program.
        *Copy and Paste the log in your post.
        *******************************************
        Please download Malwarebytes Anti-Malware from here.

        Double Click mbam-setup.exe to install the application.
        • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
        • If an update is found, it will download and install the latest version.
        • Once the program has loaded, select "Perform Full Scan", then click Scan.
        • The scan may take some time to finish, so please be patient.
        • When the scan is complete, click OK, then Show Results to view the results.
        • Make sure that everything is checked, and click Remove Selected.
        • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
        • Please save the log to a location you will remember.
        • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
        • Copy and paste the entire report in your next reply.
        Extra Note:

        If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
        **************************************************
        Download DDS from HERE or HERE and save it to your desktop.

        Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

        * XP users Double click on dds to run it.
        * If your antivirus or firewall tries to block DDS then please allow it to run.
        * When finished DDS will open two (2) logs.

        1) DDS.txt
        2) Attach.txt

        * Save both logs to your desktop.
        * Please copy and paste the entire contents of both logs in your next reply.

        Note: DDS will instruct you to post the Attach.txt log as an attachment.
        Please just post it as you would any other log by copy and pasting it into the reply.
      Windows 8 and Windows 10 dual boot with two SSD's

      BigMac100

        Topic Starter


        Rookie

        Re: ThinkPoint?
        « Reply #3 on: December 02, 2010, 04:45:14 PM »
        exeHelper by Raktor
        Build 20100414
        Run at 18:40:18 on 12/02/10
        Now searching...
        Checking for numerical processes...
        Checking for sysguard processes...
        Checking for bad processes...
        Checking for bad files...
        Deleting file C:\WINDOWS\system32\sdra64.exe
        Error deleting C:\WINDOWS\system32\sdra64.exe - Set for removal on reboot - PLEASE REBOOT
        Checking for bad registry entries...
        Resetting filetype association for .exe
        Resetting filetype association for .com
        Resetting userinit and shell values...
        Resetting policies...
        --Finished--

        SuperDave

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: ThinkPoint?
        « Reply #4 on: December 03, 2010, 12:42:07 PM »
        Were you able to run the other scans after you rebooted the computer? I need to see the logs.

        BigMac100

          Topic Starter


          Rookie

          Re: ThinkPoint?
          « Reply #5 on: December 03, 2010, 03:32:03 PM »
          Sorry it took so long. I was unable to reboot. Had to go to safe mode to compile the info for you. Computer would not go to windows, just a black screen.

          SUPERAntiSpyware Scan Log
          http://www.superantispyware.com

          Generated 12/02/2010 at 09:14 PM

          Application Version : 4.46.1000

          Core Rules Database Version : 5934
          Trace Rules Database Version: 3746

          Scan type       : Complete Scan
          Total Scan Time : 02:20:58

          Memory items scanned      : 467
          Memory threats detected   : 0
          Registry items scanned    : 6444
          Registry threats detected : 6
          File items scanned        : 90972
          File threats detected     : 53

          Adware.Tracking Cookie
             C:\Documents and Settings\Owner\Cookies\owner@media6degrees[2].txt
             C:\Documents and Settings\Owner\Cookies\owner@realmedia[2].txt
             C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
             C:\Documents and Settings\Owner\Cookies\owner@revsci[1].txt
             C:\Documents and Settings\Owner\Cookies\owner@collective-media[2].txt
             C:\Documents and Settings\Owner\Cookies\owner@pointroll[2].txt
             C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
             C:\Documents and Settings\Owner\Cookies\owner@casalemedia[2].txt
             C:\Documents and Settings\Owner\Cookies\owner@ru4[2].txt
             media.mtvnservices.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\D27KGRZX ]
             C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
             C:\Documents and Settings\NetworkService\Cookies\system@adbrite[2].txt
             C:\Documents and Settings\NetworkService\Cookies\system@adecn[1].txt
             C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
             C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
             C:\Documents and Settings\NetworkService\Cookies\system@advertise[2].txt
             C:\Documents and Settings\NetworkService\Cookies\system@advertising[2].txt
             C:\Documents and Settings\NetworkService\Cookies\system@adxpose[1].txt
             C:\Documents and Settings\NetworkService\Cookies\system@atdmt[1].txt
             C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
             C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
             C:\Documents and Settings\NetworkService\Cookies\system@collective-media[2].txt
             C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
             C:\Documents and Settings\NetworkService\Cookies\[email protected][3].txt
             C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt
             C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
             C:\Documents and Settings\NetworkService\Cookies\system@hitbox[1].txt
             C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[2].txt
             C:\Documents and Settings\NetworkService\Cookies\system@lucidmedia[1].txt
             C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
             C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[1].txt
             C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
             C:\Documents and Settings\NetworkService\Cookies\system@overture[1].txt
             C:\Documents and Settings\NetworkService\Cookies\system@pointroll[2].txt
             C:\Documents and Settings\NetworkService\Cookies\system@realmedia[1].txt
             C:\Documents and Settings\NetworkService\Cookies\system@ru4[2].txt
             C:\Documents and Settings\NetworkService\Cookies\system@statcounter[2].txt
             C:\Documents and Settings\NetworkService\Cookies\system@tacoda[2].txt
             C:\Documents and Settings\NetworkService\Cookies\system@technoratimedia[2].txt
             C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[1].txt
             C:\Documents and Settings\NetworkService\Cookies\system@zedo[1].txt
             media.mtvnservices.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\Z4WJR5GG ]
             secure-us.imrworldwide.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\Z4WJR5GG ]

          Trojan.Agent/Gen
             C:\WINDOWS\system32\lowsec\local.ds
             C:\WINDOWS\system32\lowsec\user.ds
             C:\WINDOWS\system32\lowsec\user.ds.lll
             C:\WINDOWS\system32\lowsec

          Backdoor.Bot[ZBot]
             HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}
             HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}
             HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905}
             HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905}

          Malware.Trace
             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network#uid [ HOME-GE8G9I9WSN_B75BA27F2A0474F3 ]
             HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#USERINIT

          Trojan.Agent/Gen-IEFake
             C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\RARSFX0\H\IEXPLORE.EXE
             C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\RARSFX0\PROCS\IEXPLORE.EXE

          Trojan.Agent/Gen-IExplorer[Fake]
             C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\RARSFX0\NIRD\IEXPLORE.EXE

          Trojan.Agent/Gen-Nullo[Short]
             C:\SYSTEM VOLUME INFORMATION\_RESTORE{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0147977.DLL
             C:\SYSTEM VOLUME INFORMATION\_RESTORE{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0147978.EXE

          Trojan.Agent/Gen-SDRA
             C:\WINDOWS\SYSTEM32\SDRA64.EXE

          BigMac100

            Topic Starter


            Rookie

            Re: ThinkPoint?
            « Reply #6 on: December 03, 2010, 04:04:00 PM »
            Dave,

            In the next step I'm to "please download Malwarebytes Anti-Malware from here"

            This link is not a valid link. Do I go to the homepage and then download it? It takes me to CNET.

            BigMac100

              Topic Starter


              Rookie

              Re: ThinkPoint?
              « Reply #7 on: December 03, 2010, 05:17:48 PM »
              Malwarebytes' Anti-Malware 1.50
              www.malwarebytes.org

              Database version: 5241

              Windows 5.1.2600 Service Pack 2 (Safe Mode)
              Internet Explorer 8.0.6001.18702

              12/3/2010 7:07:45 PM
              mbam-log-2010-12-03 (19-07-45).txt

              Scan type: Full scan (C:\|)
              Objects scanned: 241191
              Time elapsed: 56 minute(s), 21 second(s)

              Memory Processes Infected: 0
              Memory Modules Infected: 0
              Registry Keys Infected: 4
              Registry Values Infected: 4
              Registry Data Items Infected: 1
              Folders Infected: 4
              Files Infected: 21

              Memory Processes Infected:
              (No malicious items detected)

              Memory Modules Infected:
              (No malicious items detected)

              Registry Keys Infected:
              HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO) -> Quarantined and deleted successfully.
              HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
              HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{C48635AD-D6B5-3EE4-AAA2-540D5A173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
              HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{C48635AD-D6B5-3EE4-AAA2-540D5A173658} (Backdoor.Bot) -> Quarantined and deleted successfully.

              Registry Values Infected:
              HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AE68DCDA-8750-2C94-BD9A-9EE9347F3964} (Spyware.Passwords.XGen) -> Value: {AE68DCDA-8750-2C94-BD9A-9EE9347F3964} -> Quarantined and deleted successfully.
              HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rcudadi (Trojan.Hiloti.Gen) -> Value: Rcudadi -> Quarantined and deleted successfully.
              HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{BCF5C73A-CE2B-6071-3164-85F31BB12C73} (Trojan.ZbotR.Gen) -> Value: {BCF5C73A-CE2B-6071-3164-85F31BB12C73} -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RTHDBPL (Trojan.Agent) -> Value: RTHDBPL -> Quarantined and deleted successfully.

              Registry Data Items Infected:
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

              Folders Infected:
              c:\documents and settings\Owner\application data\systemproc (Trojan.Agent) -> Quarantined and deleted successfully.
              c:\program files\mozilla firefox\extensions\{8ce11043-9a15-4207-a565-0c94c42d590d} (Trojan.Swisyn) -> Quarantined and deleted successfully.
              c:\program files\mozilla firefox\extensions\{8ce11043-9a15-4207-a565-0c94c42d590d}\chrome (Trojan.Swisyn) -> Quarantined and deleted successfully.
              c:\program files\mozilla firefox\extensions\{8ce11043-9a15-4207-a565-0c94c42d590d}\chrome\content (Trojan.Swisyn) -> Quarantined and deleted successfully.

              Files Infected:
              c:\documents and settings\Owner\application data\Qerie\itlu.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
              c:\WINDOWS\cdrcph4.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
              c:\documents and settings\networkservice\local settings\application data\725140.exe (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
              c:\documents and settings\networkservice\local settings\application data\725141.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
              c:\documents and settings\networkservice\local settings\application data\734218.exe (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
              c:\documents and settings\networkservice\local settings\application data\734219.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
              c:\documents and settings\networkservice\local settings\application data\762218.exe (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
              c:\documents and settings\networkservice\local settings\application data\762219.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
              c:\documents and settings\Owner\local settings\Temp\tmp50116e99\r.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
              c:\program files\AskSBar\bar\1.bin\A2HIGHIN.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
              c:\program files\AskSBar\bar\1.bin\A2PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
              c:\program files\AskSBar\bar\1.bin\NPASKSBR.DLL (Trojan.Agent) -> Quarantined and deleted successfully.
              c:\system volume information\_restore{c289e17b-7714-4e43-b22e-77069d407d7c}\RP1532\A0147958.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
              c:\system volume information\_restore{c289e17b-7714-4e43-b22e-77069d407d7c}\RP1532\A0147979.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
              c:\system volume information\_restore{c289e17b-7714-4e43-b22e-77069d407d7c}\RP1532\A0150999.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
              c:\WINDOWS\temp\0.12006703198118596.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
              c:\WINDOWS\temp\5.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
              c:\WINDOWS\temp\6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
              c:\WINDOWS\temp\kzdwuvqpfuwaane.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
              c:\documents and settings\Owner\application data\Owovy\ewow.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.
              c:\program files\mozilla firefox\extensions\{8ce11043-9a15-4207-a565-0c94c42d590d}\chrome.manifest (Trojan.Swisyn) -> Quarantined and deleted successfully.
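The Hijack.UserInit line in this log is the key finding: the Winlogon Userinit value had sdra64.exe appended after the legitimate userinit.exe, so the trojan was launched at every logon. As an added example (not from this thread and not Malwarebytes' own code), here is a small Python triage script that parses MBAM log lines of this shape, groups detections by family and flags any entry in a Userinit value other than userinit.exe; the sample log lines are constructed from the post above.

```python
import re
from typing import Dict, List

# Constructed sample: the Userinit detection exactly as MBAM reported it above
# (a Bad/Good pair), plus a few other detection lines from the same log.
MBAM_USERINIT_LINE = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit "
    r"(Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) "
    r"Good: (userinit.exe) -> Quarantined and deleted successfully."
)

SAMPLE_MBAM_LOG = "\n".join([
    "Registry Values Infected:",
    r"HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rcudadi (Trojan.Hiloti.Gen) -> Value: Rcudadi -> Quarantined and deleted successfully.",
    "",
    "Registry Data Items Infected:",
    MBAM_USERINIT_LINE,
    "",
    "Files Infected:",
    r"c:\documents and settings\Owner\application data\Owovy\ewow.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.",
    r"c:\WINDOWS\temp\5.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.",
])

# The only program that belongs in the Winlogon Userinit value on a stock
# Windows XP install (compared by basename, case-insensitively).
LEGIT_USERINIT = {"userinit.exe"}


def split_userinit(value: str) -> List[str]:
    """Split a Userinit value into its entries.

    The value is comma separated and normally ends with a trailing comma,
    which yields an empty last field that we drop.
    """
    return [p.strip() for p in value.split(",") if p.strip()]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_userinit(value: str) -> Dict[str, List[str]]:
    """Classify each entry of a Userinit value as expected or unexpected.

    Anything beyond userinit.exe is a persistence hook that runs before the
    shell at every logon, which is exactly how sdra64.exe was loaded here.
    """
    expected: List[str] = []
    unexpected: List[str] = []
    for entry in split_userinit(value):
        (expected if _basename(entry) in LEGIT_USERINIT else unexpected).append(entry)
    return {"expected": expected, "unexpected": unexpected}


_BAD_GOOD = re.compile(r"Bad:\s*\((?P<bad>.*?)\)\s*Good:\s*\((?P<good>.*?)\)")


def parse_mbam_data_item(line: str) -> Dict[str, object]:
    """Extract the Bad/Good pair from an MBAM 'Registry Data Items Infected'
    line and list the entries that were injected into the value."""
    m = _BAD_GOOD.search(line)
    if not m:
        raise ValueError("no Bad/Good pair found in line")
    bad, good = m.group("bad"), m.group("good")
    good_names = {_basename(e) for e in split_userinit(good)}
    injected = [e for e in split_userinit(bad) if _basename(e) not in good_names]
    return {"bad": bad, "good": good, "injected": injected}


# "<item> (<family>) -> <action>" is the shape of every MBAM detection line.
_DETECTION = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> ")


def summarize_mbam(log_text: str) -> Dict[str, List[str]]:
    """Group every detection line in an MBAM log by malware family name,
    so the Zbot/Hiloti/FakeAlert clusters in a log stand out at a glance."""
    families: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = _DETECTION.match(line.strip())
        if m:
            families.setdefault(m.group("family"), []).append(m.group("item"))
    return families


if __name__ == "__main__":
    for family, items in summarize_mbam(SAMPLE_MBAM_LOG).items():
        print(f"{family}: {len(items)} item(s)")
    print("injected into Userinit:", parse_mbam_data_item(MBAM_USERINIT_LINE)["injected"])
```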

              BigMac100

                Topic Starter


                Rookie

                Re: ThinkPoint?
                « Reply #8 on: December 03, 2010, 06:45:03 PM »
                DDS (Ver_10-11-27.01) - NTFSx86 
                Run by Owner at 20:38:22.44 on Fri 12/03/2010
                Internet Explorer: 8.0.6001.18702
                Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.254.74 [GMT -5:00]

                FW: AVG Firewall *disabled*   {8decf618-9569-4340-b34a-d78d28969b66}

                ============== Running Processes ===============

                C:\WINDOWS\system32\svchost -k DcomLaunch
                svchost.exe
                C:\WINDOWS\System32\svchost.exe -k netsvcs
                svchost.exe
                svchost.exe
                C:\WINDOWS\system32\spoolsv.exe
                svchost.exe
                C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                C:\Program Files\Bonjour\mDNSResponder.exe
                C:\Program Files\Java\jre6\bin\jqs.exe
                C:\Program Files\Kodak\printer\center\KodakSvc.exe
                C:\WINDOWS\System32\svchost.exe -k imgsvc
                C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
                C:\WINDOWS\system32\wuauclt.exe
                C:\WINDOWS\Explorer.EXE
                C:\WINDOWS\system32\wscntfy.exe
                C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
                C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
                C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
                C:\Program Files\QuickTime\qttask.exe
                C:\Program Files\iTunes\iTunesHelper.exe
                C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
                C:\Program Files\Java\jre6\bin\jusched.exe
                C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
                C:\WINDOWS\system32\ctfmon.exe
                C:\Program Files\Logitech\SetPoint\SetPoint.exe
                C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
                C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
                C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
                C:\Program Files\iPod\bin\iPodService.exe
                C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
                C:\WINDOWS\system32\wuauclt.exe
                C:\Program Files\Internet Explorer\iexplore.exe
                C:\Program Files\Internet Explorer\iexplore.exe
                C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\364IVJ9Z\dds[1].scr

                ============== Pseudo HJT Report ===============

                uStart Page = hxxp://www.columbus.rr.com/
                uSearch Page = hxxp://www.google.com
                uSearch Bar = hxxp://www.google.com/ie
                uInternet Connection Wizard,ShellNext = iexplore
                uInternet Settings,ProxyOverride = *.local
                uSearchAssistant = hxxp://www.google.com/ie
                uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
                mSearchAssistant =
                uURLSearchHooks: H - No File
                uURLSearchHooks: H - No File
                uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
                mWinlogon: Userinit=userinit.exe,
                BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
                BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
                BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
                BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
                BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
                BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
                BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
                BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
                BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
                TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
                TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
                TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
                TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
                TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
                EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
                uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
                uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
                uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
                uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
                uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
                uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
                mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
                mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
                mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
                mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
                mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
                mRun: [MimBoot] c:\progra~1\musicm~1\musicm~2\mimboot.exe
                mRun: [Webroot Desktop Firewall] c:\program files\webroot\webroot desktop firewall\WDF.exe
                mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
                mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
                mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
                mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
                mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
                mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
                mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
                mRun: [Dfesamiwokoje] rundll32.exe "c:\windows\ilihaxiqex.dll",Startup
                dRunOnce: [RunNarrator] Narrator.exe
                StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
                StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
                StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
                IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
                IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
                IE: Show All Original Images - c:\program files\netzero\qsacc\appres.dll/228
                IE: Show Original Image - c:\program files\netzero\qsacc\appres.dll/227
                IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
                IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
                IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
                IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
                IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
                IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
                IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
                Trusted Zone: musicmatch.com\online
                DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
                DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
                DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
                DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
                DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
                DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
                DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
                DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
                DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
                DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.leaguelineup.com/_incl/uploader/ImageUploader6.cab
                DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
                DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
                DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
                DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
                DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://webmail.na.avon.com/dwa7W.cab
                DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://www.leaguelineup.com/XUpload.ocx
                Filter: text/html - {fa3b1927-c810-48b5-ac12-120ccacb512d} -
                Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
                Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
                Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
                Notify: igfxcui - igfxsrvc.dll
                SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

                ============= SERVICES / DRIVERS ===============

                R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
                R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
                R2 KodakSvc;Kodak AiO Device Service;c:\program files\kodak\printer\center\KodakSvc.exe [2008-2-28 18944]
                R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-6-24 92008]
                S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-11-8 38224]

                =============== Created Last 30 ================

                2010-11-30 23:50:14   --------   d-----w-   c:\docume~1\owner\applic~1\Qerie
                2010-11-30 23:50:14   --------   d-----w-   c:\docume~1\owner\applic~1\Owuvw
                2010-11-30 22:06:32   --------   d-----w-   c:\docume~1\owner\locals~1\applic~1\{9943D1B2-DB9A-4D3E-A0F2-583F318A9828}
                2010-11-30 21:09:15   230   ----a-w-   C:\agtyjkj.bat
                2010-11-27 19:47:04   --------   d-----w-   c:\docume~1\owner\applic~1\Ysez
                2010-11-27 19:47:04   --------   d-----w-   c:\docume~1\owner\applic~1\Xiurz
                2010-11-27 19:19:18   --------   d-----w-   c:\docume~1\owner\applic~1\Owovy
                2010-11-27 19:19:18   --------   d-----w-   c:\docume~1\owner\applic~1\Edgubo
                2010-11-25 21:06:05   --------   d-----w-   c:\windows\system32\drivers\AVG
                2010-11-25 02:56:29   12160   -c--a-w-   c:\windows\system32\dllcache\mouhid.sys
                2010-11-25 02:56:29   12160   ----a-w-   c:\windows\system32\drivers\mouhid.sys
                2010-11-25 01:45:52   --------   d-----w-   c:\windows\system32\wbem\repository\FS
                2010-11-25 01:45:52   --------   d-----w-   c:\windows\system32\wbem\Repository
                2010-11-24 23:59:49   --------   d-----w-   c:\program files\Loaris
                2010-11-09 19:13:46   --------   d--h--w-   C:\$AVG
                2010-11-08 22:29:39   --------   d-----w-   c:\docume~1\owner\applic~1\AVG10
                2010-11-08 22:23:59   --------   d--h--w-   c:\docume~1\alluse~1\applic~1\Common Files
                2010-11-08 22:19:59   --------   d-----w-   c:\docume~1\alluse~1\applic~1\AVG10
                2010-11-08 22:18:52   --------   d-----w-   c:\program files\AVG
                2010-11-08 22:11:59   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                2010-11-08 22:11:51   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                2010-11-08 22:11:50   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                2010-11-08 21:36:35   --------   d-----w-   c:\docume~1\owner\locals~1\applic~1\Temp
                2010-11-08 21:15:19   4526   ----a-w-   c:\windows\system32\PerfStringBackup.TMP
                2010-11-08 20:44:59   --------   d-----w-   c:\docume~1\alluse~1\applic~1\MFAData

                ==================== Find3M  ====================


                =================== ROOTKIT  ====================

                Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
                Windows 5.1.2600 Disk: ST380011A rev.3.16 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

                device: opened successfully
                user: MBR read successfully

                Disk trace:
                called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x812DC446]<<
                _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x812e2504]; MOV EAX, [0x812e2580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX;  }
                1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x81367030]
                3 CLASSPNP[0xF92A305B] -> nt!IofCallDriver[0x804E37D5] -> [0x812FE550]
                \Driver\atapi[0x81359468] -> IRP_MJ_CREATE -> 0x812DC446
                kernel: MBR read successfully
                _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP;  }
                detected disk devices:
                \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST380011A_______________________________3.16____#4a33395641354a33202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
                detected hooks:
                \Driver\atapi DriverStartIo -> 0x812DC292
                user != kernel MBR !!!
                sectors 156249998 (+255): user != kernel
                Warning: possible TDL4 rootkit infection !
                TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

                ============= FINISH: 20:40:58.51 ===============
                « Last Edit: December 09, 2010, 04:23:50 PM by SuperDave »

                BigMac100

                  Topic Starter


                  Rookie

                  Re: ThinkPoint?
                  « Reply #9 on: December 03, 2010, 06:47:15 PM »
                  UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
                  IF REQUESTED, ZIP IT UP & ATTACH IT

                  DDS (Ver_10-11-27.01)

                  Microsoft Windows XP Home Edition
                  Boot Device: \Device\HarddiskVolume2
                  Install Date: 9/10/2005 12:42:10 AM
                  System Uptime: 12/3/2010 8:33:34 PM (0 hours ago)

                  Motherboard: Dell Computer Corp. |  | 0C2425
                  Processor:               Intel(R) Pentium(R) 4 CPU 2.53GHz | Microprocessor | 2525/533mhz

                  ==== Disk Partitions =========================

                  C: is FIXED (NTFS) - 74 GiB total, 49.456 GiB free.
                  D: is CDROM ()
                  E: is CDROM ()

                  ==== Disabled Device Manager Items =============

                  ==== System Restore Points ===================

                  RP1441: 9/2/2010 3:54:43 PM - System Checkpoint
                  RP1442: 9/3/2010 4:22:20 PM - System Checkpoint
                  RP1443: 9/4/2010 4:48:39 PM - System Checkpoint
                  RP1444: 9/5/2010 5:21:23 PM - System Checkpoint
                  RP1445: 9/6/2010 5:48:49 PM - System Checkpoint
                  RP1446: 9/7/2010 6:50:48 PM - System Checkpoint
                  RP1447: 9/8/2010 3:00:24 AM - Software Distribution Service 3.0
                  RP1448: 9/9/2010 3:24:05 AM - System Checkpoint
                  RP1449: 9/10/2010 4:24:06 AM - System Checkpoint
                  RP1450: 9/11/2010 5:24:04 AM - System Checkpoint
                  RP1451: 9/12/2010 5:31:18 AM - System Checkpoint
                  RP1452: 9/13/2010 6:24:08 AM - System Checkpoint
                  RP1453: 9/14/2010 7:24:07 AM - System Checkpoint
                  RP1454: 9/15/2010 3:00:33 AM - Software Distribution Service 3.0
                  RP1455: 9/16/2010 3:20:35 AM - System Checkpoint
                  RP1456: 9/17/2010 3:34:33 AM - System Checkpoint
                  RP1457: 9/18/2010 3:43:54 AM - System Checkpoint
                  RP1458: 9/19/2010 4:34:33 AM - System Checkpoint
                  RP1459: 9/20/2010 5:12:04 AM - System Checkpoint
                  RP1460: 9/21/2010 6:00:57 AM - System Checkpoint
                  RP1461: 9/22/2010 6:02:18 AM - System Checkpoint
                  RP1462: 9/23/2010 6:49:58 AM - System Checkpoint
                  RP1463: 9/24/2010 7:49:57 AM - System Checkpoint
                  RP1464: 9/25/2010 8:49:58 AM - System Checkpoint
                  RP1465: 9/26/2010 8:51:28 AM - System Checkpoint
                  RP1466: 10/3/2010 4:27:04 PM - System Checkpoint
                  RP1467: 10/4/2010 3:00:28 AM - Software Distribution Service 3.0
                  RP1468: 10/5/2010 3:02:24 AM - System Checkpoint
                  RP1469: 10/5/2010 6:04:29 PM - Restore Operation
                  RP1470: 10/6/2010 3:00:29 AM - Software Distribution Service 3.0
                  RP1471: 10/7/2010 3:05:44 AM - System Checkpoint
                  RP1472: 10/8/2010 4:05:43 AM - System Checkpoint
                  RP1473: 10/9/2010 4:14:58 AM - System Checkpoint
                  RP1474: 10/10/2010 5:05:43 AM - System Checkpoint
                  RP1475: 10/11/2010 6:05:41 AM - System Checkpoint
                  RP1476: 10/12/2010 6:12:54 AM - System Checkpoint
                  RP1477: 10/13/2010 7:07:19 AM - System Checkpoint
                  RP1478: 10/14/2010 3:00:42 AM - Software Distribution Service 3.0
                  RP1479: 10/15/2010 3:07:17 AM - System Checkpoint
                  RP1480: 10/16/2010 3:18:26 AM - System Checkpoint
                  RP1481: 10/17/2010 4:18:26 AM - System Checkpoint
                  RP1482: 10/18/2010 5:18:31 AM - System Checkpoint
                  RP1483: 10/19/2010 6:18:26 AM - System Checkpoint
                  RP1484: 10/20/2010 6:18:59 AM - System Checkpoint
                  RP1485: 10/21/2010 7:19:03 AM - System Checkpoint
                  RP1486: 10/22/2010 7:39:39 AM - System Checkpoint
                  RP1487: 10/23/2010 8:39:40 AM - System Checkpoint
                  RP1488: 10/24/2010 8:40:45 AM - System Checkpoint
                  RP1489: 10/25/2010 9:39:40 AM - System Checkpoint
                  RP1490: 10/26/2010 10:39:40 AM - System Checkpoint
                  RP1491: 10/27/2010 11:54:12 AM - System Checkpoint
                  RP1492: 10/28/2010 11:54:32 AM - System Checkpoint
                  RP1493: 10/29/2010 11:55:17 AM - System Checkpoint
                  RP1494: 10/30/2010 12:08:52 PM - System Checkpoint
                  RP1495: 10/31/2010 12:56:23 PM - System Checkpoint
                  RP1496: 11/1/2010 1:05:31 PM - System Checkpoint
                  RP1497: 11/2/2010 1:55:18 PM - System Checkpoint
                  RP1498: 11/3/2010 3:08:22 PM - System Checkpoint
                  RP1499: 11/4/2010 3:27:06 PM - System Checkpoint
                  RP1500: 11/5/2010 3:27:37 PM - System Checkpoint
                  RP1501: 11/6/2010 4:23:07 PM - System Checkpoint
                  RP1502: 11/7/2010 7:07:32 PM - System Checkpoint
                  RP1503: 11/8/2010 4:09:44 PM - Restore Operation
                  RP1504: 11/8/2010 4:20:07 PM - Removed SUPERAntiSpyware Free Edition
                  RP1505: 11/8/2010 4:34:56 PM - avast! Free Antivirus Setup
                  RP1506: 11/8/2010 4:55:37 PM - avast! Free Antivirus Setup
                  RP1507: 11/8/2010 5:18:49 PM - Installed AVG 2011
                  RP1508: 11/8/2010 5:19:38 PM - Installed AVG 2011
                  RP1509: 11/9/2010 6:27:55 PM - System Checkpoint
                  RP1510: 11/10/2010 7:02:18 PM - System Checkpoint
                  RP1511: 11/11/2010 3:00:56 AM - Software Distribution Service 3.0
                  RP1512: 11/12/2010 3:02:23 AM - System Checkpoint
                  RP1513: 11/13/2010 4:02:22 AM - System Checkpoint
                  RP1514: 11/14/2010 5:02:19 AM - System Checkpoint
                  RP1515: 11/15/2010 5:12:44 AM - System Checkpoint
                  RP1516: 11/15/2010 9:58:10 PM - Removed AVG 2011
                  RP1517: 11/15/2010 10:00:31 PM - Removed AVG 2011
                  RP1518: 11/16/2010 10:51:00 PM - System Checkpoint
                  RP1519: 11/17/2010 10:56:11 PM - System Checkpoint
                  RP1520: 11/18/2010 11:50:59 PM - System Checkpoint
                  RP1521: 11/20/2010 12:51:03 AM - System Checkpoint
                  RP1522: 11/21/2010 1:51:00 AM - System Checkpoint
                  RP1523: 11/22/2010 2:51:01 AM - System Checkpoint
                  RP1524: 11/23/2010 4:41:13 PM - System Checkpoint
                  RP1525: 11/24/2010 8:44:13 PM - Restore Operation
                  RP1526: 11/25/2010 5:33:15 PM - Removed AVG 2011
                  RP1527: 11/25/2010 5:37:20 PM - Removed AVG 2011
                  RP1528: 11/25/2010 6:18:58 PM - Advanced Registry Optimizer 2010 - Before Installation
                  RP1529: 11/25/2010 6:20:22 PM - ADVANCED REGISTRY OPTIMIZER 2010- FIRST RUN
                  RP1530: 11/25/2010 6:32:34 PM - Software Distribution Service 3.0
                  RP1531: 11/25/2010 6:46:04 PM - Software Distribution Service 3.0
                  RP1532: 11/30/2010 4:54:23 PM - System Checkpoint

                  ==== Installed Programs ======================

                  Adobe AIR
                  Adobe Flash Player 10 ActiveX
                  Adobe Reader 9
                  Adobe Shockwave Player
                  Adobe SVG Viewer 3.0
                  aiofw
                  aioocr
                  aioprnt
                  aioscnnr
                  Apple Mobile Device Support
                  Apple Software Update
                  Ask Toolbar
                  Bonjour
                  center
                  Conexant D850 56K V.9x DFVc Modem
                  Cyber Security
                  Dell ResourceCD
                  FaxTools
                  FrostWire 4.13.5
                  Google Toolbar for Internet Explorer
                  Help_CTR
                  helptut
                  helpug
                  Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
                  Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
                  Hotfix for Windows XP (KB952287)
                  Hotfix for Windows XP (KB954550-v5)
                  Hotfix for Windows XP (KB961118)
                  Hotfix for Windows XP (KB970653-v3)
                  Hotfix for Windows XP (KB976098-v2)
                  Hotfix for Windows XP (KB979306)
                  Hotfix for Windows XP (KB981793)
                  Intel(R) Extreme Graphics Driver
                  iTunes
                  Java(TM) 6 Update 16
                  KODAK All-in-One Printer Software
                  ksdip
                  Logitech Desktop Messenger
                  Logitech SetPoint
                  Malwarebytes' Anti-Malware
                  MapSend DirectRoute North America
                  Microsoft .NET Framework 2.0 Service Pack 2
                  Microsoft .NET Framework 3.0 Service Pack 2
                  Microsoft .NET Framework 3.5 SP1
                  Microsoft Money 2004
                  Microsoft Money 2004 System Pack
                  Microsoft Office 2007 Service Pack 2 (SP2)
                  Microsoft Office Access MUI (English) 2007
                  Microsoft Office Access Setup Metadata MUI (English) 2007
                  Microsoft Office Excel MUI (English) 2007
                  Microsoft Office Outlook MUI (English) 2007
                  Microsoft Office PowerPoint MUI (English) 2007
                  Microsoft Office PowerPoint Viewer 2007 (English)
                  Microsoft Office Professional 2007
                  Microsoft Office Professional 2007 Trial
                  Microsoft Office Proof (English) 2007
                  Microsoft Office Proof (French) 2007
                  Microsoft Office Proof (Spanish) 2007
                  Microsoft Office Proofing (English) 2007
                  Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
                  Microsoft Office Publisher MUI (English) 2007
                  Microsoft Office Shared MUI (English) 2007
                  Microsoft Office Shared Setup Metadata MUI (English) 2007
                  Microsoft Office Word MUI (English) 2007
                  Microsoft Picture It! Photo Premium 9
                  Microsoft Silverlight
                  Microsoft Software Update for Web Folders  (English) 12
                  Microsoft Streets and Trips 2004
                  Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
                  Microsoft Visual C++ 2005 Redistributable
                  Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
                  Microsoft Word 2002
                  Microsoft Works
                  Microsoft Works Suite Add-in for Microsoft Word
                  MobileMe Control Panel
                  MSXML 4.0 SP2 (KB954430)
                  MSXML 4.0 SP2 (KB973688)
                  MSXML 6 Service Pack 2 (KB973686)
                  Musicmatch® Jukebox
                  netbrdg
                  QuickTime
                  Security Update for 2007 Microsoft Office System (KB2288621)
                  Security Update for 2007 Microsoft Office System (KB2289158)
                  Security Update for 2007 Microsoft Office System (KB2344875)
                  Security Update for 2007 Microsoft Office System (KB2345043)
                  Security Update for 2007 Microsoft Office System (KB969559)
                  Security Update for 2007 Microsoft Office System (KB976321)
                  Security Update for Microsoft Office Access 2007 (KB979440)
                  Security Update for Microsoft Office Excel 2007 (KB2345035)
                  Security Update for Microsoft Office InfoPath 2007 (KB979441)
                  Security Update for Microsoft Office Outlook 2007 (KB2288953)
                  Security Update for Microsoft Office PowerPoint 2007 (KB982158)
                  Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
                  Security Update for Microsoft Office Publisher 2007 (KB982124)
                  Security Update for Microsoft Office system 2007 (972581)
                  Security Update for Microsoft Office system 2007 (KB974234)
                  Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
                  Security Update for Microsoft Office Word 2007 (KB2344993)
                  Security Update for Windows Internet Explorer 8 (KB971961)
                  Security Update for Windows Internet Explorer 8 (KB976325)
                  Security Update for Windows Internet Explorer 8 (KB978207)
                  Security Update for Windows Internet Explorer 8 (KB981332)
                  Security Update for Windows Internet Explorer 8 (KB982381)
                  Security Update for Windows Media Player (KB911564)
                  Security Update for Windows Media Player (KB952069)
                  Security Update for Windows Media Player (KB954155)
                  Security Update for Windows Media Player (KB968816)
                  Security Update for Windows Media Player (KB973540)
                  Security Update for Windows Media Player (KB978695)
                  Security Update for Windows Media Player (KB979402)
                  Security Update for Windows Media Player 6.4 (KB925398)
                  Security Update for Windows Media Player 9 (KB917734)
                  Security Update for Windows Media Player 9 (KB936782)
                  Security Update for Windows XP (KB2229593)
                  Security Update for Windows XP (KB890046)
                  Security Update for Windows XP (KB893756)
                  Security Update for Windows XP (KB896358)
                  Security Update for Windows XP (KB896423)
                  Security Update for Windows XP (KB896424)
                  Security Update for Windows XP (KB896428)
                  Security Update for Windows XP (KB899587)
                  Security Update for Windows XP (KB899591)
                  Security Update for Windows XP (KB900725)
                  Security Update for Windows XP (KB901017)
                  Security Update for Windows XP (KB901214)
                  Security Update for Windows XP (KB902400)
                  Security Update for Windows XP (KB904706)
                  Security Update for Windows XP (KB905414)
                  Security Update for Windows XP (KB905749)
                  Security Update for Windows XP (KB908519)
                  Security Update for Windows XP (KB911562)
                  Security Update for Windows XP (KB911927)
                  Security Update for Windows XP (KB912919)
                  Security Update for Windows XP (KB913580)
                  Security Update for Windows XP (KB914388)
                  Security Update for Windows XP (KB914389)
                  Security Update for Windows XP (KB917344)
                  Security Update for Windows XP (KB917422)
                  Security Update for Windows XP (KB917953)
                  Security Update for Windows XP (KB918118)
                  Security Update for Windows XP (KB919007)
                  Security Update for Windows XP (KB920213)
                  Security Update for Windows XP (KB920670)
                  Security Update for Windows XP (KB920683)
                  Security Update for Windows XP (KB920685)
                  Security Update for Windows XP (KB921398)
                  Security Update for Windows XP (KB921883)
                  Security Update for Windows XP (KB922616)
                  Security Update for Windows XP (KB922819)
                  Security Update for Windows XP (KB923191)
                  Security Update for Windows XP (KB923414)
                  Security Update for Windows XP (KB923561)
                  Security Update for Windows XP (KB923689)
                  Security Update for Windows XP (KB923980)
                  Security Update for Windows XP (KB924191)
                  Security Update for Windows XP (KB924270)
                  Security Update for Windows XP (KB924496)
                  Security Update for Windows XP (KB924667)
                  Security Update for Windows XP (KB925902)
                  Security Update for Windows XP (KB926255)
                  Security Update for Windows XP (KB926436)
                  Security Update for Windows XP (KB927779)
                  Security Update for Windows XP (KB927802)
                  Security Update for Windows XP (KB928255)
                  Security Update for Windows XP (KB928843)
                  Security Update for Windows XP (KB929123)
                  Security Update for Windows XP (KB930178)
                  Security Update for Windows XP (KB931261)
                  Security Update for Windows XP (KB931784)
                  Security Update for Windows XP (KB932168)
                  Security Update for Windows XP (KB933729)
                  Security Update for Windows XP (KB935839)
                  Security Update for Windows XP (KB935840)
                  Security Update for Windows XP (KB936021)
                  Security Update for Windows XP (KB938127)
                  Security Update for Windows XP (KB938464)
                  Security Update for Windows XP (KB941202)
                  Security Update for Windows XP (KB941568)
                  Security Update for Windows XP (KB941569)
                  Security Update for Windows XP (KB941644)
                  Security Update for Windows XP (KB941693)
                  Security Update for Windows XP (KB943055)
                  Security Update for Windows XP (KB943460)
                  Security Update for Windows XP (KB943485)
                  Security Update for Windows XP (KB944338)
                  Security Update for Windows XP (KB944653)
                  Security Update for Windows XP (KB945553)
                  Security Update for Windows XP (KB946026)
                  Security Update for Windows XP (KB946648)
                  Security Update for Windows XP (KB947864)
                  Security Update for Windows XP (KB948590)
                  Security Update for Windows XP (KB948881)
                  Security Update for Windows XP (KB950749)
                  Security Update for Windows XP (KB950759)
                  Security Update for Windows XP (KB950760)
                  Security Update for Windows XP (KB950762)
                  Security Update for Windows XP (KB950974)
                  Security Update for Windows XP (KB951066)
                  Security Update for Windows XP (KB951376-v2)
                  Security Update for Windows XP (KB951376)
                  Security Update for Windows XP (KB951698)
                  Security Update for Windows XP (KB951748)
                  Security Update for Windows XP (KB952004)
                  Security Update for Windows XP (KB952954)
                  Security Update for Windows XP (KB953838)
                  Security Update for Windows XP (KB953839)
                  Security Update for Windows XP (KB954211)
                  Security Update for Windows XP (KB954600)
                  Security Update for Windows XP (KB955069)
                  Security Update for Windows XP (KB956390)
                  Security Update for Windows XP (KB956391)
                  Security Update for Windows XP (KB956572)
                  Security Update for Windows XP (KB956802)
                  Security Update for Windows XP (KB956803)
                  Security Update for Windows XP (KB956841)
                  Security Update for Windows XP (KB956844)
                  Security Update for Windows XP (KB957095)
                  Security Update for Windows XP (KB957097)
                  Security Update for Windows XP (KB958215)
                  Security Update for Windows XP (KB958470)
                  Security Update for Windows XP (KB958644)
                  Security Update for Windows XP (KB958687)
                  Security Update for Windows XP (KB958690)
                  Security Update for Windows XP (KB958869)
                  Security Update for Windows XP (KB959426)
                  Security Update for Windows XP (KB960225)
                  Security Update for Windows XP (KB960714)
                  Security Update for Windows XP (KB960715)
                  Security Update for Windows XP (KB960803)
                  Security Update for Windows XP (KB960859)
                  Security Update for Windows XP (KB961371)
                  Security Update for Windows XP (KB961373)
                  Security Update for Windows XP (KB961501)
                  Security Update for Windows XP (KB963027)
                  Security Update for Windows XP (KB968537)
                  Security Update for Windows XP (KB969059)
                  Security Update for Windows XP (KB969897)
                  Security Update for Windows XP (KB969898)
                  Security Update for Windows XP (KB969947)
                  Security Update for Windows XP (KB970238)
                  Security Update for Windows XP (KB970430)
                  Security Update for Windows XP (KB971468)
                  Security Update for Windows XP (KB971486)
                  Security Update for Windows XP (KB971557)
                  Security Update for Windows XP (KB971633)
                  Security Update for Windows XP (KB971657)
                  Security Update for Windows XP (KB971961)
                  Security Update for Windows XP (KB972260)
                  Security Update for Windows XP (KB972270)
                  Security Update for Windows XP (KB973346)
                  Security Update for Windows XP (KB973354)
                  Security Update for Windows XP (KB973507)
                  Security Update for Windows XP (KB973525)
                  Security Update for Windows XP (KB973869)
                  Security Update for Windows XP (KB973904)
                  Security Update for Windows XP (KB974112)
                  Security Update for Windows XP (KB974318)
                  Security Update for Windows XP (KB974392)
                  Security Update for Windows XP (KB974455)
                  Security Update for Windows XP (KB974571)
                  Security Update for Windows XP (KB975025)
                  Security Update for Windows XP (KB975467)
                  Security Update for Windows XP (KB975560)
                  Security Update for Windows XP (KB975561)
                  Security Update for Windows XP (KB975562)
                  Security Update for Windows XP (KB975713)
                  Security Update for Windows XP (KB976325)
                  Security Update for Windows XP (KB977165-v2)
                  Security Update for Windows XP (KB977816)
                  Security Update for Windows XP (KB977914)
                  Security Update for Windows XP (KB978037)
                  Security Update for Windows XP (KB978251)
                  Security Update for Windows XP (KB978262)
                  Security Update for Windows XP (KB978338)
                  Security Update for Windows XP (KB978542)
                  Security Update for Windows XP (KB978601)
                  Security Update for Windows XP (KB978706)
                  Security Update for Windows XP (KB979309)
                  Security Update for Windows XP (KB979482)
                  Security Update for Windows XP (KB979559)
                  Security Update for Windows XP (KB979683)
                  Security Update for Windows XP (KB980195)
                  Security Update for Windows XP (KB980218)
                  Security Update for Windows XP (KB980232)
                  SFR
                  SoundMAX
                  Spelling Dictionaries Support For Adobe Reader 8
                  SUPERAntiSpyware
                  TomTom HOME 2.7.5.2014
                  TomTom HOME Visual Studio Merge Modules
                  TWC Customer Controls
                  Uninstall Dual Mode Camera
                  Update for 2007 Microsoft Office System (KB967642)
                  Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
                  Update for Outlook 2007 Junk Email Filter (KB2443839)
                  Update for Windows Internet Explorer 8 (KB975364)
                  Update for Windows Internet Explorer 8 (KB976662)
                  Update for Windows Internet Explorer 8 (KB980182)
                  Update for Windows XP (KB898461)
                  Update for Windows XP (KB900485)
                  Update for Windows XP (KB908531)
                  Update for Windows XP (KB910437)
                  Update for Windows XP (KB911280)
                  Update for Windows XP (KB916595)
                  Update for Windows XP (KB920872)
                  Update for Windows XP (KB922582)
                  Update for Windows XP (KB925720)
                  Update for Windows XP (KB927891)
                  Update for Windows XP (KB930916)
                  Update for Windows XP (KB936357)
                  Update for Windows XP (KB938828)
                  Update for Windows XP (KB942763)
                  Update for Windows XP (KB951072-v2)
                  Update for Windows XP (KB955759)
                  Update for Windows XP (KB955839)
                  Update for Windows XP (KB967715)
                  Update for Windows XP (KB968389)
                  Update for Windows XP (KB971737)
                  Update for Windows XP (KB973687)
                  Update for Windows XP (KB973815)
                  Update for Windows XP (KB976749)
                  Walmart MP3 Music Downloads
                  WebFldrs XP
                  Windows Imaging Component
                  Windows Installer 3.1 (KB893803)
                  Windows Internet Explorer 8
                  Windows Media Format Runtime
                  Windows XP Hotfix - KB873339
                  Windows XP Hotfix - KB885835
                  Windows XP Hotfix - KB885836
                  Windows XP Hotfix - KB885884
                  Windows XP Hotfix - KB886185
                  Windows XP Hotfix - KB887472
                  Windows XP Hotfix - KB888302
                  Windows XP Hotfix - KB890859
                  Windows XP Hotfix - KB891781
                  Windows XP Service Pack 2
                  Yahoo! Browser Services
                  Yahoo! Install Manager
                  Yahoo! Internet Mail
                  Yahoo! Messenger
                  Yahoo! Toolbar

                  ==== Event Viewer Messages From Past Week ========

                  12/3/2010 7:11:29 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  IntelIde
                  12/3/2010 5:26:35 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  Fips intelppm OMCI SASDIFSV SASKUTIL
                  12/3/2010 5:25:23 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
                  12/1/2010 9:45:42 PM, error: Service Control Manager [7023]  - The iPod Service service terminated with the following error:  Security must be initialized before any interfaces are marshalled or unmarshalled. It cannot be changed once initialized.
                  12/1/2010 6:40:48 PM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
                  12/1/2010 6:40:48 PM, error: Service Control Manager [7000]  - The iPod Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
                  12/1/2010 6:40:06 PM, error: DCOM [10005]  - DCOM got error "%1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
                  11/30/2010 5:05:35 PM, error: DCOM [10000]  - Unable to start a DCOM Server: {D0AAD3D6-EB93-4363-A24E-2C3D80CDBAC7}. The error: "%5" Happened while starting this command: "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe" -Embedding
                  11/30/2010 5:05:33 PM, error: Service Control Manager [7001]  - The SSDP Discovery Service service depends on the HTTP service which failed to start because of the following error:  Access is denied.
                  11/30/2010 5:05:31 PM, error: Service Control Manager [7000]  - The HTTP service failed to start due to the following error:  Access is denied.
                  11/30/2010 4:10:34 PM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the Apple Mobile Device service to connect.
                  11/30/2010 4:10:34 PM, error: Service Control Manager [7000]  - The Apple Mobile Device service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
                  11/30/2010 4:09:58 PM, error: Service Control Manager [7034]  - The TomTomHOMEService service terminated unexpectedly.  It has done this 1 time(s).
                  11/30/2010 4:09:58 PM, error: Service Control Manager [7034]  - The Kodak AiO Device Service service terminated unexpectedly.  It has done this 1 time(s).
                  11/30/2010 4:09:58 PM, error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
                  11/30/2010 4:09:49 PM, information: Windows File Protection [64001]  - File replacement was attempted on the protected system file mstsc.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 4.20.0.0, the version of the system file is 5.1.2600.2180.
                  11/27/2010 9:59:51 PM, error: DCOM [10005]  - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
                  11/27/2010 8:05:44 PM, error: Service Control Manager [7022]  - The WebClient service hung on starting.
                  11/27/2010 5:31:17 PM, error: DCOM [10005]  - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

                  ==== End Of File ===========================
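The Windows File Protection and Service Control Manager entries in the log above are the security-relevant ones: something tried to overwrite mstsc.exe with a 4.20.0.0 build that WFP rolled back, and the HTTP service refused to start with "Access is denied". As an added example (not part of this thread and not code from the DDS tool), the following Python script parses event lines in DDS's format and ranks those two patterns, plus boot-time load failures of security-tool drivers. The five sample lines are copied from the log above; the driver-to-product mapping is an assumption stated in the code.

```python
import re
from dataclasses import dataclass

# Five lines copied from the "Event Viewer Messages From Past Week" section
# of the DDS log above; the parser handles the whole section the same way.
SAMPLE_LOG = """\
12/3/2010 5:26:35 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  Fips intelppm OMCI SASDIFSV SASKUTIL
11/30/2010 5:05:33 PM, error: Service Control Manager [7001]  - The SSDP Discovery Service service depends on the HTTP service which failed to start because of the following error:  Access is denied.
11/30/2010 5:05:31 PM, error: Service Control Manager [7000]  - The HTTP service failed to start due to the following error:  Access is denied.
11/30/2010 4:09:49 PM, information: Windows File Protection [64001]  - File replacement was attempted on the protected system file mstsc.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 4.20.0.0, the version of the system file is 5.1.2600.2180.
11/27/2010 8:05:44 PM, error: Service Control Manager [7022]  - The WebClient service hung on starting.
"""

# "<date> <time> <AM|PM>, <level>: <source> [<id>]  - <message>"
LINE_RE = re.compile(
    r"^(?P<when>\S+ \S+ [AP]M), (?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\]\s+-\s+(?P<msg>.*)$"
)
WFP_RE = re.compile(
    r"protected system file (?P<file>\S+?)\. .*bad file is (?P<bad>\d+(?:\.\d+)+), .*system file is (?P<good>\d+(?:\.\d+)+)"
)
# Assumed mapping: SASDIFSV/SASKUTIL are the SUPERAntiSpyware kernel drivers
# (SUPERAntiSpyware appears in the Add/Remove list above).
SECURITY_DRIVERS = {"SASDIFSV": "SUPERAntiSpyware", "SASKUTIL": "SUPERAntiSpyware"}
RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    severity: str
    event_id: int
    reason: str
    line: str


def parse_line(raw):
    """Split one DDS event line into its fields, or return None if it is not one."""
    m = LINE_RE.match(raw.strip())
    if not m:
        return None
    d = m.groupdict()
    d["event_id"] = int(d["event_id"])
    return d


def assess(ev):
    """Map one parsed event to (severity, reason), or None when it is just noise."""
    src, eid, msg = ev["source"], ev["event_id"], ev["msg"]
    if src == "Windows File Protection" and eid == 64001:
        # Something tried to overwrite a protected binary. WFP put the original
        # back, but whatever wrote the bad copy is still on the machine.
        w = WFP_RE.search(msg)
        what = f"{w['file']} (bad copy {w['bad']}, original {w['good']})" if w else msg
        return "high", f"protected system file replaced and restored by WFP: {what}"
    if src == "Service Control Manager" and "Access is denied" in msg:
        # A service the SCM itself cannot start usually means its ACL, image path
        # or binary was changed; common when malware disables services it dislikes.
        svc = re.search(r"The (.+?) service", msg)
        return "medium", f"service start blocked with access denied: {svc.group(1) if svc else '?'}"
    if src == "Service Control Manager" and eid == 7026:
        failed = msg.split(":")[-1].split()
        hit = [f"{d} ({SECURITY_DRIVERS[d]})" for d in failed if d in SECURITY_DRIVERS]
        if hit:
            return "low", "security-tool driver(s) failed to load at boot: " + ", ".join(hit)
    return None


def triage(log_text):
    """Return the findings for a block of DDS event lines, most severe first."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        verdict = assess(ev)
        if verdict:
            findings.append(Finding(verdict[0], ev["event_id"], verdict[1], raw.strip()))
    return sorted(findings, key=lambda f: RANK[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.event_id}: {f.reason}")
```

Run against the section above it reports the mstsc.exe replacement first, then the two access-denied service starts, then the SUPERAntiSpyware driver failures; the WebClient hang is dropped as noise. The point of ranking rather than listing is that a WFP 64001 event is direct evidence of tampering, whereas a hung service is something every XP box produces.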

                  BigMac100

                    Topic Starter


                    Rookie

                    Re: ThinkPoint?
                    « Reply #10 on: December 03, 2010, 06:50:20 PM »
                    Dave, I believe I have done everything as instructed even though I had to reboot twice during the DDS phase. Please let me know if there is anything you need.

                    Thank you!

                    SuperDave

                    • Malware Removal Specialist
                    • Moderator


                    • Genius
                    • Thanked: 1020
                    • Certifications: List
                    • Experience: Expert
                    • OS: Windows 10
                    Re: ThinkPoint?
                    « Reply #11 on: December 03, 2010, 07:40:45 PM »
                    Quote
                    This link is not a valid link. Do I go to the homepage and then download it? It takes me to CNET.
                    Yup. There's something amiss with that link. I'll have to check that out.

                    Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

                    Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

                    Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

                    Exit out of MessengerDisable then delete the two files that were put on the desktop.
                    ***********************************************
                    Please go to Jotti's malware scan
                    (If more than one file needs scanned they must be done separately and links posted for each one)

                    * Copy the file path in the below Code box:

                    Code:
                    C:\agtyjkj.bat

                    * At the upload site, click once inside the window next to Browse.
                    * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
                    * Next click Submit file
                    * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
                    * This will perform a scan across multiple different virus scanning engines.
                    * Important: Wait for all of the scanning engines to complete.
                    * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
                    ************************************************
                    I strongly recommend that you remove Ask from your computer because it:

                    •Promotes its toolbars on sites targeted to kids.

                    •Promotes its toolbars through ads that appear to be part of other companies' sites.

                    •Promotes its toolbars through other companies' spyware.

                    •Installs without any disclosure whatsoever and without any consent whatsoever.

                    •Solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.

                    •Makes confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

                    See Here for more info.

                    If you choose to follow my recommendation then please go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

                    AskBarDis or anything related to Ask

                    Then please find and delete this folder in bold (if present):
                    C:\Program Files\AskBarDis, or anything related to Ask.
                    ****************************************************
                    P2P - I see you have P2P software installed on your machine (FrostWire). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

                    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

                    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
                    ***********************************************
                    Download Security Check by screen317 from one of the following links and save it to your desktop.

                    Link 1
                    Link 2

                    * Unzip SecurityCheck.zip and a folder named Security Check should appear.
                    * Open the Security Check folder and double-click Security Check.bat
                    * Follow the on-screen instructions inside of the black box.
                    * A Notepad document should open automatically called checkup.txt
                    * Post the contents of that document in your next reply.

                    Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
                    ******************************************************
                    Download OTL to your desktop.

                    * Open OTL
                    * Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

                    Code:
                    :OTL

                    :otl
                    BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
                    TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
                    TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
                    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
                    mRun: [Dfesamiwokoje] rundll32.exe "c:\windows\ilihaxiqex.dll",Startup
                    dRunOnce: [RunNarrator] Narrator.exe
                    Trusted Zone: musicmatch.com\online

                    :COMMANDS
                    [resethosts]
                    [purity]
                    [clearrestorepoints]
                    [emptytemp]
                    [start explorer]

                    * Click Run Fix
                    * OTL may ask to reboot the machine. Please do so if asked.
                    * Click OK
                    * A report will open. Copy and Paste that report in your next reply.

                    Note: You may need two or more posts to fit them all in.

                    ****************************************
                    Please open Command Prompt (Start > Run and type CMD and press OK [Vista/7: Start search: CMD and press enter])
                    Enter the following in to the black box, pressing enter after each line:

                    Code:
                    cd desktop

                    mbr.exe -f

                    exit

                    Post a log (MBR.log).
                    ******************************
                    Windows 8 and Windows 10 dual boot with two SSD's
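Added example, not part of this thread and not code from OTL: a Python script that reads the listing lines of the OTL fix above and states why each one is worth removing. It marks entries ending in "No File" as orphans, flags a rundll32 autorun that loads a DLL from the Windows root directory as suspicious, and sets Trusted Zone additions aside for review. The Windows directory path is an assumption; on the real machine you would read %WINDIR%.

```python
import ntpath
import re

# Assumed Windows directory of the XP host; on the real machine read %WINDIR%.
WINDIR = r"c:\windows"

# The listing lines from the OTL fix above (the :COMMANDS section is not a
# listing and is skipped by the parser).
SAMPLE_OTL = r"""
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [Dfesamiwokoje] rundll32.exe "c:\windows\ilihaxiqex.dll",Startup
dRunOnce: [RunNarrator] Narrator.exe
Trusted Zone: musicmatch.com\online
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Za-z ]+?): (?P<rest>.*)$")      # "<kind>: <rest>"
RUN_RE = re.compile(r"^\[(?P<name>[^\]]+)\] (?P<cmd>.*)$")            # "[<value name>] <command>"
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?', re.IGNORECASE)


def classify(kind, rest):
    """Return (verdict, note) for one OTL listing line."""
    if rest.endswith("- No File"):
        # Registration whose target file is gone: dead weight, safe to delete.
        return "orphan", f"{kind} entry points at a file that no longer exists"
    if kind.lower().endswith(("run", "runonce")):
        rm = RUN_RE.match(rest)
        if not rm:
            return "info", "Run entry in an unexpected format"
        dm = RUNDLL_RE.match(rm["cmd"])
        if dm:
            dll = dm["dll"].strip().lower()
            if ntpath.dirname(dll) == WINDIR.lower():
                # rundll32 is a signed Microsoft host, so the thing to judge is the
                # DLL it loads. A DLL dropped straight into the Windows root is a
                # classic malware location; legitimate ones live under system32
                # or an application directory.
                return ("suspicious",
                        f"rundll32 loads {ntpath.basename(dll)} from the Windows root directory")
        return "info", f"autorun '{rm['name']}' runs: {rm['cmd']}"
    if kind == "Trusted Zone":
        # Hosts in the IE Trusted zone run with relaxed security settings.
        return "review", f"{rest} is in the IE Trusted zone; remove unless added on purpose"
    return "info", rest


def triage(listing):
    """Classify every listing line; returns [(kind, verdict, note), ...] in input order."""
    results = []
    for raw in listing.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            verdict, note = classify(m["kind"], m["rest"])
            results.append((m["kind"], verdict, note))
    return results


if __name__ == "__main__":
    for kind, verdict, note in triage(SAMPLE_OTL):
        print(f"{verdict:10} {kind:12} {note}")
```

The Narrator.exe RunOnce entry comes out as plain "info" because nothing in the line itself is a known-bad pattern; whether it belongs in the fix is a judgment the helper makes from the rest of the logs, which is exactly the distinction a script like this should make visible rather than hide.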

                      BigMac100

                      Re: ThinkPoint?
                      « Reply #12 on: December 06, 2010, 04:27:25 PM »
                      Dave,

                      I'm a little confused. When trying to remove Windows Messenger, I click the link you give "Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger". It takes me to Majorgeek.com. When I scroll down I see....


                      "This utility will allow you to disable Windows Messenger on per-user basis, or on a machine wide basis. Download the ZIP file and extract MessengerDisable.exe to your hard drive. You can either double click the EXE file, or create a shortcut to it, as you prefer. You can, optionally, use this utility to remove Windows Messenger from your machine. You may need Administrator level privileges to run this program."

                      The words "hard drive" are a link that takes me to an IBM website. When I exit out of it all and go back into it, sometimes there is a link "download" and it takes me to a Sprint site.

                      What do I do?

                      SuperDave
                      Re: ThinkPoint?
                      « Reply #13 on: December 06, 2010, 04:39:38 PM »
                      I tried the link and it works for me. There is no link in "harddrive" when I checked it. Did you actually download the program and run it?
                      In any case, if you can't get it to work, proceed with the rest of the instructions. It's not a big deal. I'm just trying to be thorough.


                        BigMac100

                        Re: ThinkPoint?
                        « Reply #14 on: December 06, 2010, 04:58:40 PM »
                        Thanks Dave for trying to be thorough. No, I did not download and run. The phrase "harddrive" is highlighted in green and when I put my cursor on it a pop-up appears, and when I click on it, it takes me to a link. Is there something else I can try to rid the computer of Messenger?

                        Also, I am having difficulty on the next step also. I can access the link but when I copy the code, it will not allow me to CTRL+V it to the window next to BROWSE.

                          BigMac100

                          Re: ThinkPoint?
                          « Reply #15 on: December 06, 2010, 05:21:35 PM »
                          Nor will it allow me to type the code, copy/paste or CTRL+V

                          SuperDave
                          Re: ThinkPoint?
                          « Reply #16 on: December 06, 2010, 07:27:05 PM »
                          Please just skip that one and go on with the next one. We'll return to it later.

                            BigMac100

                            Re: ThinkPoint?
                            « Reply #17 on: December 09, 2010, 02:18:00 PM »
                            Dave, I continue to have a hard time completing the second set of instructions. As you know, I am unable to remove Windows Messenger, cannot complete Jotti's malware scan, and when I try to remove Ask, I get a pop-up window that says:

                            RunDLL
                            Error loading c:\PROGRA~1\AskBar\bar\l.bin\AskSBar.dll
                            The specified could not be found

                            I continued to Security Check by screen317 and the results are below.

                            Thanks

                              BigMac100

                              Re: ThinkPoint?
                              « Reply #18 on: December 09, 2010, 02:18:43 PM »
                               Results of screen317's Security Check version 0.99.6 
                               Windows XP Service Pack 2 
                               Out of date service pack!!
                               Internet Explorer 8 
                              ``````````````````````````````
                              Antivirus/Firewall Check:

                               Windows Firewall Disabled! 
                              ```````````````````````````````
                              Anti-malware/Other Utilities Check:

                               Malwarebytes' Anti-Malware   
                               Java(TM) 6 Update 16 
                               Out of date Java installed!
                               Adobe Flash Player   
                              Adobe Reader 9
                              Out of date Adobe Reader installed!
                              ````````````````````````````````
                              Process Check: 
                              objlist.exe by Laurent

                              ````````````````````````````````
                              DNS Vulnerability Check:

                               Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

                              ``````````End of Log````````````

                                BigMac100

                                Re: ThinkPoint?
                                « Reply #19 on: December 09, 2010, 02:37:41 PM »
                                All processes killed
                                ========== OTL ==========
                                ========== OTL ==========
                                ========== COMMANDS ==========
                                C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
                                HOSTS file reset successfully
                                Error: Unable to interpret <[clearrestorepoints]> in the current context!
                                 
                                [EMPTYTEMP]
                                 
                                User: Administrator
                                ->Temp folder emptied: 311296 bytes
                                ->Temporary Internet Files folder emptied: 4949587 bytes
                                ->Flash cache emptied: 3270 bytes
                                 
                                User: All Users
                                 
                                User: Default User
                                ->Temp folder emptied: 0 bytes
                                ->Temporary Internet Files folder emptied: 33170 bytes
                                ->Flash cache emptied: 41044 bytes
                                 
                                User: LocalService
                                ->Temp folder emptied: 65984 bytes
                                ->Temporary Internet Files folder emptied: 102313967 bytes
                                ->Java cache emptied: 1100115 bytes
                                ->Flash cache emptied: 72568 bytes
                                 
                                User: NetworkService
                                ->Temp folder emptied: 0 bytes
                                ->Temporary Internet Files folder emptied: 538987481 bytes
                                ->Java cache emptied: 25082 bytes
                                ->Flash cache emptied: 20987 bytes
                                 
                                User: Owner
                                ->Temp folder emptied: 5210353 bytes
                                ->Temporary Internet Files folder emptied: 45875376 bytes
                                ->Java cache emptied: 9042236 bytes
                                ->Google Chrome cache emptied: 819568 bytes
                                ->Flash cache emptied: 2002126 bytes
                                 
                                %systemdrive% .tmp files removed: 0 bytes
                                %systemroot% .tmp files removed: 1126364 bytes
                                %systemroot%\System32 .tmp files removed: 7103 bytes
                                %systemroot%\System32\dllcache .tmp files removed: 0 bytes
                                %systemroot%\System32\drivers .tmp files removed: 0 bytes
                                Windows Temp folder emptied: 37926273 bytes
                                %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 64700720 bytes
                                %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34767 bytes
                                RecycleBin emptied: 5795726 bytes
                                 
                                Total Files Cleaned = 782.00 mb
                                 
                                 
                                OTL by OldTimer - Version 3.2.17.3 log created on 12092010_162522

                                Files\Folders moved on Reboot...
                                File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\WPGNQVQN\main_6;sz=300x250;kl=N;!c=6;k2=617;k2=592;klg=en;kvid=X2M1KNbF2sU;kpu=SouljaBoy;kr=F;khd=0;kt=K;ko=c;kpid=6;afc=1;kga=-1;kp=1;u=X2M1KNbF2sU_6;kgg=-1;kcr=us;custp=bpqhOEGlI-[1].htm not found!
                                File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\WPGNQVQN\music_rockpop;sz=300x250;kl=N;klg=en;kt=K;kga=-1;kr=F;kw=kiss+me+through+the+phone;kgg=-1;kcr=us;dc_dedup=1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=254769617428592[2].37 not found!
                                File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\072XKNW3\activity;src=1318077;met=1;v=1;pid=18708550;aid=211740135;ko=0;cid=30287582;rid=30305459;rv=1;&timestamp=1234557888043;eid1=2;ecn1=1;etm1=5;eid2=40181;ecn2=1;etm2=0;[1].gif not found!
                                File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\072XKNW3\main_6;sz=300x250;kl=N;!c=6;k2=617;k2=35;kbz=1;klg=en;kvid=QhwQay4QiOw;kpu=universalmusicgroup;kr=F;khd=0;kt=K;ko=p;kpid=6;afc=1;kga=-1;k1=hip%20hop;kp=1;u=QhwQay4QiOw_6;kg[1].htm not found!
                                File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF551E.tmp not found!
                                File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF58BD.tmp not found!
                                File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF60AB.tmp not found!
                                C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PINY6JD0\topic,113160.0[1].html moved successfully.
                                C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\SuggestedSites.dat moved successfully.

                                Registry entries deleted on Reboot...
                                « Last Edit: December 09, 2010, 04:32:14 PM by SuperDave »

                                  BigMac100

                                  Re: ThinkPoint?
                                  « Reply #20 on: December 09, 2010, 02:57:13 PM »
                                  Dave, I was able to complete some of the instructions as you can see. However, the last instruction, CMD.
                                  After entering cd desktop, I get this error when entering mbr.exe -f:

                                  'mbr.exe' is not recognized as an internal or external command, operable program or batch file

                                  Please let me know the next steps.

                                  Thank You!

                                  SuperDave
                                  Re: ThinkPoint?
                                  « Reply #21 on: December 09, 2010, 04:40:09 PM »
                                    Update Your Java (JRE)

                                    Old versions of Java have vulnerabilities that malware can use to infect your system.


                                    First Verify your Java Version

                                    If there are any other version(s) installed then update now.

                                    Get the new version (if needed)

                                    If your version is out of date install the newest version of the Sun Java Runtime Environment.

                                    Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

                                    Be sure to close ALL open web browsers before starting the installation.

                                    Remove any old versions

                                    1. Download JavaRa and unzip the file to your Desktop.
                                    2. Open JavaRA.exe and choose Remove Older Versions
                                    3. Once complete exit JavaRA.
                                    4. Run CCleaner.

                                    Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
                                    *****************************************
                                    Please download the newest version of Adobe Acrobat Reader from Adobe.com

                                    Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
                                    Go to the Control Panel and enter Add or Remove Programs.
                                    Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

                                    Once old versions are gone, please install the newest version.
                                    **************************************************
                                    Delete An Uninstall Entry

                                    •Start HijackThis

                                    •Click on the Open the Misc Tools section

                                    •Click on the Open Uninstall Manager button.

                                    •Highlight the entry you want to remove.
                                    Ask Toolbar

                                    •Click Delete this entry
                                    *********************************************
                                    This next tool I want you to use will not run with AVG Anti-Virus. If this is what you're using for your AV program you will have to uninstall it. First, download a free AV program from the list below and install it. Then, run the AVG removal tool provided below. Next, run the ComboFix scan and post the log.

                                    Remember to only install one antivirus!
                                     
                                    1) Avast! Home Edition
                                    2) AVG Free Edition
                                    3) Avira AntiVir Personal
                                    4) Microsoft Security Essentials for Windows Vista\Windows 7 - 64 bit Download
                                    4-a) Microsoft Security Essentials for Windows XP
                                    5) Comodo Antivirus (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
                                    6) PC Tools AntiVirus Free Edition

                                    It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.
                                    *******************************************
                                    AVG Antivirus - AVG Antivirus Remover utility

                                    **********************************************
                                    Please download ComboFix from BleepingComputer.com

                                    Alternate link: GeeksToGo.com

                                    Rename ComboFix.exe to commy.exe before you save it to your Desktop
                                    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
                                    Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
                                    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
                                    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

                                    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

                                    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


                                    Click on Yes, to continue scanning for malware.
                                    When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

                                    If you have problems with ComboFix usage, see How to use ComboFix
                                    Windows 8 and Windows 10 dual boot with two SSD's
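The ComboFix log requested above runs to several hundred lines, and the items a helper scans for first are always the same: third-party firewalls the header reports as disabled, bulk `AtN.job` scheduled tasks under Other Deletions, any bootkit line, the `EnableFirewall` policy value, and Run-key entries whose binary starts from somewhere other than `c:\windows` or `c:\program files`. The script below is an added example written for this thread, not ComboFix's own code and not something the poster or the helper used; it follows the section banners and line layouts of the log format shown later in this thread. The allowlist of trusted directories is an assumption, and the embedded sample log is constructed for the example (the `Updater` Run entry and its `PLACEHOLDER` path were added only to exercise the check; they were not on the poster's machine).

```python
r"""Triage a ComboFix log for the items a malware-removal helper checks first.

Added example, not ComboFix's own code. The (((( Section )))) banners, the
header FW: lines, the [HKEY...\Run] blocks and the c:\windows\Tasks\AtN.job
entries follow the log layout posted in this thread; the trusted-directory
allowlist and the sample log are assumptions made for this example.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+\s*$")
FW_RE = re.compile(r"^FW:\s*(?P<name>.+?)\s*\*(?P<state>[^*]+)\*")
AT_JOB_RE = re.compile(r"\\windows\\tasks\\at\d+\.job$", re.IGNORECASE)
BOOTKIT_RE = re.compile(r"bootkit .* was found", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+\\run(once)?)\]$", re.IGNORECASE)
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
FW_POLICY_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')

# Assumed allowlist: autostart binaries are expected under these roots. A Run value
# that starts from a user profile, or carries no path at all, is worth a second look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_sections(text):
    """Group log lines by the banner they fall under ("Header" before the first one)."""
    sections = defaultdict(list)
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group("name")
        elif line and line != ".":          # ComboFix uses a lone "." as a spacer
            sections[current].append(line)
    return sections


def triage(text):
    """Return the indicators a helper would want surfaced from a ComboFix log."""
    sections = parse_sections(text)
    findings = {
        "firewalls_disabled": [],                 # FW: lines marked *Disabled*
        "at_jobs_deleted": 0,                     # c:\windows\Tasks\AtN.job removals
        "bootkit": None,                          # MBR/bootkit line, if present
        "windows_firewall_policy_off": False,     # "EnableFirewall"= 0 in the policy key
        "run_entries_outside_trusted_dirs": [],   # (key, value name, path)
    }
    for line in sections["Header"]:
        m = FW_RE.match(line)
        if m and "disabled" in m.group("state").lower():
            findings["firewalls_disabled"].append(m.group("name"))
    for line in sections["Other Deletions"]:
        if AT_JOB_RE.search(line):
            findings["at_jobs_deleted"] += 1
    for lines in list(sections.values()):
        for line in lines:
            if BOOTKIT_RE.search(line):
                findings["bootkit"] = line
    run_key = None
    for line in sections["Reg Loading Points"]:
        key = RUN_KEY_RE.match(line)
        if key:
            run_key = key.group("key")
            continue
        if line.startswith("["):                  # some other registry key: leave Run context
            run_key = None
            continue
        if FW_POLICY_OFF_RE.match(line):
            findings["windows_firewall_policy_off"] = True
            continue
        value = RUN_VALUE_RE.match(line)
        if run_key and value and not value.group("path").lower().startswith(TRUSTED_PREFIXES):
            findings["run_entries_outside_trusted_dirs"].append(
                (run_key, value.group("name"), value.group("path")))
    return findings


# Constructed sample, trimmed and modelled on the log format in this thread.
# The "Updater" entry and its PLACEHOLDER path exist only to exercise the check.
SAMPLE_LOG = r"""
ComboFix 10-12-11.03 - Owner 12/11/2010  21:11:11.3.1 - x86
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
((((((((((((((((   Other Deletions   ))))))))))))))))
.
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At3.job
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((   Reg Loading Points   ))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-12-01 4662776]
"Updater"="c:\documents and settings\Owner\Application Data\PLACEHOLDER\updater.exe" [2010-11-30 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-01-20 28160]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Run it against a saved `C:\ComboFix.txt` by reading the file into `triage()`; the bare `KHALMNPR.EXE` entry in the sample shows why path-less values are flagged rather than ignored: they are resolved through the search path at logon, so the helper has to confirm which file actually runs.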

                                    BigMac100

                                      Topic Starter


                                      Rookie

                                      Re: ThinkPoint?
                                      « Reply #22 on: December 09, 2010, 06:13:24 PM »
                                      JavaRa 1.15 Removal Log.

                                      Report follows after line.

                                      ------------------------------------

                                      The JavaRa removal process was started on Mon Oct 26 18:01:06 2009

                                      Found and removed: C:\Program Files\Java\jre1.5.0_01

                                      Found and removed: C:\Program Files\Java\jre1.6.0_03

                                      Found and removed: C:\Documents and Settings\Owner\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150010}

                                      Found and removed: C:\Windows\System32\jupdate-1.5.0_01-b08.log

                                      Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_01\

                                      Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\

                                      ------------------------------------

                                      Finished reporting.



                                      JavaRa 1.15 Removal Log.

                                      Report follows after line.

                                      ------------------------------------

                                      The JavaRa removal process was started on Mon Oct 26 18:02:15 2009

                                      ------------------------------------

                                      Finished reporting.



                                      JavaRa 1.16 Removal Log.

                                      Report follows after line.

                                      ------------------------------------

                                      The JavaRa removal process was started on Thu Dec 09 20:05:36 2010

                                      Found and removed: C:\Documents and Settings\Owner\Application Data\Sun\Java\jre1.6.0_16

                                      ------------------------------------

                                      Finished reporting.



                                      JavaRa 1.16 Removal Log.

                                      Report follows after line.

                                      ------------------------------------

                                      The JavaRa removal process was started on Thu Dec 09 20:06:26 2010

                                      ------------------------------------

                                      Finished reporting.



                                      JavaRa 1.16 Removal Log.

                                      Report follows after line.

                                      ------------------------------------

                                      The JavaRa removal process was started on Thu Dec 09 20:07:42 2010

                                      ------------------------------------

                                      Finished reporting.



                                      JavaRa 1.16 Removal Log.

                                      Report follows after line.

                                      ------------------------------------

                                      The JavaRa removal process was started on Thu Dec 09 20:11:26 2010

                                      ------------------------------------

                                      Finished reporting.




                                      SuperDave

                                      • Malware Removal Specialist
                                      • Moderator


                                      • Genius
                                      • Thanked: 1020
                                      • Certifications: List
                                      • Experience: Expert
                                      • OS: Windows 10
                                      Re: ThinkPoint?
                                      « Reply #23 on: December 10, 2010, 01:29:33 PM »
                                      Were you able to download and run the ComboFix scan?

                                      BigMac100

                                        Topic Starter


                                        Rookie

                                        Re: ThinkPoint?
                                        « Reply #24 on: December 11, 2010, 07:34:12 PM »
                                        Dave, sorry it's taken so long to get the results of your instructions. I have to re-boot/shut down about every other time I try to do something. Here are the results of ComboFix. I did not get AVG Antivirus removed.

                                        BigMac100

                                          Topic Starter


                                          Rookie

                                          Re: ThinkPoint?
                                          « Reply #25 on: December 11, 2010, 07:35:00 PM »
                                          ComboFix 10-12-11.03 - Owner 12/11/2010  21:11:11.3.1 - x86
                                          Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.254.53 [GMT -5:00]
                                          Running from: c:\documents and settings\Owner\Desktop\commy.exe
                                          AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
                                          AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
                                          FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
                                          FW: AVG Firewall *Enabled* {8decf618-9569-4340-b34a-d78d28969b66}
                                          .

                                          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                                          .

                                          c:\documents and settings\Owner\Application Data\completescan
                                          c:\documents and settings\Owner\Application Data\install
                                          c:\documents and settings\Owner\Application Data\Xiurz
                                          c:\documents and settings\Owner\Application Data\Ysez
                                          c:\documents and settings\Owner\Application Data\Ysez\zavi.vif
                                          c:\documents and settings\Owner\Local Settings\Application Data\{9943D1B2-DB9A-4D3E-A0F2-583F318A9828}
                                          c:\documents and settings\Owner\Local Settings\Application Data\{9943D1B2-DB9A-4D3E-A0F2-583F318A9828}\chrome.manifest
                                          c:\documents and settings\Owner\Local Settings\Application Data\{9943D1B2-DB9A-4D3E-A0F2-583F318A9828}\chrome\content\_cfg.js
                                          c:\documents and settings\Owner\Local Settings\Application Data\{9943D1B2-DB9A-4D3E-A0F2-583F318A9828}\chrome\content\overlay.xul
                                          c:\documents and settings\Owner\Local Settings\Application Data\{9943D1B2-DB9A-4D3E-A0F2-583F318A9828}\install.rdf
                                          c:\program files\Need2Find
                                          c:\program files\Need2Find\bar\1.bin\N2FFXTBR.JAR
                                          c:\program files\Need2Find\bar\1.bin\N2NTSTBR.JAR
                                          c:\program files\Need2Find\bar\1.bin\PARTNER.DAT
                                          c:\program files\Need2Find\bar\Cache\0066FA0F
                                          c:\program files\Need2Find\bar\Cache\00673A73
                                          c:\program files\Need2Find\bar\History\search
                                          c:\program files\Need2Find\bar\Settings\prevcfg.htm
                                          c:\program files\Shared
                                          c:\windows\system32\cache329
                                          c:\windows\system32\cache329\B_329_0_0_106800.htm
                                          c:\windows\system32\cache329\B_329_0_0_107400.htm
                                          c:\windows\system32\cache329\B_329_1_0_449200.htm
                                          c:\windows\system32\cache329\B_329_1_0_449600.htm
                                          c:\windows\system32\cache329\B_329_1_0_454300.htm
                                          c:\windows\system32\cache329\B_329_2_0_105300.htm
                                          c:\windows\system32\cache329\B_329_2_0_106800.htm
                                          c:\windows\system32\cache329\B_329_2_0_107400.htm
                                          c:\windows\system32\cache329\B_329_3_0_106800.htm
                                          c:\windows\system32\cache329\B_329_3_0_107400.htm
                                          c:\windows\system32\cache329\B_329_4_0_111600.htm
                                          c:\windows\system32\cache329\B_329_4_0_152400.htm
                                          c:\windows\system32\cache329\B_329_4_0_155300.htm
                                          c:\windows\system32\cache329\B_329_4_0_164100.htm
                                          c:\windows\system32\cache329\t_B_329_0_0_106800.htm
                                          c:\windows\system32\cache329\t_B_329_0_0_107400.htm
                                          c:\windows\system32\cache329\t_B_329_1_0_449200.htm
                                          c:\windows\system32\cache329\t_B_329_1_0_449600.htm
                                          c:\windows\system32\cache329\t_B_329_1_0_454300.htm
                                          c:\windows\system32\cache329\t_B_329_2_0_105300.htm
                                          c:\windows\system32\cache329\t_B_329_2_0_106800.htm
                                          c:\windows\system32\cache329\t_B_329_2_0_107400.htm
                                          c:\windows\system32\cache329\t_B_329_3_0_106800.htm
                                          c:\windows\system32\cache329\t_B_329_3_0_107400.htm
                                          c:\windows\system32\cache329\t_B_329_4_0_111600.htm
                                          c:\windows\system32\cache329\t_B_329_4_0_152400.htm
                                          c:\windows\system32\cache329\t_B_329_4_0_155300.htm
                                          c:\windows\system32\cache329\t_B_329_4_0_164100.htm
                                          c:\windows\system32\tmp.reg
                                          c:\windows\Tasks\At1.job
                                          c:\windows\Tasks\At10.job
                                          c:\windows\Tasks\At11.job
                                          c:\windows\Tasks\At12.job
                                          c:\windows\Tasks\At13.job
                                          c:\windows\Tasks\At14.job
                                          c:\windows\Tasks\At15.job
                                          c:\windows\Tasks\At16.job
                                          c:\windows\Tasks\At17.job
                                          c:\windows\Tasks\At18.job
                                          c:\windows\Tasks\At19.job
                                          c:\windows\Tasks\At2.job
                                          c:\windows\Tasks\At20.job
                                          c:\windows\Tasks\At21.job
                                          c:\windows\Tasks\At22.job
                                          c:\windows\Tasks\At23.job
                                          c:\windows\Tasks\At24.job
                                          c:\windows\Tasks\At25.job
                                          c:\windows\Tasks\At26.job
                                          c:\windows\Tasks\At27.job
                                          c:\windows\Tasks\At28.job
                                          c:\windows\Tasks\At29.job
                                          c:\windows\Tasks\At3.job
                                          c:\windows\Tasks\At30.job
                                          c:\windows\Tasks\At31.job
                                          c:\windows\Tasks\At32.job
                                          c:\windows\Tasks\At33.job
                                          c:\windows\Tasks\At34.job
                                          c:\windows\Tasks\At35.job
                                          c:\windows\Tasks\At36.job
                                          c:\windows\Tasks\At37.job
                                          c:\windows\Tasks\At38.job
                                          c:\windows\Tasks\At39.job
                                          c:\windows\Tasks\At4.job
                                          c:\windows\Tasks\At40.job
                                          c:\windows\Tasks\At41.job
                                          c:\windows\Tasks\At42.job
                                          c:\windows\Tasks\At43.job
                                          c:\windows\Tasks\At44.job
                                          c:\windows\Tasks\At45.job
                                          c:\windows\Tasks\At46.job
                                          c:\windows\Tasks\At47.job
                                          c:\windows\Tasks\At48.job
                                          c:\windows\Tasks\At5.job
                                          c:\windows\Tasks\At6.job
                                          c:\windows\Tasks\At7.job
                                          c:\windows\Tasks\At8.job
                                          c:\windows\Tasks\At9.job

                                          .
                                          \\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
                                          .
                                          (((((((((((((((((((((((((   Files Created from 2010-11-12 to 2010-12-12  )))))))))))))))))))))))))))))))
                                          .

                                          2010-12-12 01:52 . 2010-12-12 01:52   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
                                          2010-12-11 00:17 . 2010-12-11 00:17   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
                                          2010-12-11 00:17 . 2010-12-11 00:17   --------   d-----w-   c:\documents and settings\NetworkService\Application Data\Apple Computer
                                          2010-12-11 00:01 . 2010-09-07 15:47   17744   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
                                          2010-12-11 00:01 . 2010-09-07 15:52   165584   ----a-w-   c:\windows\system32\drivers\aswSP.sys
                                          2010-12-11 00:01 . 2010-09-07 15:47   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
                                          2010-12-11 00:01 . 2010-09-07 15:52   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
                                          2010-12-11 00:01 . 2010-09-07 15:47   100176   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
                                          2010-12-11 00:01 . 2010-09-07 15:47   94544   ----a-w-   c:\windows\system32\drivers\aswmon.sys
                                          2010-12-11 00:01 . 2010-09-07 15:46   28880   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
                                          2010-12-11 00:00 . 2010-09-07 16:12   38848   ----a-w-   c:\windows\avastSS.scr
                                          2010-12-11 00:00 . 2010-09-07 16:11   167592   ----a-w-   c:\windows\system32\aswBoot.exe
                                          2010-12-10 23:17 . 2010-12-10 23:17   388096   ----a-r-   c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
                                          2010-12-10 23:05 . 2010-12-10 23:05   --------   d-----w-   c:\program files\Common Files\Adobe AIR
                                          2010-12-10 23:04 . 2010-12-10 23:04   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee Security Scan
                                          2010-12-10 23:04 . 2010-12-10 23:04   --------   d-----w-   c:\program files\McAfee Security Scan
                                          2010-12-10 00:34 . 2010-12-10 00:34   --------   d-----w-   c:\program files\Common Files\Java
                                          2010-12-10 00:33 . 2010-09-15 09:50   472808   ----a-w-   c:\windows\system32\deployJava1.dll
                                          2010-12-09 21:25 . 2010-12-09 21:25   --------   d-----w-   C:\_OTL
                                          2010-12-02 23:05 . 2010-12-02 23:05   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
                                          2010-11-30 23:50 . 2010-12-04 00:07   --------   d-----w-   c:\documents and settings\Owner\Application Data\Qerie
                                          2010-11-30 23:50 . 2010-12-02 03:01   --------   d-----w-   c:\documents and settings\Owner\Application Data\Owuvw
                                          2010-11-30 21:09 . 2010-11-30 21:09   230   ----a-w-   C:\agtyjkj.bat
                                          2010-11-27 19:19 . 2010-12-04 00:07   --------   d-----w-   c:\documents and settings\Owner\Application Data\Owovy
                                          2010-11-27 19:19 . 2010-12-02 03:01   --------   d-----w-   c:\documents and settings\Owner\Application Data\Edgubo
                                          2010-11-25 22:50 . 2010-11-25 22:50   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
                                          2010-11-25 21:06 . 2010-12-10 23:47   --------   d-----w-   c:\windows\system32\drivers\AVG
                                          2010-11-25 02:56 . 2001-08-17 18:48   12160   -c--a-w-   c:\windows\system32\dllcache\mouhid.sys
                                          2010-11-25 02:56 . 2001-08-17 18:48   12160   ----a-w-   c:\windows\system32\drivers\mouhid.sys
                                          2010-11-25 01:45 . 2010-11-25 01:45   --------   d-----w-   c:\windows\system32\wbem\Repository
                                          2010-11-24 23:59 . 2010-11-24 23:59   --------   d-----w-   c:\program files\Loaris
                                          2010-11-24 21:48 . 2010-11-24 21:48   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
                                          2010-11-24 15:37 . 2010-11-24 15:38   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
                                          2010-11-24 12:17 . 2010-11-24 12:17   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
                                          2010-11-23 23:19 . 2010-11-23 23:19   --------   d-sh--w-   c:\documents and settings\NetworkService\IETldCache

                                          .
                                          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                                          .
                                          2010-11-29 22:42 . 2010-11-08 22:11   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                                          2010-11-29 22:42 . 2010-11-08 22:11   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                                          2010-09-15 07:29 . 2009-10-26 21:50   73728   ----a-w-   c:\windows\system32\javacpl.cpl
                                          .

                                          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                                          .
                                          .
                                          *Note* empty entries & legit default entries are not shown
                                          REGEDIT4

                                          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                          "Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-12-01 4662776]
                                          "LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-23 67128]
                                          "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-06-24 247144]

                                          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                          "IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
                                          "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
                                          "Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
                                          "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-01-20 28160]
                                          "MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-19 110592]
                                          "MimBoot"="c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-01-19 11776]
                                          "EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-02-15 1052672]
                                          "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
                                          "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
                                          "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
                                          "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
                                          "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
                                          "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
                                          "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

                                          [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
                                          "RunNarrator"="Narrator.exe" [2006-10-04 53760]

                                          c:\documents and settings\All Users\Start Menu\Programs\Startup\
                                          Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-3-23 67128]
                                          Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-2-2 532480]
                                          McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
                                          Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

                                          [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                                          "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                                          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                                          2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

                                          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                                          "EnableFirewall"= 0 (0x0)

                                          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                                          "%windir%\\system32\\sessmgr.exe"=
                                          "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
                                          "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
                                          "c:\\Program Files\\FrostWire\\FrostWire.exe"=
                                          "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                                          "c:\\Program Files\\iTunes\\iTunes.exe"=

                                          R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/10/2010 7:01 PM 165584]
                                          R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
                                          R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
                                          R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/10/2010 7:01 PM 17744]
                                          R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [2/28/2008 5:57 PM 18944]
                                          R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [6/24/2010 9:41 AM 92008]
                                          S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/10/2010 7:02 PM 136176]
                                          S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [11/8/2010 5:11 PM 38224]
                                          S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
                                          .
                                          Contents of the 'Scheduled Tasks' folder

                                          2010-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job
                                          - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

                                          2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                                          - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-11 00:02]

                                          2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                                          - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-11 00:02]

                                          2010-12-12 c:\windows\Tasks\User_Feed_Synchronization-{15BE7D63-A464-42B5-B135-F874DC36DC73}.job
                                          - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
                                          .
                                          .
                                          ------- Supplementary Scan -------
                                          .
                                          uStart Page = hxxp://www.columbus.rr.com/
                                          uInternet Connection Wizard,ShellNext = iexplore
                                          uInternet Settings,ProxyOverride = *.local
                                          uSearchAssistant = hxxp://www.google.com/ie
                                          uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
                                          IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
                                          IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
                                          IE: Show All Original Images - c:\program files\NetZero\qsacc\appres.dll/228
                                          IE: Show Original Image - c:\program files\NetZero\qsacc\appres.dll/227
                                          IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
                                          IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
                                          IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
                                          Trusted Zone: musicmatch.com\online
                                          Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
                                          DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.leaguelineup.com/_incl/uploader/ImageUploader6.cab
                                          .
                                          - - - - ORPHANS REMOVED - - - -

                                          URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
                                          Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
                                          WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
                                          HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
                                          HKLM-Run-Webroot Desktop Firewall - c:\program files\Webroot\Webroot Desktop Firewall\WDF.exe
                                          HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
                                          AddRemove-CS - c:\program files\CS\cs.exe



                                          **************************************************************************

                                          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                                          Rootkit scan 2010-12-11 21:24
                                          Windows 5.1.2600 Service Pack 2 NTFS

                                          scanning hidden processes ... 

                                          scanning hidden autostart entries ...

                                          scanning hidden files ... 

                                          scan completed successfully
                                          hidden files: 0

                                          **************************************************************************
                                          .
                                          --------------------- DLLs Loaded Under Running Processes ---------------------

                                          - - - - - - - > 'winlogon.exe'(624)
                                          c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                                          c:\windows\system32\WININET.dll
                                          .
                                          Completion time: 2010-12-11  21:29:22
                                          ComboFix-quarantined-files.txt  2010-12-12 02:29
                                          ComboFix2.txt  2007-08-04 00:14

                                          Pre-Run: 53,781,041,152 bytes free
                                          Post-Run: 54,003,970,048 bytes free

                                          WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
                                          [boot loader]
                                          timeout=2
                                          default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
                                          [operating systems]
                                          c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
                                          UnsupportedDebug="do not select this" /debug
                                          multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

                                          - - End Of File - - 0265D77BE2C3088F354422474419C642

                                          BigMac100

                                            Topic Starter


                                            Rookie

                                            Re: ThinkPoint?
                                            « Reply #26 on: December 11, 2010, 07:38:39 PM »
                                            Please let me know what to do next. Thanks

                                            SuperDave

                                            • Malware Removal Specialist
                                            • Moderator


                                            • Genius
                                            • Thanked: 1020
                                            • Certifications: List
                                            • Experience: Expert
                                            • OS: Windows 10
                                            Re: ThinkPoint?
                                            « Reply #27 on: December 12, 2010, 01:30:49 PM »
                                            P2P - I see you have P2P software installed on your machine (FrostWire). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

                                            Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
                                            *******************************************
                                            Re-running ComboFix to remove infections:

                                            • Close any open browsers.
• Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
• Open Notepad and copy/paste the text in the quotebox below into it:
                                              Quote
                                              KillAll::

                                              File::
                                              C:\agtyjkj.bat

                                            • Save this as CFScript.txt, in the same location as ComboFix.exe



                                            • Referring to the picture above, drag CFScript into ComboFix.exe
                                            • When finished, it shall produce a log for you at C:\ComboFix.txt
                                            • Please post the contents of the log in your next reply.
                                            **********************************************
                                            SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

                                            http://sites.google.com/site/sysprotantirootkit/

                                            Unzip it into a folder on your desktop.
                                            • Double click Sysprot.exe to start the program.
                                            • Click on the Log tab.
                                            • In the Write to log box select the following items.
                                              • Process << Selected
                                              • Kernel Modules << Selected
                                              • SSDT << Selected
                                              • Kernel Hooks << Selected
                                              • IRP Hooks << NOT Selected
                                              • Ports << NOT Selected
                                              • Hidden Files << Selected
                                            • At the bottom of the page
                                              • Hidden Objects Only << Selected
                                            • Click on the Create Log button on the bottom right.
                                            • After a few seconds a new window should appear.
                                            • Select Scan Root Drive. Click on the Start button.
                                            • When it is complete a new window will appear to indicate that the scan is finished.
                                            • The log will be saved automatically in the same folder Sysprot.exe was extracted to.

                                            Open the text file and copy/paste the log here.
                                            Windows 8 and Windows 10 dual boot with two SSD's
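A small triage script for the log the SysProt steps above produce, added here as an example; it is not part of SysProt, ComboFix or any reply in this thread. It parses the Kernel Modules and SSDT blocks, then separates hidden modules that are expected on a machine where these tools have just run (crash-dump driver copies, ComboFix's catchme driver, Process Explorer's driver) from ones a helper would want to look at. The sample log is constructed in SysProt's layout, and the allowlists and example_unknown.sys are assumptions.

```python
"""Triage a SysProt Antirootkit log: hidden kernel modules and SSDT hooks.

Added example for this thread, not SysProt's or ComboFix's own code. The
layout (``Kernel Modules:`` / ``SSDT:`` blocks of ``Key: Value`` lines,
records separated by blank lines) follows the log posted in the thread.
"""
import re

# Constructed sample in the SysProt layout. dump_atapi.sys and catchme.sys are
# names seen in the posted log; example_unknown.sys is a made-up placeholder.
SAMPLE_LOG = r"""SysProt AntiRootkit v1.0.1.0
by swatkat

No Hidden Processes found

Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: F04CA000
Module End: F04E2000
Hidden: Yes

Module Name: \??\C:\commy\catchme.sys
Service Name: catchme
Module Base: F9542000
Module End: F954A000
Hidden: Yes

Module Name: \??\C:\WINDOWS\system32\Drivers\example_unknown.sys
Service Name: ---
Module Base: F9800000
Module End: F9810000
Hidden: Yes

SSDT:
Function Name: ZwClose
Address: F0684CF0
Driver Base: F067C000
Driver End: F06A3000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS
"""

# Allowlists (assumption: extend for your own environment). Scanner/tool
# drivers routinely show as "hidden" because they are loaded without a
# registered service; dump_*.sys crash-dump copies are matched by prefix.
KNOWN_TOOL_DRIVERS = {
    "catchme.sys",     # ComboFix's catchme rootkit-scanner driver
    "procexp113.sys",  # Sysinternals Process Explorer driver
}
KNOWN_AV_DRIVERS = {"aswsp.sys"}  # avast self-protection driver (AV in the log)


def parse_sections(text):
    """Return {section_name: [record_dict, ...]} from a SysProt log."""
    sections, current, record = {}, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                       # blank line ends a record
            if record and current is not None:
                sections[current].append(record)
            record = {}
            continue
        if re.fullmatch(r"[A-Za-z ]+:", line):   # e.g. "Kernel Modules:"
            if record and current is not None:
                sections[current].append(record)
            record, current = {}, line[:-1]
            sections.setdefault(current, [])
            continue
        if current is None:                # banner lines before any section
            continue
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip()] = value.strip()
    if record and current is not None:
        sections[current].append(record)
    return sections


def basename(path):
    """Lower-cased file name from an NT path such as \\??\\C:\\x\\y.sys."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hidden_modules(sections):
    """(name, service, verdict) for every module the log marks Hidden: Yes."""
    out = []
    for rec in sections.get("Kernel Modules", []):
        if rec.get("Hidden", "").lower() != "yes":
            continue
        name = basename(rec.get("Module Name", ""))
        if name.startswith("dump_"):
            verdict = "expected: crash-dump driver copy"
        elif name in KNOWN_TOOL_DRIVERS:
            verdict = "expected: known tool driver"
        else:
            verdict = "REVIEW: unrecognised hidden module"
        out.append((name, rec.get("Service Name", ""), verdict))
    return out


def ssdt_hooks(sections):
    """(function, driver, verdict) for SSDT entries served by a non-kernel driver."""
    out = []
    for rec in sections.get("SSDT", []):
        driver = basename(rec.get("Driver Name", ""))
        if driver in ("ntoskrnl.exe", "ntkrnlpa.exe"):
            continue                       # kernel-owned entry, not a hook
        verdict = ("expected: AV self-protection" if driver in KNOWN_AV_DRIVERS
                   else "REVIEW: third-party SSDT hook")
        out.append((rec.get("Function Name", ""), driver, verdict))
    return out


def triage(text):
    sections = parse_sections(text)
    return {"hidden_modules": hidden_modules(sections),
            "ssdt_hooks": ssdt_hooks(sections)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for name, svc, verdict in report["hidden_modules"]:
        print(f"hidden module {name:<22} service={svc:<8} {verdict}")
    for fn, drv, verdict in report["ssdt_hooks"]:
        print(f"SSDT hook     {fn:<22} driver={drv:<10} {verdict}")
```

Run it against a real SysProt log by passing the file's text to triage(); only the REVIEW lines need a closer look.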

                                            BigMac100

                                              Topic Starter


                                              Rookie

                                              Re: ThinkPoint?
                                              « Reply #28 on: December 12, 2010, 03:36:22 PM »
                                              ComboFix 10-12-11.06 - Owner 12/12/2010  17:01:30.4.1 - x86
                                              Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.254.110 [GMT -5:00]
                                              Running from: c:\documents and settings\Owner\Desktop\commy.exe
                                              Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
                                              AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
                                              FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}

                                              FILE ::
                                              "C:\agtyjkj.bat"
                                              .

                                              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                                              .

                                              C:\agtyjkj.bat

                                              .
                                              (((((((((((((((((((((((((   Files Created from 2010-11-12 to 2010-12-12  )))))))))))))))))))))))))))))))
                                              .

                                              2010-12-12 01:52 . 2010-12-12 01:52   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
                                              2010-12-11 00:17 . 2010-12-11 00:17   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
                                              2010-12-11 00:17 . 2010-12-11 00:17   --------   d-----w-   c:\documents and settings\NetworkService\Application Data\Apple Computer
                                              2010-12-11 00:01 . 2010-09-07 15:47   17744   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
                                              2010-12-11 00:01 . 2010-09-07 15:52   165584   ----a-w-   c:\windows\system32\drivers\aswSP.sys
                                              2010-12-11 00:01 . 2010-09-07 15:47   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
                                              2010-12-11 00:01 . 2010-09-07 15:52   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
                                              2010-12-11 00:01 . 2010-09-07 15:47   100176   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
                                              2010-12-11 00:01 . 2010-09-07 15:47   94544   ----a-w-   c:\windows\system32\drivers\aswmon.sys
                                              2010-12-11 00:01 . 2010-09-07 15:46   28880   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
                                              2010-12-11 00:00 . 2010-09-07 16:12   38848   ----a-w-   c:\windows\avastSS.scr
                                              2010-12-11 00:00 . 2010-09-07 16:11   167592   ----a-w-   c:\windows\system32\aswBoot.exe
                                              2010-12-10 23:17 . 2010-12-10 23:17   388096   ----a-r-   c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
                                              2010-12-10 23:05 . 2010-12-10 23:05   --------   d-----w-   c:\program files\Common Files\Adobe AIR
                                              2010-12-10 23:04 . 2010-12-10 23:04   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee Security Scan
                                              2010-12-10 23:04 . 2010-12-10 23:04   --------   d-----w-   c:\program files\McAfee Security Scan
                                              2010-12-10 00:34 . 2010-12-10 00:34   --------   d-----w-   c:\program files\Common Files\Java
                                              2010-12-10 00:33 . 2010-09-15 09:50   472808   ----a-w-   c:\windows\system32\deployJava1.dll
                                              2010-12-09 21:25 . 2010-12-09 21:25   --------   d-----w-   C:\_OTL
                                              2010-12-02 23:05 . 2010-12-02 23:05   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
                                              2010-11-30 23:50 . 2010-12-04 00:07   --------   d-----w-   c:\documents and settings\Owner\Application Data\Qerie
                                              2010-11-30 23:50 . 2010-12-02 03:01   --------   d-----w-   c:\documents and settings\Owner\Application Data\Owuvw
                                              2010-11-27 19:19 . 2010-12-04 00:07   --------   d-----w-   c:\documents and settings\Owner\Application Data\Owovy
                                              2010-11-27 19:19 . 2010-12-02 03:01   --------   d-----w-   c:\documents and settings\Owner\Application Data\Edgubo
                                              2010-11-25 22:50 . 2010-11-25 22:50   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
                                              2010-11-25 21:06 . 2010-12-10 23:47   --------   d-----w-   c:\windows\system32\drivers\AVG
                                              2010-11-25 02:56 . 2001-08-17 18:48   12160   -c--a-w-   c:\windows\system32\dllcache\mouhid.sys
                                              2010-11-25 02:56 . 2001-08-17 18:48   12160   ----a-w-   c:\windows\system32\drivers\mouhid.sys
                                              2010-11-25 01:45 . 2010-11-25 01:45   --------   d-----w-   c:\windows\system32\wbem\Repository
                                              2010-11-24 23:59 . 2010-11-24 23:59   --------   d-----w-   c:\program files\Loaris
                                              2010-11-24 21:48 . 2010-11-24 21:48   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
                                              2010-11-24 15:37 . 2010-11-24 15:38   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
                                              2010-11-24 12:17 . 2010-11-24 12:17   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
                                              2010-11-23 23:19 . 2010-11-23 23:19   --------   d-sh--w-   c:\documents and settings\NetworkService\IETldCache

                                              .
                                              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                                              .
                                              2010-11-29 22:42 . 2010-11-08 22:11   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                                              2010-11-29 22:42 . 2010-11-08 22:11   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                                              2010-09-15 07:29 . 2009-10-26 21:50   73728   ----a-w-   c:\windows\system32\javacpl.cpl
                                              .

                                              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                                              .
                                              .
                                              *Note* empty entries & legit default entries are not shown
                                              REGEDIT4

                                              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                              "Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-12-01 4662776]
                                              "LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-23 67128]
                                              "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-06-24 247144]

                                              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                              "IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
                                              "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
                                              "Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
                                              "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-01-20 28160]
                                              "MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-19 110592]
                                              "MimBoot"="c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-01-19 11776]
                                              "EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-02-15 1052672]
                                              "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
                                              "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
                                              "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
                                              "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
                                              "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
                                              "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
                                              "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

                                              [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
                                              "RunNarrator"="Narrator.exe" [2006-10-04 53760]

                                              c:\documents and settings\All Users\Start Menu\Programs\Startup\
                                              Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-3-23 67128]
                                              Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-2-2 532480]
                                              McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
                                              Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

                                              [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                                              "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                                              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                                              2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

                                              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                                              "EnableFirewall"= 0 (0x0)

                                              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                                              "%windir%\\system32\\sessmgr.exe"=
                                              "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
                                              "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
                                              "c:\\Program Files\\FrostWire\\FrostWire.exe"=
                                              "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                                              "c:\\Program Files\\iTunes\\iTunes.exe"=

                                              R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/10/2010 7:01 PM 165584]
                                              R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
                                              R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
                                              R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/10/2010 7:01 PM 17744]
                                              S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [11/8/2010 5:11 PM 38224]
                                              .
                                              Contents of the 'Scheduled Tasks' folder

                                              2010-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job
                                              - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

                                              2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                                              - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-11 00:02]

                                              2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                                              - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-11 00:02]

                                              2010-12-12 c:\windows\Tasks\User_Feed_Synchronization-{15BE7D63-A464-42B5-B135-F874DC36DC73}.job
                                              - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
                                              .
                                              .
                                              ------- Supplementary Scan -------
                                              .
                                              uStart Page = hxxp://www.columbus.rr.com/
                                              uInternet Connection Wizard,ShellNext = iexplore
                                              uInternet Settings,ProxyOverride = *.local
                                              uSearchAssistant = hxxp://www.google.com/ie
                                              uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
                                              IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
                                              IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
                                              IE: Show All Original Images - c:\program files\NetZero\qsacc\appres.dll/228
                                              IE: Show Original Image - c:\program files\NetZero\qsacc\appres.dll/227
                                              IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
                                              IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
                                              IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
                                              Trusted Zone: musicmatch.com\online
                                              Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
                                              DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.leaguelineup.com/_incl/uploader/ImageUploader6.cab
                                              .

                                              **************************************************************************

                                              catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                                              Rootkit scan 2010-12-12 17:17
                                              Windows 5.1.2600 Service Pack 2 NTFS

                                              scanning hidden processes ... 

                                              scanning hidden autostart entries ...

                                              scanning hidden files ... 

                                              scan completed successfully
                                              hidden files: 0

                                              **************************************************************************
                                              .
                                              --------------------- DLLs Loaded Under Running Processes ---------------------

                                              - - - - - - - > 'winlogon.exe'(624)
                                              c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                                              c:\windows\system32\WININET.dll

                                              - - - - - - - > 'explorer.exe'(3184)
                                              c:\windows\system32\WININET.dll
                                              c:\program files\Logitech\SetPoint\lgscroll.dll
                                              c:\windows\system32\ieframe.dll
                                              c:\windows\system32\webcheck.dll
                                              .
                                              ------------------------ Other Running Processes ------------------------
                                              .
                                              c:\program files\Alwil Software\Avast5\AvastSvc.exe
                                              c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                                              c:\program files\Bonjour\mDNSResponder.exe
                                              c:\program files\Java\jre6\bin\jqs.exe
                                              c:\program files\Kodak\printer\center\KodakSvc.exe
                                              c:\progra~1\MUSICM~1\MUSICM~2\MMDiag.exe
                                              c:\program files\TomTom HOME 2\TomTomHOMEService.exe
                                              c:\windows\System32\wdfmgr.exe
                                              c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
                                              c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
                                              c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
                                              c:\windows\system32\wscntfy.exe
                                              c:\program files\iPod\bin\iPodService.exe
                                              .
                                              **************************************************************************
                                              .
                                              Completion time: 2010-12-12  17:31:19 - machine was rebooted
                                              ComboFix-quarantined-files.txt  2010-12-12 22:31
                                              ComboFix2.txt  2010-12-12 02:29
                                              ComboFix3.txt  2007-08-04 00:14

                                              Pre-Run: 54,277,595,136 bytes free
                                              Post-Run: 54,260,031,488 bytes free

                                              - - End Of File - - D6197011BB80546B85EE9F74A0B98483

                                              BigMac100

                                                Topic Starter


                                                Rookie

                                                Re: ThinkPoint?
                                                « Reply #29 on: December 12, 2010, 03:47:07 PM »
                                                SysProt AntiRootkit v1.0.1.0
                                                by swatkat

                                                ******************************************************************************************
                                                ******************************************************************************************

                                                No Hidden Processes found

                                                ******************************************************************************************
                                                ******************************************************************************************
                                                Kernel Modules:
                                                Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
                                                Service Name: ---
                                                Module Base: F04CA000
                                                Module End: F04E2000
                                                Hidden: Yes

                                                Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
                                                Service Name: ---
                                                Module Base: F97A6000
                                                Module End: F97A8000
                                                Hidden: Yes

                                                Module Name: \??\C:\commy\catchme.sys
                                                Service Name: catchme
                                                Module Base: F9542000
                                                Module End: F954A000
                                                Hidden: Yes

                                                Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
                                                Service Name: ---
                                                Module Base: F97FC000
                                                Module End: F97FE000
                                                Hidden: Yes

                                                ******************************************************************************************
                                                ******************************************************************************************
                                                SSDT:
                                                Function Name: ZwClose
                                                Address: F0684CF0
                                                Driver Base: F067C000
                                                Driver End: F06A3000
                                                Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                                                Function Name: ZwCreateKey
                                                Address: F0684BAC
                                                Driver Base: F067C000
                                                Driver End: F06A3000
                                                Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                                                Function Name: ZwDeleteKey
                                                Address: F0685160
                                                Driver Base: F067C000
                                                Driver End: F06A3000
                                                Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                                                Function Name: ZwDeleteValueKey
                                                Address: F068508A
                                                Driver Base: F067C000
                                                Driver End: F06A3000
                                                Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                                                Function Name: ZwDuplicateObject
                                                Address: F0684782
                                                Driver Base: F067C000
                                                Driver End: F06A3000
                                                Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                                                Function Name: ZwOpenKey
                                                Address: F0684C86
                                                Driver Base: F067C000
                                                Driver End: F06A3000
                                                Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                                                Function Name: ZwOpenProcess
                                                Address: F06846C2
                                                Driver Base: F067C000
                                                Driver End: F06A3000
                                                Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                                                Function Name: ZwOpenThread
                                                Address: F0684726
                                                Driver Base: F067C000
                                                Driver End: F06A3000
                                                Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                                                Function Name: ZwQueryValueKey
                                                Address: F0684DA6
                                                Driver Base: F067C000
                                                Driver End: F06A3000
                                                Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                                                Function Name: ZwRenameKey
                                                Address: F068522E
                                                Driver Base: F067C000
                                                Driver End: F06A3000
                                                Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                                                Function Name: ZwRestoreKey
                                                Address: F0684D66
                                                Driver Base: F067C000
                                                Driver End: F06A3000
                                                Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                                                Function Name: ZwSetValueKey
                                                Address: F0684EE6
                                                Driver Base: F067C000
                                                Driver End: F06A3000
                                                Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

                                                ******************************************************************************************
                                                ******************************************************************************************
                                                No Kernel Hooks found

                                                ******************************************************************************************
                                                ******************************************************************************************
                                                Hidden files/folders:
                                                Object: C:\QooBox\BackEnv\AppData.folder.dat
                                                Status: Access denied

                                                Object: C:\QooBox\BackEnv\Cache.folder.dat
                                                Status: Access denied

                                                Object: C:\QooBox\BackEnv\Cookies.folder.dat
                                                Status: Access denied

                                                Object: C:\QooBox\BackEnv\Desktop.folder.dat
                                                Status: Access denied

                                                Object: C:\QooBox\BackEnv\Favorites.folder.dat
                                                Status: Access denied

                                                Object: C:\QooBox\BackEnv\History.folder.dat
                                                Status: Access denied

                                                Object: C:\QooBox\BackEnv\LocalAppData.folder.dat
                                                Status: Access denied

                                                Object: C:\QooBox\BackEnv\LocalSettings.folder.dat
                                                Status: Access denied

                                                Object: C:\QooBox\BackEnv\Music.folder.dat
                                                Status: Access denied

                                                Object: C:\QooBox\BackEnv\NetHood.folder.dat
                                                Status: Access denied

                                                Object: C:\QooBox\BackEnv\Personal.folder.dat
                                                Status: Access denied

                                                Object: C:\QooBox\BackEnv\Pictures.folder.dat
                                                Status: Access denied

                                                Object: C:\QooBox\BackEnv\PrintHood.folder.dat
                                                Status: Access denied

                                                Object: C:\QooBox\BackEnv\Profiles.Folder.dat
                                                Status: Access denied

                                                Object: C:\QooBox\BackEnv\Profiles.Folder.folder.dat
                                                Status: Access denied

                                                Object: C:\QooBox\BackEnv\Programs.folder.dat
                                                Status: Access denied

                                                Object: C:\QooBox\BackEnv\Recent.folder.dat
                                                Status: Access denied

                                                Object: C:\QooBox\BackEnv\SendTo.folder.dat
                                                Status: Access denied

                                                Object: C:\QooBox\BackEnv\SetPath.bat
                                                Status: Access denied

                                                Object: C:\QooBox\BackEnv\StartMenu.folder.dat
                                                Status: Access denied

                                                Object: C:\QooBox\BackEnv\StartUp.folder.dat
                                                Status: Access denied

                                                Object: C:\QooBox\BackEnv\SysPath.dat
                                                Status: Access denied

                                                Object: C:\QooBox\BackEnv\Templates.folder.dat
                                                Status: Access denied

                                                Object: C:\QooBox\BackEnv\VikPev00
                                                Status: Access denied
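
What to make of a log like the one above, as an added illustration that is not part of the thread, of SysProt or of the helpers' procedure: all twelve SSDT entries point into aswSP.SYS, the avast! self-protection driver (avast! Free Antivirus appears in the Security Check log later in this thread); catchme.sys in C:\commy is the rootkit scanner that ships with ComboFix (commy being the name this copy of ComboFix was run under); the dump_* drivers are Windows' crash-dump stack and are absent from the loaded-module list by design; PROCEXP113.SYS belongs to Sysinternals Process Explorer; and every access-denied object sits in C:\QooBox, ComboFix's own folder. The Python below parses the log's "Key: Value" records into sections, groups SSDT hooks by the driver they land in, and rates each artefact against an allowlist. The sample is an abridged excerpt of the log posted above plus one constructed SSDT entry for a fictitious unknown_example.sys (made-up addresses) so that the "review" path is exercised; KNOWN_BENIGN is an assumed allowlist, not something SysProt provides.

```python
"""Triage helper for a SysProt AntiRootkit text log.

Added example written for this thread; it is not part of SysProt, ComboFix
or the helpers' procedure. KNOWN_BENIGN is an assumed allowlist."""
from collections import defaultdict

# Abridged excerpt of the log posted in Reply #29, plus one CONSTRUCTED SSDT
# entry (unknown_example.sys, fictitious addresses) so the report shows how a
# hook by an unrecognised driver is flagged.
SAMPLE_LOG = r"""
SysProt AntiRootkit v1.0.1.0

Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: F04CA000
Module End: F04E2000
Hidden: Yes

Module Name: \??\C:\commy\catchme.sys
Service Name: catchme
Module Base: F9542000
Module End: F954A000
Hidden: Yes

SSDT:
Function Name: ZwClose
Address: F0684CF0
Driver Base: F067C000
Driver End: F06A3000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwQueryDirectoryFile
Address: F9A01234
Driver Base: F9A00000
Driver End: F9A08000
Driver Name: \??\C:\WINDOWS\system32\drivers\unknown_example.sys

No Kernel Hooks found
"""

# Drivers whose SSDT hooks or hidden status are expected on this machine.
# Assumed allowlist: verify a driver's signer before adding it here.
KNOWN_BENIGN = {
    "aswsp.sys": "avast! self-protection driver",
    "catchme.sys": "catchme rootkit scanner bundled with ComboFix",
    "procexp113.sys": "Sysinternals Process Explorer driver",
}

def parse_sysprot(text):
    """Return {section: [record, ...]}; a record is a run of 'Key: Value' lines."""
    sections, current, record = defaultdict(list), None, {}

    def flush():
        nonlocal record
        if record and current:
            sections[current].append(record)
        record = {}

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            flush()
        elif line.endswith(":") and ": " not in line:  # section header such as "SSDT:"
            flush()
            current = line[:-1]
        elif ": " in line and current:
            key, value = line.split(": ", 1)
            record[key] = value.strip()
    flush()
    return sections

def triage(text):
    """Group SSDT hooks by driver and rate each hidden or hooking artefact as info/review."""
    sections = parse_sysprot(text)
    name_of = lambda path: path.rsplit("\\", 1)[-1].lower()
    hooks = defaultdict(list)
    for h in sections.get("SSDT", []):
        hooks[h["Driver Name"]].append(h["Function Name"])
    hidden = [m["Module Name"] for m in sections.get("Kernel Modules", []) if m.get("Hidden") == "Yes"]
    findings = []
    for drv, funcs in hooks.items():
        if name_of(drv) in KNOWN_BENIGN:
            findings.append(("info", drv, f"{len(funcs)} SSDT hook(s): {KNOWN_BENIGN[name_of(drv)]}"))
        else:
            findings.append(("review", drv, "SSDT hook(s) by a driver not on the allowlist: " + ", ".join(funcs)))
    for mod in hidden:
        if name_of(mod).startswith("dump_"):
            findings.append(("info", mod, "crash-dump stack driver; absent from the loaded-module list by design"))
        elif name_of(mod) in KNOWN_BENIGN:
            findings.append(("info", mod, KNOWN_BENIGN[name_of(mod)]))
        else:
            findings.append(("review", mod, "hidden kernel module not on the allowlist"))
    return {"hidden_modules": hidden, "hooks": dict(hooks), "findings": findings}

if __name__ == "__main__":
    for level, what, why in triage(SAMPLE_LOG)["findings"]:
        print(f"[{level:6}] {what}\n         {why}")
```

Run it as a script to print the findings, or call triage() on the full text of a saved SysProt log. The useful signal is the negative space: a hook or hidden module whose driver cannot be attributed to an installed security product, a diagnostic tool or Windows itself is the one worth looking at, starting with the driver file's signature and hash rather than with any removal step.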


                                                BigMac100


                                                  Re: ThinkPoint?
                                                  « Reply #30 on: December 12, 2010, 03:50:52 PM »
Dave, I believe I have done as instructed. Not really sure about "Open the text file and copy/paste the log here" (Sysprot.exe).

I did copy the file and paste for you to see. Please let me know what is next. Seems like things are running a little better. Thanks

                                                  SuperDave

                                                  Re: ThinkPoint?
                                                  « Reply #31 on: December 12, 2010, 06:53:52 PM »
                                                  Ok. Let's try one more scan.

                                                  I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push
                                                  A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

                                                  Windows 8 and Windows 10 dual boot with two SSD's

                                                  BigMac100


                                                    Re: ThinkPoint?
                                                    « Reply #32 on: December 13, 2010, 04:24:48 PM »
                                                    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\17\47b9e491-5cd80ec8   a variant of Java/TrojanDownloader.OpenStream.NAS trojan   deleted - quarantined
                                                    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\58\2606caba-2b0bc1c3   multiple threats   deleted - quarantined
                                                    C:\Documents and Settings\Owner\Shared\monking bird.mp3   WMA/TrojanDownloader.GetCodec.C trojan   cleaned by deleting - quarantined
                                                    C:\Documents and Settings\Owner\Shared\yael naim-ima new soul.mp3   WMA/TrojanDownloader.GetCodec.C trojan   cleaned by deleting - quarantined
                                                    C:\QooBox\Quarantine\MBR_HardDisk0.mbr   Win32/Olmarik.ADA trojan   cleaned by deleting - quarantined
                                                    C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1508\A0135460.DLL   Win32/Toolbar.AskSBar application   cleaned by deleting - quarantined
                                                    C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1531\A0138914.exe   a variant of Win32/Kryptik.INB trojan   cleaned by deleting - quarantined
                                                    C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1531\A0138918.exe   a variant of Win32/Kryptik.INB trojan   cleaned by deleting - quarantined
                                                    C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0155017.exe   Win32/Spy.Zbot.YW trojan   cleaned by deleting - quarantined
                                                    C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0155018.dll   Win32/Cimag.DU trojan   cleaned by deleting - quarantined
                                                    C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0155019.exe   Win32/Cimag.DU trojan   cleaned by deleting - quarantined
                                                    C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0155020.exe   Win32/Adware.FakeAntiSpy.Q application   cleaned by deleting - quarantined
                                                    C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0155021.exe   Win32/Cimag.DU trojan   cleaned by deleting - quarantined
                                                    C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0155022.exe   Win32/Adware.FakeAntiSpy.Q application   cleaned by deleting - quarantined
                                                    C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0155023.exe   Win32/Cimag.DU trojan   cleaned by deleting - quarantined
                                                    C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0155024.exe   Win32/Adware.FakeAntiSpy.Q application   cleaned by deleting - quarantined
                                                    C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0155026.DLL   a variant of Win32/Toolbar.MyWebSearch application   cleaned by deleting - quarantined
                                                    C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0155028.exe   a variant of Win32/Kryptik.INB trojan   cleaned by deleting - quarantined
                                                    C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1538\A0164538.dll   a variant of Win32/Cimag.EV trojan   cleaned by deleting - quarantined
                                                    C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1538\A0166597.exe   a variant of Win32/Kryptik.INB trojan   cleaned by deleting - quarantined
                                                    C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1538\A0166598.exe   a variant of Win32/Kryptik.INB trojan   cleaned by deleting - quarantined
                                                    C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1538\A0166599.exe   a variant of Win32/Olmarik.AJE trojan   cleaned by deleting - quarantined
                                                    C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1538\A0166601.exe   a variant of Win32/Kryptik.INB trojan   cleaned by deleting - quarantined
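
Reading this list, as an added illustration that is not part of the thread or of ESET: 18 of the 23 detections are copies inside C:\System Volume Information\_restore{...}, that is, System Restore snapshots of files already removed from the live system, which matter only if someone rolls back to one of those points (it is why the cleanup step later in this thread ends by setting a new, clean restore point). Two more are cached Java applets under the NetworkService profile, one is the MBR image ComboFix saved to its quarantine folder C:\QooBox\Quarantine (ESET's Olmarik name covers the TDSS/TDL family of MBR rootkits), and only the two .mp3 files in Owner\Shared were live files. The Python below parses the three-space-separated columns, classifies each path by where it lives, collapses ESET's detection names to a family, and lists the live hits. The sample is an abridged excerpt (8 of the 23 lines) of the results above; the location classes and the family naming are my own, not ESET's.

```python
"""Triage of an ESET Online Scanner results list.

Added example written for this thread; it is not from ESET, ComboFix or the
helpers' procedure. Location classes and family naming are my own."""
import re
from collections import Counter

# Abridged excerpt of the results posted in Reply #32 (8 of the 23 lines,
# chosen to cover every location class). Columns are separated by three
# spaces, as in the scanner's output.
ESET_RESULTS = r"""
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\17\47b9e491-5cd80ec8   a variant of Java/TrojanDownloader.OpenStream.NAS trojan   deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\58\2606caba-2b0bc1c3   multiple threats   deleted - quarantined
C:\Documents and Settings\Owner\Shared\monking bird.mp3   WMA/TrojanDownloader.GetCodec.C trojan   cleaned by deleting - quarantined
C:\QooBox\Quarantine\MBR_HardDisk0.mbr   Win32/Olmarik.ADA trojan   cleaned by deleting - quarantined
C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1508\A0135460.DLL   Win32/Toolbar.AskSBar application   cleaned by deleting - quarantined
C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0155017.exe   Win32/Spy.Zbot.YW trojan   cleaned by deleting - quarantined
C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0155020.exe   Win32/Adware.FakeAntiSpy.Q application   cleaned by deleting - quarantined
C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1538\A0166599.exe   a variant of Win32/Olmarik.AJE trojan   cleaned by deleting - quarantined
"""

FIELD_SEP = re.compile(r"\s{3,}")

def classify_location(path):
    """Where a detection lives decides how much it matters for the running system."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore point"        # dormant copy; a risk only if that point is restored
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java cache"           # applets cached by the Java browser plug-in
    if "\\qoobox\\quarantine\\" in p:
        return "combofix quarantine"  # already neutralised and stored by ComboFix
    return "live file"                # file that was reachable from the running system

def threat_family(threat):
    """'a variant of Win32/Kryptik.INB trojan' -> 'Win32/Kryptik'."""
    if threat == "multiple threats":
        return threat
    name = threat[len("a variant of "):] if threat.startswith("a variant of ") else threat
    return name.split(" ", 1)[0].rsplit(".", 1)[0]

def parse_eset(text):
    """One dict per result line: path, threat, action, plus derived location and family."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = FIELD_SEP.split(line)
        if len(parts) != 3:
            raise ValueError(f"unexpected ESET result line: {line!r}")
        path, threat, action = parts
        rows.append({"path": path, "threat": threat, "action": action,
                     "location": classify_location(path), "family": threat_family(threat)})
    return rows

def summarize(rows):
    return {
        "total": len(rows),
        "by_location": dict(Counter(r["location"] for r in rows)),
        "by_family": dict(Counter(r["family"] for r in rows)),
        "needs_attention": [r["path"] for r in rows if r["location"] == "live file"],
    }

if __name__ == "__main__":
    s = summarize(parse_eset(ESET_RESULTS))
    print(s["by_location"])
    print(s["by_family"])
    print("live files that were reachable:", *s["needs_attention"], sep="\n  ")
```

Feed parse_eset() the saved log.txt from the scanner to get the same breakdown for a full run; the needs_attention list is the part to act on, and the restore-point count is the argument for flushing old restore points once the machine is clean.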

                                                    BigMac100


                                                      Re: ThinkPoint?
                                                      « Reply #33 on: December 13, 2010, 04:27:46 PM »
                                                      Dave, ESET OnlineScan results are complete. Please let me know what is next. Thanks

                                                      BigMac100


                                                        Re: ThinkPoint?
                                                        « Reply #34 on: December 13, 2010, 04:33:27 PM »
Dave, I still have AVG on my computer. My Windows Security Alert says it is "turned off"; should it be removed completely?
                                                        You gave a link to remove it but I'm not sure which one to use.
                                                        Should I run:
                                                        AVG remover (32bit) etc....
                                                        AVG remover (64bit) etc....
                                                        or any of the other options.

I continue to have an "AVG Secure Search" bar on my machine. Thanks

                                                        SuperDave

                                                        Re: ThinkPoint?
                                                        « Reply #35 on: December 13, 2010, 04:45:41 PM »
                                                        Quote
                                                        You gave a link to remove it but I'm not sure which one to use.
                                                        Should I run:
                                                        AVG remover (32bit) etc....
                                                        AVG remover (64bit) etc....
                                                        or any of the other options.
                                                        Your computer is 32 bit.
                                                        How's your computer running now?


                                                        BigMac100


                                                          Re: ThinkPoint?
                                                          « Reply #36 on: December 14, 2010, 05:24:21 PM »
Dave, the computer is running much better. Tried to uninstall AVG again and the computer just kinda "sits there" and states that the program is not installed. Did one of the programs you had me run uninstall AVG? The "Windows Security Alert" icon hasn't popped up with AVG on it like normal. I still have a red shield and a yellow shield in the lower right side of my screen. Is this normal, and should I update whenever the yellow shield tells me there are updates?

                                                          Thanks.

                                                          SuperDave

                                                          Re: ThinkPoint?
                                                          « Reply #37 on: December 15, 2010, 01:03:55 PM »
                                                          Please try running this again.

                                                          Download Security Check by screen317 from one of the following links and save it to your desktop.

                                                          Link 1
                                                          Link 2

                                                          * Unzip SecurityCheck.zip and a folder named Security Check should appear.
                                                          * Open the Security Check folder and double-click Security Check.bat
                                                          * Follow the on-screen instructions inside of the black box.
                                                          * A Notepad document should open automatically called checkup.txt
                                                          * Post the contents of that document in your next reply.

                                                          Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

                                                          BigMac100


                                                            Re: ThinkPoint?
                                                            « Reply #38 on: December 20, 2010, 02:21:56 PM »
Dave, sorry it's been a few days, but these are the last instructions you gave me to do. Thanks. Please let me know what is next.

                                                            Results of screen317's Security Check version 0.99.8 
                                                             Windows XP Service Pack 2 
                                                             Out of date service pack!!
                                                             Internet Explorer 8 
                                                            ``````````````````````````````
                                                            Antivirus/Firewall Check:

                                                             Windows Firewall Disabled! 
                                                             avast! Free Antivirus   
                                                             ESET Online Scanner v3   
                                                             McAfee Security Scan Plus   
                                                            ```````````````````````````````
                                                            Anti-malware/Other Utilities Check:

                                                             Malwarebytes' Anti-Malware   
                                                             CCleaner     
                                                             Java(TM) 6 Update 22 
                                                             Out of date Java installed!
                                                             Adobe Flash Player   
                                                            Adobe Reader X
                                                            ````````````````````````````````
                                                            Process Check: 
                                                            objlist.exe by Laurent

                                                             Alwil Software Avast5 AvastSvc.exe 
                                                             Alwil Software Avast5 avastUI.exe 
                                                            ``````````End of Log````````````

                                                            SuperDave

                                                            Re: ThinkPoint?
                                                            « Reply #39 on: December 20, 2010, 04:27:41 PM »
                                                            Quote
                                                            Did one of the programs you had me run uninstall AVG?
                                                            Yes. Here it is again.

                                                            AVG Antivirus - AVG Antivirus Remover utility

                                                            Please let me know if it removes AVG.


                                                            BigMac100


                                                              Re: ThinkPoint?
                                                              « Reply #40 on: December 20, 2010, 05:00:36 PM »
Dave, from what I can see, it looks like AVG is uninstalled. The program you had me run (the black screen with white lettering) shows things like "AVGAdmin Server is not installed", "AVG ID sf i l terw7x is not installed" among other jargon, or "param empty". Does this lead you to believe it is uninstalled?

                                                              Machine is working much better.


                                                              SuperDave

                                                              Re: ThinkPoint?
                                                              « Reply #41 on: December 21, 2010, 01:13:21 PM »
                                                              Let's do some cleanup.

                                                              * Click START then RUN - Vista users press the Windows Key and the R keys together for the Run box.
* Now type commy /uninstall in the Run box
* Make sure there's a space between commy and /uninstall
                                                              * Then hit Enter

                                                              * The above procedure will:
                                                              * Delete the following:
                                                              * ComboFix and its associated files and folders.
                                                              * Reset the clock settings.
                                                              * Hide file extensions, if required.
                                                              * Hide System/Hidden files, if required.
                                                              * Set a new, clean Restore Point.
                                                              If you have problems doing the above, please try this:

                                                              Delete the Combo-Fix.exe file, C:\Combo-Fix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combo-fix.txt and C:\Combo-Fix-quarantined-files.txt
                                                              Please let me know which method works for you.

                                                              Clean out your temporary internet files and temp files.

                                                              Download TFC by OldTimer to your desktop.

                                                              Double-click TFC.exe to run it.

                                                              Note: If you are running on Vista, right-click on the file and choose Run As Administrator

                                                              TFC will close all programs when run, so make sure you have saved all your work before you begin.

                                                              * Click the Start button to begin the cleaning process.
                                                              * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
                                                              * Please let TFC run uninterrupted until it is finished.

                                                              Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
                                                              *******************************************
                                                              Use the Secunia Software Inspector to check for out of date software.

                                                              •Click Start Now

                                                              •Check the box next to Enable thorough system inspection.

                                                              •Click Start

                                                              •Allow the scan to finish and scroll down to see if any updates are needed.
                                                              •Update anything listed.
                                                              ----------

                                                              Go to Microsoft Windows Update and get all critical updates.

                                                              ----------

                                                              I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                                                              SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                                                              * Using SpywareBlaster to protect your computer from Spyware and Malware
                                                              * If you don't know what ActiveX controls are, see here

                                                              Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                                                              Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                                                              Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
                                                              Safe Surfing!
                                                              Windows 8 and Windows 10 dual boot with two SSD's
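The fallback in the post above is a manual deletion of a fixed list of ComboFix leftovers. The following script is an added example for checking that list from an elevated PowerShell prompt; it is not part of the thread and is not ComboFix's own uninstaller. It assumes Combo-Fix.exe was saved to the current user's Desktop (the thread does not say where), and it reports what it finds before removing anything, with a -WhatIf switch for a dry run.

```powershell
# Added example (not from the thread or from ComboFix's author): confirm that the
# leftover files and folders named in the manual-cleanup step are gone, and remove
# any that remain. Run from an elevated PowerShell prompt; -WhatIf only reports.
param(
    [switch]$WhatIf   # preview only, remove nothing
)

# Paths taken from the post. Combo-Fix.exe is assumed to sit on the Desktop of the
# current user (assumption; adjust if it was saved elsewhere).
$leftovers = @(
    (Join-Path ([Environment]::GetFolderPath('Desktop')) 'Combo-Fix.exe'),
    'C:\Combo-Fix',
    'C:\QooBox',
    'C:\WINDOWS\nircmd.exe',
    'C:\combo-fix.txt',
    'C:\Combo-Fix-quarantined-files.txt'
)

foreach ($path in $leftovers) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Host ("absent      : {0}" -f $path)
        continue
    }
    # -Force so hidden/system attributes (QooBox is a hidden folder) do not hide it
    $item = Get-Item -LiteralPath $path -Force
    $kind = if ($item.PSIsContainer) { 'folder' } else { 'file' }
    if ($WhatIf) {
        Write-Host ("would remove {0}: {1}" -f $kind, $path)
        continue
    }
    try {
        Remove-Item -LiteralPath $path -Recurse -Force -ErrorAction Stop
        Write-Host ("removed {0}: {1}" -f $kind, $path)
    } catch {
        # Typical causes: the file is still in use, or the prompt is not elevated.
        Write-Warning ("could not remove {0}: {1}" -f $path, $_.Exception.Message)
    }
}
```

Run it once with `-WhatIf` to see which of the six items are still present, then again without it. Note that the manual deletion does not do the other things `/uninstall` does (reset the clock, restore the hidden-file and file-extension settings, take a new restore point), so those still need to be checked by hand.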

                                                              BigMac100


                                                                Re: ThinkPoint?
                                                                « Reply #42 on: January 02, 2011, 04:36:28 PM »
                                                                Dave,

                                                                The "Start then Run" option did not work for me. I had to delete the "Combo-Fix.exe" file, etc.

                                                                All other instructions are complete and machine seems to be running fine. I have to let it sit when I power it up for several minutes. Is it because Avast is updating? If I try to access the web, it just sits and tries to connect then after a while it will connect.

                                                                What programs can I uninstall, and what programs do you "recommend" I continue to run, and how frequently?

                                                                Thanks

                                                                SuperDave

                                                                Re: ThinkPoint?
                                                                « Reply #43 on: January 02, 2011, 07:07:18 PM »
                                                                Ok. Do this:
                                                                To turn off Windows XP System Restore:

                                                                NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

                                                                1. Click Start.
                                                                2. Right-click the My Computer icon, and then click Properties.
                                                                3. Click the System Restore tab.
                                                                4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
                                                                5. Click Apply.
                                                                6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
                                                                7. Click OK.
                                                                8. Restart the computer and follow the instructions in the next section to turn on System Restore.

                                                                To turn on Windows XP System Restore:

                                                                1. Click Start.
                                                                2. Right-click My Computer, and then click Properties.
                                                                3. Click the System Restore tab.
                                                                4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
                                                                5. Click Apply, and then click OK.
                                                                This will give you a new, clean Restore Point.
                                                                ********************************************
                                                                Quote
                                                                Is it because Avast is updating? If I try to access the web, it just sits and tries to connect then after a while it will connect.
                                                                Yes, my computer does the same thing. I usually try to let it warm up for about 10 mins. so that it can get all the updates. That's the price we have to pay for added security.

                                                                The only ones you should keep are SAS and MBAM. Update them and run them on a regular basis. Anything else can be deleted or uninstalled.
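The off-then-on sequence above exists to discard every old restore point (any of which could still hold the infected files) and leave one clean one. As an added example, not from the thread, the same thing can be done from an elevated PowerShell prompt through the SystemRestore WMI class in the root\default namespace, which is what the System Restore tab drives on XP. The method names (Disable, Enable, CreateRestorePoint) and their argument order are as documented for that provider; the restore-point type and event-type constants used are assumptions from the same documentation.

```powershell
# Added example (not from the thread): flush all restore points on a drive and
# create a single clean one, using the SystemRestore WMI class (root\default).
# Requires an elevated prompt; on XP this is the same provider the GUI uses.
$drive = 'C:\'

function Get-RestorePoints {
    # One instance per restore point; CreationTime is a WMI datetime string.
    Get-WmiObject -Namespace 'root\default' -Class SystemRestore -ErrorAction Stop |
        Sort-Object SequenceNumber |
        ForEach-Object {
            New-Object PSObject -Property @{
                Sequence    = $_.SequenceNumber
                Created     = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
                Description = $_.Description
            }
        }
}

$sr = [wmiclass]'\\.\root\default:SystemRestore'

Write-Host "Restore points before:"
Get-RestorePoints | Format-Table Sequence, Created, Description -AutoSize | Out-String | Write-Host

# Disable() discards every restore point on the drive; Enable() with
# WaitTillEnabled = $true blocks until the service can take a new checkpoint.
$rc = $sr.Disable($drive).ReturnValue
if ($rc -ne 0) { throw "Disable failed with return code $rc" }
$rc = $sr.Enable($drive, $true).ReturnValue
if ($rc -ne 0) { throw "Enable failed with return code $rc" }

# 12 = MODIFY_SETTINGS, 100 = BEGIN_SYSTEM_CHANGE (constants from the provider
# documentation; assumption, verify against your Windows version).
$rc = $sr.CreateRestorePoint('Clean restore point after malware removal', 12, 100).ReturnValue
if ($rc -ne 0) { throw "CreateRestorePoint failed with return code $rc" }

Write-Host "Restore points after:"
Get-RestorePoints | Format-Table Sequence, Created, Description -AutoSize | Out-String | Write-Host
```

The "before" listing is worth keeping in the cleanup notes: it shows the dates of the restore points that were discarded, which is useful when reconstructing when the infection started.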

                                                                BigMac100


                                                                  Re: ThinkPoint?
                                                                  « Reply #44 on: January 03, 2011, 04:40:47 PM »
                                                                  Dave,

                                                                  The above instructions are complete.

                                                                  Just to be sure, you recommend I keep SUPERAntiSpyware and Malwarebytes Anti-Malware and run them frequently? Is this correct?

                                                                  Do I also keep Avast?

                                                                  And one last thing. When I power up my computer, I get a popup window in the lower right hand side from a red shield with a little white "x" that states

                                                                  "Your computer might be at risk
                                                                    AVG Firewall is turned off
                                                                    Click this balloon to fix this problem"

                                                                  Is this something I want to do? I thought we got rid of AVG.

                                                                  Thanks

                                                                  SuperDave

                                                                  Re: ThinkPoint?
                                                                  « Reply #45 on: January 04, 2011, 04:35:22 PM »
                                                                  Quote
                                                                  Just to be sure, you recommend I keep SUPERAntiSpyware and Malwarebytes Anti-Malware and run them frequently? Is this correct?
                                                                  Do I also keep Avast?

                                                                  Yes. Run them about once a week. You will see that SAS will pick up some tracking cookies, some good, some bad and MBAM will usually come up clean.
                                                                  You need to keep Avast because that is your Anti-Virus program. The others are to keep malware, spyware etc out.

                                                                  Quote
                                                                  "Your computer might be at risk
                                                                    AVG Firewall is turned off
                                                                    Click this balloon to fix this problem"

                                                                  Is this something I want to do? I thought we got rid of AVG.
                                                                  If you ran the AVG Removal Tool, it should be gone. You can try running it again. You should turn on your Windows firewall or download and install one of the free ones below.
                                                                  If it still gives you that error after you run the tool again, please do this:


                                                                  •Start HijackThis
                                                                  •Click on the Misc Tools button
                                                                  •Click on the Open Uninstall Manager button.
                                                                  •Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Save the file to your desktop.
                                                                  Copy and paste this file in your next reply.
                                                                  ***********************************************

                                                                  Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

                                                                  Remember only install ONE firewall

                                                                  1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
                                                                  2) Online Armor
                                                                  3) Agnitum Outpost
                                                                  4) PC Tools Firewall Plus

                                                                  If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
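The red-shield balloon in the previous post comes from Windows Security Center, which warns about any firewall product that is registered with it but not enabled, including one whose program files are already gone. The script below is an added example, not from the thread and not from any of the vendors named above, that reports two things from an elevated PowerShell prompt: what the built-in Windows firewall is doing (including whether it filters outbound traffic, the limitation the post calls out for XP) and which firewall products Security Center still has registered. The netsh output parsing assumes the English text format; the Security Center class and property names (FirewallProduct, enabled, productState) are as documented for root\SecurityCenter on XP and root\SecurityCenter2 on Vista and later, and the productState bit test is an assumption from that documentation. The script only reports; clearing a stale entry is the job of the vendor's removal tool.

```powershell
# Added example (not from the thread): report built-in firewall state and the
# firewall products Security Center has registered, to explain a "Firewall is
# turned off" balloon after a product was uninstalled. Report only, changes nothing.
$os = [Environment]::OSVersion.Version

function Get-BuiltinFirewallState {
    if ($os.Major -lt 6) {
        # Windows XP/2003: the old "netsh firewall" context. XP's firewall only
        # filters inbound traffic, so BlocksOutbound is always false here.
        $text = netsh firewall show opmode | Out-String
        return New-Object PSObject -Property @{
            Profile        = 'XP'
            Enabled        = ($text -match 'Operational mode\s*=\s*Enable')
            BlocksOutbound = $false
        }
    }
    # Vista and later: "netsh advfirewall" prints one block per profile with lines
    # such as "State  ON" and "Firewall Policy  BlockInbound,AllowOutbound".
    $text   = netsh advfirewall show allprofiles | Out-String
    $blocks = $text -split '(?m)^(?=\S+ Profile Settings:)' | Where-Object { $_ -match 'Profile Settings:' }
    foreach ($b in $blocks) {
        $name = ([regex]::Match($b, '^(\S+) Profile Settings:', 'Multiline')).Groups[1].Value
        New-Object PSObject -Property @{
            Profile        = $name
            Enabled        = ($b -match '(?m)^State\s+ON')
            BlocksOutbound = ($b -match 'BlockOutbound')
        }
    }
}

function Get-RegisteredFirewalls {
    # XP SP2/SP3: root\SecurityCenter, boolean 'enabled'.
    # Vista+: root\SecurityCenter2, encoded 'productState' (bit 0x1000 = enabled;
    # assumption based on the documented encoding).
    $ns = if ($os.Major -lt 6) { 'root\SecurityCenter' } else { 'root\SecurityCenter2' }
    try {
        Get-WmiObject -Namespace $ns -Class FirewallProduct -ErrorAction Stop | ForEach-Object {
            $on = if ($os.Major -lt 6) { [bool]$_.enabled } else { (($_.productState -band 0x1000) -ne 0) }
            New-Object PSObject -Property @{ Name = $_.displayName; Enabled = $on; Namespace = $ns }
        }
    } catch {
        Write-Warning ("Security Center query failed: {0}" -f $_.Exception.Message)
    }
}

Write-Host "Built-in Windows firewall:"
Get-BuiltinFirewallState | Format-Table Profile, Enabled, BlocksOutbound -AutoSize | Out-String | Write-Host

Write-Host "Firewall products registered with Security Center:"
$fw = @(Get-RegisteredFirewalls)
if ($fw.Count -eq 0) {
    Write-Host "  (none registered; Security Center is judging the built-in firewall only)"
} else {
    $fw | Format-Table Name, Enabled, Namespace -AutoSize | Out-String | Write-Host
}

# A registered product that is not enabled is exactly what produces the balloon.
# If its software is already uninstalled, the entry is stale and the vendor's
# removal tool (the AVG Removal Tool in this thread) is the way to clear it.
foreach ($s in ($fw | Where-Object { -not $_.Enabled })) {
    Write-Warning ("'{0}' is registered but not enabled; this is what Security Center is warning about." -f $s.Name)
}
```

On the machine in this thread the expected picture is an XP entry with Enabled = False, BlocksOutbound = False, and an AVG firewall entry that is registered but not enabled; after the removal tool runs cleanly and the Windows firewall or one of the listed third-party firewalls is turned on, the warning line disappears.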