Topic: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade

lectrocrew (Topic Starter)
  Mentor, "ole dog learning new tricks", Thanked: 21, Experience: Familiar, OS: Windows 10
I have run NoAdware spyware software for about 5 years along with AVG Internet Security full version for 2 years, and previously with Norton Internet Security. NoAdware has been very effective at finding spyware that AVG and Norton paid no attention to.
 New situation = I just upgraded my AVG v7.5 to v8.0 and had some problems with slow surf speed and getting the firewall configured to work with my wireless router but after a re-install and a few hours of headaches the AVG 8.0 is working fine.
 My current problem is that after the AVG 8.0 upgrade, NoAdware v5.0 finds a directory file named "AntiVirusGold" in 'C/Program Files/AVG' and gives an option to remove this file from my computer. The NoAdware item description =
"Purports to be anti-spyware software, but has been known to be installed through extremely devious methods.".
 So what do I do; Allow NoAdware to remove the file, which will likely affect operation of AVG Internet Security, or add this "AntiVirusGold" file to the NoAdware ignore list? Or what other options do I have?

evilfantasy (Malware Removal Specialist, Moderator)
  Genius, "Calm like a bomb", Thanked: 489, Experience: Familiar, OS: Windows 10
AntiVirusGold is a rogue program and isn't part of AVG.

lectrocrew (Topic Starter)
  Thanks  evilfantasy !!!
So I removed AntiVirusGold from the NoAdware 'ignore list', scanned again, and allowed this file to be removed.
 I guess NoAdware continues to be worth the $37 per year.  It found this file during a scan of 192,168 files on 2 hard drives in less than 4 minutes. The $52.95 per year AVG took over 2 hours to scan 288,277 files on those same drives and did not find the AntiVirusGold file.  What am I missing here?

evilfantasy (Malware Removal Specialist, Moderator)
I'm not very familiar with Noadware but it sounds like it is doing a good job.

It wouldn't hurt to post a Hijackthis log so we can see if there isn't anything else hiding.

Download and rename HijackThis (HJT)
  • Double-click on HJTInstall.
  • Click on the Install button.
  • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
  • Upon install, HijackThis should open for you.
    • Close HijackThis and rename it.
    • Go to C:\Program Files\Trend Micro\HijackThis.exe
    • Right click on HijackThis.exe and select Rename.
    • Type in sniper.exe and press Enter.
    • Right-click on sniper.exe and select Send To > Desktop (create shortcut)
  • From the desktop open Hijackthis.
  • If using Windows Vista, Right-click and Run As Administrator.
  • Click on the Do a system scan and save a log file button
  • Hijackthis will scan and then a log will open in notepad.
  • Copy and then paste the entire contents of the log in your post.
    • Do not have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Although we have renamed Hijackthis to sniper, we will still refer to it as Hijackthis or HJT.


lectrocrew (Topic Starter)
Done. Sorry it took so long, I had to get the grass cut before it rains.
 I clicked on the remove file from my computer button in NoAdware, but the 'AntiVirusGold' file showed up again after I restarted my computer and scanned again. I turned off system restore for all 3 drives {2 partitions on internal HD and 1 USB external drive}, clicked on remove file again in NoAdware then restarted again. The AntiVirusGold is still there after another scan with NoAdware.
This board will not let me post the HJT log file here. It says it exceeds the maximum character limit of 20000 characters. How should I post the log file results?

evilfantasy (Malware Removal Specialist, Moderator)
Save the Hijackthis log to your desktop then go here > http://savefile.com/

There is no need to sign up, just upload the file and then post the link to it back here.

lectrocrew (Topic Starter)
It won't let me upload my file due to 'invalid security code'. I typed the code correctly?

evilfantasy (Malware Removal Specialist, Moderator)
OK, take the log and copy and paste it into two different threads.

lectrocrew (Topic Starter)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:36 PM, on 4/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NoAdware5.0\NoAdware5.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\sniper.exe\sniper.exe.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

lectrocrew (Topic Starter)
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [lxdcmon.exe] "C:\Program Files\Lexmark 1300 Series\lxdcmon.exe"
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe --ports
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NoAdware5] "C:\Program Files\NoAdware5.0\NoAdware5.exe" :Min:
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://sports.espn.go.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205953650720
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://linksyssupport.webex.com/client/T26L/support/ieatgpc.cab
O18 - Protocol: bw+0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: offline-8876480 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: lxdcCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdcserv.exe
O23 - Service: lxdc_device -   - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - F:\vulcan_1024x768.jpg
O24 - Desktop Component 1: (no name) - F:\Nalu_1920x1440.jpg
O24 - Desktop Component 2: (no name) - F:\Adrianne_1400x1050.jpg
O24 - Desktop Component 3: (no name) - C:\Documents and Settings\Owner\My Documents\My Pictures\black_cat.jpg
O24 - Desktop Component 4: (no name) - C:\Documents and Settings\Owner\My Documents\My Pictures\cat13b.jpg
O24 - Desktop Component 5: (no name) - C:\Documents and Settings\Owner\My Documents\My Pictures\wanimal3t.gif

--
End of file - 22730 bytes
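
The log above is what a helper actually has to read, so here is a small triage script, added as an example and not code from this thread, from HijackThis or from Trend Micro. It parses the R/O line format, collapses the O18 handler entries onto the DLL that serves them (the Logitech block above is dozens of schemes behind one DLL), and flags the entry types a log reviewer checks first: browser home/search values that are not URLs, Run-key commands given as a bare file name (resolved through the PATH search order) or registered under the SYSTEM hive, Trusted Zone additions, O16 DPF entries with no download URL, AppInit_DLLs, and services with no publisher. The sample lines are copied from the log in this thread; the tag names and the heuristics are assumptions of this example, not HijackThis output.

```python
"""Triage helper for HijackThis-style logs (added example; not from the thread)."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log posted in this thread,
# plus the header line to show that non-R/O lines are skipped.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O15 - Trusted Zone: http://sports.espn.go.com
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://linksyssupport.webex.com/client/T26L/support/ieatgpc.cab
O18 - Protocol: bw+0 - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {C8CA643D-457A-40C4-B904-1EFD32A9B0D7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: lxdc_device -   - C:\WINDOWS\system32\lxdccoms.exe
"""

O_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
AUTORUN = re.compile(r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)")
BROWSER_KEYS = ("Start Page", "Local Page", "Search Page", "Default_Page_URL", "Default_Search_URL")


def parse_hjt(text):
    """Return [(section, body), ...] for every R/O line; anything else is ignored."""
    entries = []
    for line in text.splitlines():
        m = O_LINE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def group_protocol_handlers(entries):
    """Collapse O18 lines onto the DLL that serves them: {dll_path: [scheme, ...]}."""
    by_dll = defaultdict(list)
    for section, body in entries:
        if section == "O18":
            scheme, _clsid, dll = body.split(" - ", 2)
            by_dll[dll].append(scheme[len("Protocol: "):])
    return {dll: sorted(schemes) for dll, schemes in by_dll.items()}


def _exe_of(cmd):
    """Executable part of a Run-key command (quoted path, else the first token)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    return tokens[0] if tokens else ""


def triage(entries):
    """Return [(tag, detail), ...] for the entry types worth a second look (tags are this example's own)."""
    findings = []
    for section, body in entries:
        if section in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            if key.rsplit(",", 1)[-1] in BROWSER_KEYS and not value.lower().startswith(("http://", "https://")):
                findings.append(("browser_setting_non_url", body))
        elif section == "O4":
            m = AUTORUN.search(body)
            exe = _exe_of(m.group("cmd")) if m else ""
            if exe and "\\" not in exe:  # bare name: Windows resolves it via the PATH search order
                findings.append(("autorun_bare_exe", f"{m.group('name')}: {exe}"))
            if body.startswith("HKUS\\S-1-5-18"):  # Run value in the SYSTEM account's hive
                findings.append(("autorun_system_hive", body))
        elif section == "O15":
            findings.append(("trusted_zone", body[len("Trusted Zone: "):]))
        elif section == "O16":
            url = body.rsplit(" - ", 1)[1].strip() if " - " in body else ""
            if not url:  # ActiveX download entry with no source URL left to verify
                findings.append(("dpf_missing_url", body))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            for dll in body[len("AppInit_DLLs:"):].split(","):  # loaded into every user32 process
                if dll.strip():
                    findings.append(("appinit_dll", dll.strip()))
        elif section == "O23":
            parts = body.rsplit(" - ", 2)  # "Service: name - owner - path"
            if len(parts) == 3 and parts[1].strip() in ("", "Unknown owner"):
                findings.append(("service_no_publisher", body))
    return findings


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    for dll, schemes in group_protocol_handlers(ents).items():
        print(f"O18 {len(schemes):3d} scheme(s) -> {dll}")
    for tag, detail in triage(ents):
        print(f"{tag:24s} {detail}")
```

Run it as a script for the grouped listing; in practice, pass the saved log file's contents to `parse_hjt` instead of the embedded sample. The heuristics only surface entries for a human to look at; as the earlier post says, most of what HijackThis lists is harmless or required, so a flagged line is a question, not a verdict.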

evilfantasy (Malware Removal Specialist, Moderator)
Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O18 - Protocol: bwz0s <<Place a check next to ALL 77 of these with Logitech in the name


Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop from either of these two links. (It is free; the paid version has real-time protection.)
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please copy and paste the log into your next reply.
  Note: If you accidentally close the log it can be retrieved at any time from the Malwarebytes' Anti-Malware main screen.
  • Launch Malwarebytes' Anti-Malware.
  • Click the Logs tab.
  • Double-click log-mm.dd.yyyy [xxxxxx].txt

----------

Next post please add
MBAM log

lectrocrew (Topic Starter)
Malwarebytes' Anti-Malware 1.11
Database version: 658

Scan type: Full Scan (C:\|F:\|L:\|)
Objects scanned: 134225
Time elapsed: 48 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
===============
Sorry it took so long. The scan took almost an hour and dinner with the family was ready just before the scan finished.
As you can see, MBAM found nothing.
Then I scanned with NoAdware again and found the AntiVirusGold is still there along with 16 not-critical cookies.
What now?

lectrocrew (Topic Starter)
    This AntiVirusGold is in the AVG 8.0 drivers, {C:\Program Files\AVG\AVG8\Drivers}.
    Here is my NoAdware log:

    Noadware 5.0

    ---------------------



    Removing Spyware Tracking Cookie...

    Removing Registry Tracking Cookie...

    Removing RegValues Tracking Cookie...

    Fixing RegValue dataTracking Cookie...

    Removing Cookies Tracking Cookie...



    [Deleted Cookie]

    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt



    [Deleted Cookie]

    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt



    [Deleted Cookie]

    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt



    [Deleted Cookie]

    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt



    [Deleted Cookie]

    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt



    [Deleted Cookie]

    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt



    [Deleted Cookie]

    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt



    [Deleted Cookie]

    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt



    [Deleted Cookie]

    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt



    [Deleted Cookie]

    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

    Removing Files Tracking Cookie...

    Removing Folders Tracking Cookie...

    Removing Spyware AntiVirusGold...

    Removing Registry AntiVirusGold...

    Removing RegValues AntiVirusGold...

    Fixing RegValue dataAntiVirusGold...

    Removing Cookies AntiVirusGold...

    Removing Files AntiVirusGold...

    Removing Folders AntiVirusGold...



    [Removing Directory...]

    C:\Program Files\AVG



    Could not delete (C:\Program Files\AVG\AVG8\Drivers) error code = 145

    Could not delete (C:\Program Files\AVG) error code = 145

    [Directory Removal Failed (Not Empty or already removed)]

    C:\Program Files\AVG
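The NoAdware log above is the whole story of this thread in miniature: a named detection ("AntiVirusGold") whose removal step targets the install directory of a legitimate product, and a pair of Win32 error codes printed as bare integers. The script below is an added example (not NoAdware's code and not from the thread) that parses a constructed excerpt of that log format, decodes the error codes from winerror.h, and flags any removal that lands inside an allowlisted product directory as a suspected signature collision. The allowlist and the sample log text are constructed for the example.

```python
"""Triage a NoAdware 5.0 removal log.

Added example, not NoAdware's own code. Parses the free-text log format shown in
the thread, decodes the Win32 error codes it reports, and flags any named
detection whose removal targets the install directory of a known security
product as a suspected false positive.
"""
import re

# Win32 system error codes (winerror.h) that the log prints as bare integers.
WIN32_ERRORS = {
    2: "ERROR_FILE_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    32: "ERROR_SHARING_VIOLATION",
    145: "ERROR_DIR_NOT_EMPTY",
}

# Constructed allowlist: install directories of products the operator knows are legitimate.
TRUSTED_DIRS = (r"c:\program files\avg",)

RE_SECTION = re.compile(r"^Removing Spyware (?P<name>.+?)\.\.\.$")
RE_DELFAIL = re.compile(r"^Could not delete \((?P<path>[^)]+)\) error code = (?P<code>\d+)$")
RE_RMDIR = re.compile(r"^\[Removing Directory\.\.\.\]$")
RE_COOKIE = re.compile(r"^\[Deleted Cookie\]$")

# Constructed, abridged log in the same layout as the one posted in the thread.
SAMPLE_LOG = r"""
Noadware 5.0
---------------------
Removing Spyware Tracking Cookie...
Removing Cookies Tracking Cookie...
[Deleted Cookie]
C:\Documents and Settings\Owner\Cookies\owner@example[1].txt
[Deleted Cookie]
C:\Documents and Settings\Owner\Cookies\owner@ads.example[2].txt
Removing Spyware AntiVirusGold...
Removing Folders AntiVirusGold...
[Removing Directory...]
C:\Program Files\AVG
Could not delete (C:\Program Files\AVG\AVG8\Drivers) error code = 145
Could not delete (C:\Program Files\AVG) error code = 145
[Directory Removal Failed (Not Empty or already removed)]
C:\Program Files\AVG
"""


def is_trusted(path):
    """True when path is, or lies beneath, an allowlisted product directory."""
    p = path.lower().rstrip("\\")
    return any(p == t or p.startswith(t + "\\") for t in TRUSTED_DIRS)


def triage(log_text):
    """Return {'cookies_deleted': int, 'failures': [...], 'false_positives': [...]}.

    failures entries are (detection, path, error_name); false_positives entries
    are (detection, target_dir) for removals aimed at a trusted directory.
    """
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    report = {"cookies_deleted": 0, "failures": [], "false_positives": []}
    detection = None  # name of the detection whose removal steps we are inside
    for i, line in enumerate(lines):
        m = RE_SECTION.match(line)
        if m:
            detection = m.group("name")
            continue
        if RE_COOKIE.match(line):
            report["cookies_deleted"] += 1
            continue
        if RE_RMDIR.match(line) and i + 1 < len(lines):
            target = lines[i + 1]  # the directory path follows on the next line
            if is_trusted(target):
                report["false_positives"].append((detection, target))
            continue
        m = RE_DELFAIL.match(line)
        if m:
            code = int(m.group("code"))
            name = WIN32_ERRORS.get(code, "UNKNOWN_%d" % code)
            report["failures"].append((detection, m.group("path"), name))
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("cookies deleted:", r["cookies_deleted"])
    for det, path, err in r["failures"]:
        print("failed removal [%s]: %s (%s)" % (det, path, err))
    for det, target in r["false_positives"]:
        print("REVIEW: detection %r wants to remove trusted directory %s" % (det, target))
```

Error 145 (ERROR_DIR_NOT_EMPTY) is what saved the AVG installation here: the scanner's own removal logic refused to remove a non-empty tree. The allowlist check is the part a practitioner would actually keep, since a scanner that names a product directory as "spyware" should prompt a human review before any deletion.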


    evilfantasy

    • Malware Removal Specialist
    • Moderator
    Where did you download AVG from?

    This scan will only take a few minutes.

    Download SmitfraudFix (by S!Ri) to your Desktop.
    • Extract all the files to your Desktop.
    • A folder named SmitfraudFix will be created on your Desktop.
    • Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    • Select option #1 - Search by typing 1 and press Enter
      • This program will scan large amounts of files on your computer for known patterns so please be patient while it works.
      • When it is done, the results of the scan will be displayed and it will create a log named rapport.txt
        • This is in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.
      • Please attach that log in your next reply.
    • Note: process.exe ( which is used by SmitFraudFix ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/processutil/processutil.htm

    lectrocrew

      Topic Starter


      Mentor

    • ole dog learning new tricks
    • Thanked: 21
      • Yes
      • Yes
      • My first self-built computer
    • Certifications: List
    • Computer: Specs
    • Experience: Familiar
    • OS: Windows 10
    SmitFraudFix v2.315

    Scan done at  9:10:45.10, Sun 04/20/2008
    Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgfws8.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\lxdccoms.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
    C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\AVG\AVG8\avgam.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Logitech\SetPoint\LBTWiz.exe
    C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\NoAdware5.0\NoAdware5.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    hosts


    C:\


    C:\WINDOWS


    C:\WINDOWS\system


    C:\WINDOWS\Web


    C:\WINDOWS\system32


    C:\WINDOWS\system32\LogFiles


    C:\Documents and Settings\Owner


    C:\Documents and Settings\Owner\Application Data


    Start Menu


    C:\DOCUME~1\Owner\FAVORI~1


    Desktop


    C:\Program Files


    Corrupted keys


    Desktop Components
     
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="F:\\vulcan_1024x768.jpg"
    "SubscribedURL"="F:\\vulcan_1024x768.jpg"
    "FriendlyName"=""
     
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source"="F:\\Nalu_1920x1440.jpg"
    "SubscribedURL"="F:\\Nalu_1920x1440.jpg"
    "FriendlyName"=""
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
    "Source"="F:\\Adrianne_1400x1050.jpg"
    "SubscribedURL"="F:\\Adrianne_1400x1050.jpg"
    "FriendlyName"=""

    IEDFix
    !!!Attention, following keys are not inevitably infected!!!

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    VACFix
    !!!Attention, following keys are not inevitably infected!!!

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~2\\GOEC62~1.DLL,avgrsstx.dll"
    "LoadAppInit_DLLs"=dword:00000001


    Winlogon
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
    "System"=""


    Rustock



    DNS

    Description: Compact Wireless-G USB Adapter - Packet Scheduler Miniport
    DNS Server Search Order: 192.168.2.1

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{4934C8E4-4A75-4AF3-BA5D-2403C2DCD3BD}: DhcpNameServer=192.168.2.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{4934C8E4-4A75-4AF3-BA5D-2403C2DCD3BD}: DhcpNameServer=192.168.2.1
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{4934C8E4-4A75-4AF3-BA5D-2403C2DCD3BD}: DhcpNameServer=192.168.2.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


    Scanning for wininet.dll infection


    End

    -----------------
    ALSO,
    To answer your question:
    I downloaded the AVG 8.0 file as a license upgrade from the Grisoft site here:
    http://www.grisoft.com/us.90223
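The SmitfraudFix report above prints three things worth checking against a known-good baseline: the Winlogon Userinit value (stock XP is userinit.exe followed by a comma), the AppInit_DLLs list (here a Google DLL and AVG's avgrsstx.dll, both loaded into every process), and the DNS servers, which is the section SmitfraudFix uses to catch DNS-changer infections. The script below is an added example, not part of SmitfraudFix and not from the thread; it parses the report's .reg-style value lines and DNS lines from constructed sample text and returns findings where the values deviate from that baseline. The two sample reports are constructed; the tampered one exists only to show the checks firing.

```python
"""Baseline check over a SmitfraudFix 'Search' report (rapport.txt).

Added example, not part of SmitfraudFix. It reads the report text, collects the
registry values the report prints in .reg syntax, and compares them against a
Windows XP baseline: the Winlogon Userinit value must be the stock userinit.exe,
every AppInit_DLLs entry is listed for review, and any DNS server outside the
RFC 1918 private ranges is flagged, since a DNS-changer infection shows up as a
foreign resolver in exactly this section.
"""
import ipaddress
import re

# Stock Windows XP value (the trailing comma is part of the value).
XP_USERINIT = r"c:\windows\system32\userinit.exe,"

# RFC 1918 ranges; a home machine behind a router normally sees one of these.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

RE_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
RE_DNS = re.compile(r"(?:DNS Server Search Order:|DhcpNameServer=)\s*(?P<servers>[\d., ]+?)\s*$", re.M)

# Constructed sample in the report's layout, using the values seen in the thread.
CLEAN_REPORT = r"""
AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~2\\GOEC62~1.DLL,avgrsstx.dll"
"LoadAppInit_DLLs"=dword:00000001

Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""

DNS

Description: Compact Wireless-G USB Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
"""

# Constructed sample with a modified Userinit and a resolver outside private space.
TAMPERED_REPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\constructed_extra.exe"

DNS Server Search Order: 203.0.113.5
"""


def reg_values(report_text):
    """Collect "Name"="Value" lines (.reg syntax, backslashes doubled) into a dict."""
    out = {}
    for line in report_text.splitlines():
        m = RE_VALUE.match(line.strip())
        if m:
            out[m.group("name")] = m.group("value").replace("\\\\", "\\")
    return out


def dns_servers(report_text):
    """Return the sorted set of resolver addresses named anywhere in the DNS section."""
    found = set()
    for m in RE_DNS.finditer(report_text):
        for token in re.split(r"[ ,]+", m.group("servers").strip()):
            try:
                found.add(str(ipaddress.ip_address(token)))
            except ValueError:
                pass  # stray punctuation, not an address
    return sorted(found)


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def check(report_text):
    """Return the extracted values plus a list of (area, message) findings."""
    vals = reg_values(report_text)
    findings = []
    userinit = vals.get("Userinit", "")
    if userinit.lower() != XP_USERINIT:
        findings.append(("winlogon", "Userinit differs from stock value: %r" % userinit))
    dlls = [d.strip() for d in vals.get("AppInit_DLLs", "").split(",") if d.strip()]
    servers = dns_servers(report_text)
    for s in servers:
        if not is_rfc1918(s):
            findings.append(("dns", "resolver outside RFC 1918 space: " + s))
    return {"userinit": userinit, "appinit_dlls": dlls, "dns": servers, "findings": findings}


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_REPORT), ("tampered", TAMPERED_REPORT)):
        r = check(text)
        print(label, "AppInit DLLs to review:", r["appinit_dlls"])
        for area, msg in r["findings"]:
            print(label, "FINDING", area, msg)
```

The RFC 1918 membership test is deliberate: Python's `is_private` also treats documentation ranges such as 203.0.113.0/24 as private, so an explicit list of the three private networks gives the check a practitioner actually wants.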

    lectrocrew

      Topic Starter


      Mentor

    • ole dog learning new tricks
    • Thanked: 21
      • Yes
      • Yes
      • My first self-built computer
    • Certifications: List
    • Computer: Specs
    • Experience: Familiar
    • OS: Windows 10
    I went to work at 10pm last night till 7am so I probably won't stay awake much longer. I'll check back later to see if you've posted anything further or need more information. Thanks a ton for all your help!!!
    Mike

    evilfantasy

    • Malware Removal Specialist
    • Moderator
    That didn't find it.

    More thorough scan....

    Please download Combofix by sUBs from one of the below links.
    (Try all three if necessary) Important! Combofix.exe MUST be saved to and run from the Desktop.
    • Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
    • Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
      • Click this link to see a list of security programs that should be disabled and how to disable them.
      • If yours is not listed and you don't know how to disable it, please ask.
    • Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
    • Double click combofix.exe & follow the prompts.
      • Choose Yes to accept the Disclaimers.
      • When finished, it will produce a log for you.
      • Post that log in your next reply.
      Warning: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
      • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.
      If needed, see this Combofix tutorial with screenshots that will detail the downloading and running of combofix more thoroughly. Still be sure to rename combofix as detailed above.

      ----------

      Next post
      Combofix log

      lectrocrew

        Topic Starter


        Mentor

      • ole dog learning new tricks
      • Thanked: 21
        • Yes
        • Yes
        • My first self-built computer
      • Certifications: List
      • Computer: Specs
      • Experience: Familiar
      • OS: Windows 10
      Quote
      Click this link to see a list of security programs that should be disabled and how to disable them.

      If yours is not listed and you don't know how to disable it, please ask.

      I have Combofix.exe and Windows XP boot disk downloaded to my desktop and ready to run but:
      The instructions given in the link to disable AVG don't work for AVG8. It works for AVG 7.5, I've done that before. I cannot find a way to disable antivirus, antispyware or anti-rootkit. All others I have disabled {firewall, e-mail scanner, resident shield, anti-spam, search shield, active surf shield etc.}
      The AVG website is not much help.
      http://www.grisoft.com/ww.faq.num-1209#faq_1209



      patio

      • Moderator
      Disable the FireFox / AVG addon and see if this helps...
      Restart FireFox after doing so.
         
       
      " Anyone who goes to a psychiatrist should have his head examined. "

      lectrocrew

        Topic Starter


        Mentor

      • ole dog learning new tricks
      • Thanked: 21
        • Yes
        • Yes
        • My first self-built computer
      • Certifications: List
      • Computer: Specs
      • Experience: Familiar
      • OS: Windows 10
      I disabled the AVG add-ons but still don't see where to disable the antivirus, spyware, rootkit.
      I can terminate processes from the AVG system tools menu, but I'm not sure which process I need to terminate. I tried this route once but the 2nd process I terminated ended the AVG control panel I was using, although it returned after reboot.
       I don't know if terminating processes is even an optional way to disable the program, but since I can't find this control anywhere including advanced settings, will it work for what I'm trying to do?
      My terminate process options are:
      avgam.exe
      avgemc.exe

      lectrocrew

        Topic Starter


        Mentor

      • ole dog learning new tricks
      • Thanked: 21
        • Yes
        • Yes
        • My first self-built computer
      • Certifications: List
      • Computer: Specs
      • Experience: Familiar
      • OS: Windows 10
      Sorry
      I hit the enter button by mistake. I have more terminate process options. Please give me a moment to type them.

      lectrocrew

        Topic Starter


        Mentor

      • ole dog learning new tricks
      • Thanked: 21
        • Yes
        • Yes
        • My first self-built computer
      • Certifications: List
      • Computer: Specs
      • Experience: Familiar
      • OS: Windows 10
      Additional options =
      avgfws8.exe
      avgnsx.exe
      avgrsx.exe
      avgsystx.exe
      avgtray.exe
      avgui.exe
      avgwdsvc.exe

      evilfantasy

      • Malware Removal Specialist
      • Moderator
      Just try running Combofix. AVG may not block it from running. If it does block it then we will run it a different way.

      Combofix uses scripts that some AV's see as malicious.

      patio

      • Moderator

      Sorry for jumping in, EF.
      I just finished reading that AVG 8.0 installs an add-on to Firefox and thought it may be the hangup.

      patio.

      evilfantasy

      • Malware Removal Specialist
      • Moderator
      Any time Patio. Useful advice is always welcome.

      lectrocrew

        Topic Starter


        Mentor

      • ole dog learning new tricks
      • Thanked: 21
        • Yes
        • Yes
        • My first self-built computer
      • Certifications: List
      • Computer: Specs
      • Experience: Familiar
      • OS: Windows 10
      OK. Sorry for the delay. Another night at work. When I got home this morning I scanned with NoAdware again. Only 1 threat, AntiVirusGold. I then disabled NoAdware and the parts of AVG that I could, then I ran combofix per instructions I printed from the bleeping computer website.
      After it ran I saved the combofix logfile and I will try to post it in another reply, or 2 separate replies {it is large}.
      Immediately after running combofix, with no re-boot, I enabled NoAdware and scanned in quickscan mode. It found 5 threats as listed below. I did not allow NoAdware to remove any of the threats yet.
      ---------------------------------
      Noadware v5.0 --------------------------

      Reference File = C:\Program Files\NoAdware5.0\noadware4_041808.na

      ---------------------------



      Spyware Name = Kazaa

      Location = HKEY_CURRENT_USER\software\kazaa

      Type = RegKey

      Spyware Name = Kazaa

      Location = HKEY_CURRENT_USER\Software\Kazaa\LocalContent

      Type = RegKey

      Spyware Name = Backdoor.Bifrose

      Location = HKEY_CURRENT_USER\Software\Wget

      Type = RegKey

      Spyware Name = Trojan.PWS.Tanspy

      Location = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load

      Type = RegKey

      Spyware Name = AntiVirusGold

      Location = C:\Program Files\AVG

      Type = Directory



      ---------------------------------
      Next I started a scan with AVG. I'll probably post this reply before it finishes its scan due to time, but so far it has scanned 474xxx objects and found 8 suspect files but lists 0 as threats thus far. I'll post that log when it finishes.
      ------------------------
       

      lectrocrew

        Topic Starter


        Mentor

      • ole dog learning new tricks
      • Thanked: 21
        • Yes
        • Yes
        • My first self-built computer
      • Certifications: List
      • Computer: Specs
      • Experience: Familiar
      • OS: Windows 10
      My combofix log {part 1}:

      ComboFix 08-04-20.2 - Owner 2008-04-21  8:29:46.1 - NTFSx86
      Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1548 [GMT -4:00]
      Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
      Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
       * Created a new restore point
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      C:\WINDOWS\system32\tmp70.tmp
      C:\WINDOWS\system32\tmp71.tmp
      C:\WINDOWS\system32\tmp72.tmp

      .
      (((((((((((((((((((((((((   Files Created from 2008-03-21 to 2008-04-21  )))))))))))))))))))))))))))))))
      .

      2008-04-20 09:10 . 2008-04-20 09:09   289,144   --a------   C:\WINDOWS\system32\VCCLSID.exe
      2008-04-20 09:10 . 2008-04-20 09:09   288,417   --a------   C:\WINDOWS\system32\SrchSTS.exe
      2008-04-20 09:10 . 2008-04-20 09:09   86,528   --a------   C:\WINDOWS\system32\VACFix.exe
      2008-04-20 09:10 . 2008-04-20 09:09   82,432   --a------   C:\WINDOWS\system32\IEDFix.exe
      2008-04-20 09:10 . 2008-04-20 09:09   53,248   --a------   C:\WINDOWS\system32\Process.exe
      2008-04-20 09:10 . 2008-04-20 09:09   51,200   --a------   C:\WINDOWS\system32\dumphive.exe
      2008-04-20 09:10 . 2008-04-20 09:09   25,600   --a------   C:\WINDOWS\system32\WS2Fix.exe
      2008-04-20 09:10 . 2008-04-20 09:10   3,318   --a------   C:\WINDOWS\system32\tmp.reg
      2008-04-19 18:40 . 2008-04-19 18:40   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
      2008-04-19 18:40 . 2008-04-19 18:40   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Malwarebytes
      2008-04-19 18:40 . 2008-04-19 18:40   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
      2008-04-19 15:06 . 2008-04-19 17:09   <DIR>   d--------   C:\Program Files\Trend Micro
      2008-04-18 22:36 . 2008-04-18 22:36   <DIR>   dr-h-----   C:\Documents and Settings\Owner\Application Data\SecuROM
      2008-04-18 22:36 . 2008-04-18 22:36   107,888   --a------   C:\WINDOWS\system32\CmdLineExt.dll
      2008-04-18 22:32 . 2008-04-18 22:32   <DIR>   d--------   C:\WINDOWS\system32\AGEIA
      2008-04-18 22:32 . 2008-04-18 22:32   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
      2008-04-18 22:32 . 2008-04-18 22:32   <DIR>   d--------   C:\Program Files\AGEIA Technologies
      2008-04-18 22:32 . 2005-05-26 15:34   2,297,552   --a------   C:\WINDOWS\system32\d3dx9_26.dll
      2008-04-18 22:21 . 2008-04-19 01:33   <DIR>   d--------   C:\Program Files\Rail Simulator
      2008-04-18 17:58 . 2008-04-20 16:08   <DIR>   d--------   C:\WINDOWS\system32\drivers\Avg
      2008-04-18 17:58 . 2008-04-18 17:58   96,520   --a------   C:\WINDOWS\system32\drivers\avgldx86.sys
      2008-04-18 17:58 . 2008-04-18 17:58   75,272   --a------   C:\WINDOWS\system32\drivers\avgtdix.sys
      2008-04-18 17:58 . 2008-04-18 17:58   12,424   --a------   C:\WINDOWS\system32\drivers\avgrkx86.sys
      2008-04-18 17:58 . 2008-04-18 17:58   10,520   --a------   C:\WINDOWS\system32\avgrsstx.dll
      2008-04-18 17:38 . 2008-04-18 17:38   45,568   --a------   C:\WINDOWS\system32\avgfwdx.dll
      2008-04-18 17:38 . 2008-04-18 17:38   22,528   --a------   C:\WINDOWS\system32\drivers\avgfwdx.sys
      2008-04-18 13:17 . 2008-04-20 15:16   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Avg8
      2008-04-17 09:11 . 2008-04-17 21:26   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
      2008-04-17 09:11 . 2008-04-17 09:11   12,424   --a------   C:\WINDOWS\system32\drivers\avgrkx86.sys.install_backup
      2008-04-17 09:11 . 2008-04-17 09:11   10,520   --a------   C:\WINDOWS\system32\avgrsstx.dll.install_backup
      2008-04-17 09:10 . 2008-04-17 09:10   <DIR>   d--------   C:\Program Files\AVG
      2008-04-17 09:09 . 2008-04-17 20:57   <DIR>   d--------   C:\WINDOWS\SxsCaPendDel
      2008-04-07 20:02 . 2008-04-07 20:02   <DIR>   d--------   C:\Documents and Settings\Owner\Bluetooth Software
      2008-04-07 19:56 . 2008-04-07 19:56   <DIR>   d--------   C:\Documents and Settings\LocalService\Application Data\Logitech
      2008-04-07 19:56 . 2008-04-07 19:56   118,784   -r-------   C:\WINDOWS\bwUnin-7.2.0.157-8876480SL.exe
      2008-04-07 19:55 . 2008-04-07 20:01   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Logitech
      2008-04-07 19:55 . 2008-04-07 19:55   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Logitech
      2008-04-07 19:55 . 2005-10-05 12:00   47,104   --a------   C:\WINDOWS\system32\drivers\vserial.sys
      2008-04-07 19:55 . 2005-10-05 12:00   18,167   --a------   C:\WINDOWS\system32\drivers\vsb.sys
      2008-04-07 19:54 . 2008-04-07 19:56   <DIR>   d--------   C:\Program Files\Logitech
      2008-04-07 19:54 . 2008-04-07 19:54   <DIR>   d--------   C:\Program Files\Common Files\Logitech
      2008-04-07 19:51 . 2008-04-07 19:51   <DIR>   d--------   C:\Program Files\WIDCOMM
      2008-04-07 16:48 . 2008-04-07 16:48   <DIR>   d--------   C:\Program Files\Safari
      2008-04-07 16:45 . 2008-04-07 16:45   <DIR>   d--------   C:\Program Files\iTunes
      2008-04-07 16:45 . 2008-04-07 16:45   <DIR>   d--------   C:\Program Files\iPod
      2008-04-07 16:44 . 2008-04-07 16:44   <DIR>   d--------   C:\Program Files\QuickTime
      2008-04-06 16:31 . 2008-04-07 07:49   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Ulead Systems
      2008-04-06 16:29 . 2008-04-06 16:29   <DIR>   d--------   C:\Program Files\Ulead Systems
      2008-04-06 15:14 . 2005-11-24 19:51   245,248   --a------   C:\WINDOWS\system32\rt73.sys
      2008-04-06 15:14 . 2008-04-06 15:14   20,747   --a------   C:\WINDOWS\system32\drivers\AegisP.sys
      2008-04-06 15:14 . 2005-12-06 04:24   7,846   --a------   C:\WINDOWS\system32\rt73.cat
      2008-04-06 15:14 . 2008-04-06 15:14   1,361   --a------   C:\WINDOWS\system32\WLAN.INI
      2008-04-06 13:14 . 2008-04-06 16:29   <DIR>   d--------   C:\Program Files\Common Files\Ulead Systems
      2008-04-06 13:14 . 2008-04-06 16:30   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Ulead Systems
      2008-04-04 12:21 . 2006-12-28 13:12   290,816   --a------   C:\WINDOWS\system32\hcwzblast.dll
      2008-04-04 12:21 . 2007-03-28 07:16   90,175   --a------   C:\WINDOWS\system32\hcwblast.ocx
      2008-04-04 12:21 . 2007-03-28 07:15   65,603   --a------   C:\WINDOWS\system32\hcwIRblast.dll
      2008-04-04 12:21 . 2005-07-28 13:33   40,960   --a------   C:\WINDOWS\system32\GButton.ocx
      2008-04-04 12:21 . 2004-10-06 14:03   248   --a------   C:\WINDOWS\HCWBlast_sav.ini
      2008-04-04 12:21 . 2004-10-06 14:03   248   --a------   C:\WINDOWS\HCWBlast.ini
      2008-04-04 12:20 . 2008-04-04 12:20   <DIR>   d--------   C:\WINDOWS\system32\Hauppauge
      2008-04-04 12:20 . 2008-04-04 12:20   <DIR>   d--------   C:\Program Files\nanoPEG for WinTV
      2008-04-04 12:20 . 2008-04-04 12:20   <DIR>   d--------   C:\Program Files\Common Files\IviSDK
      2008-04-04 12:18 . 2008-04-18 18:51   <DIR>   d--------   C:\Program Files\WinTV
      2008-04-04 12:18 . 2008-04-06 07:58   <DIR>   d--------   C:\MyVideos
      2008-04-04 12:16 . 2004-08-03 23:10   85,376   --a------   C:\WINDOWS\system32\drivers\NABTSFEC.sys
      2008-04-04 12:15 . 2007-05-10 14:43   367,744   -ra------   C:\WINDOWS\system32\drivers\hcw18bda.sys
      2008-04-03 20:44 . 2008-04-03 20:44   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\vlc
      2008-04-03 20:43 . 2008-04-09 12:40   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\dvdcss
      2008-04-03 20:41 . 2008-04-03 20:41   <DIR>   d--------   C:\Program Files\VideoLAN
      2008-04-02 16:45 . 2008-04-18 18:06   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
      2008-04-02 16:45 . 2008-04-02 16:45   1,409   --a------   C:\WINDOWS\QTFont.for
      2008-04-02 16:43 . 2008-04-02 16:43   <DIR>   d--------   C:\Program Files\Bonjour
      2008-04-02 16:43 . 2008-04-10 13:45   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Apple Computer
      2008-04-02 16:42 . 2008-04-18 22:32   <DIR>   d----c---   C:\WINDOWS\system32\DRVSTORE
      2008-04-02 16:42 . 2008-04-02 16:42   <DIR>   d--------   C:\Program Files\Apple Software Update
      2008-04-02 16:42 . 2008-04-02 16:43   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Apple Computer
      2008-04-02 16:41 . 2008-04-02 16:41   <DIR>   d--------   C:\Program Files\Common Files\Apple
      2008-04-02 16:41 . 2008-04-02 16:41   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Apple
      2008-04-01 13:01 . 2008-04-01 13:01   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\CyberLink
      2008-04-01 12:54 . 2008-04-01 12:54   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\CyberLink
      2008-04-01 12:42 . 2008-04-01 12:43   <DIR>   d--------   C:\Program Files\CyberLink
      2008-03-31 21:46 . 2008-03-31 21:55   <DIR>   d--------   C:\WINDOWS\NV35842212.TMP
      2008-03-31 21:46 . 2007-12-10 14:24   159,458   --a------   C:\WINDOWS\system32\nvapps.nvb
      2008-03-31 21:44 . 2008-03-31 21:44   <DIR>   d--------   C:\NVIDIA
      2008-03-31 21:36 . 2008-03-31 21:36   <DIR>   d--------   C:\Program Files\SystemRequirementsLab
      2008-03-31 17:03 . 2008-03-31 17:03   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Ahead
      2008-03-31 17:01 . 2008-03-31 17:01   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Nero
      2008-03-31 13:18 . 2008-03-31 13:18   <DIR>   d--------   C:\Program Files\MSXML 4.0
      2008-03-31 12:40 . 2008-03-31 12:40   <DIR>   d--------   C:\Program Files\Windows Media Connect 2
      2008-03-31 12:40 . 2004-08-12 10:10   221,184   --a------   C:\WINDOWS\system32\wmpns.dll
      2008-03-31 12:38 . 2008-03-31 12:38   <DIR>   d--------   C:\WINDOWS\system32\LogFiles
      2008-03-31 12:38 . 2008-03-31 12:39   <DIR>   d--------   C:\WINDOWS\system32\drivers\UMDF
      2008-03-31 12:08 . 2008-04-15 07:39   69   --a------   C:\WINDOWS\NeroDigital.ini
      2008-03-31 10:59 . 2008-03-31 10:59   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Ahead
      2008-03-31 10:54 . 2008-03-31 10:54   <DIR>   d--------   C:\Program Files\Nero
      2008-03-31 10:54 . 2008-03-31 17:02   <DIR>   d--------   C:\Program Files\Common Files\Ahead
      2008-03-28 23:37 . 2008-03-28 23:37   90,112   --a------   C:\WINDOWS\system32\QuickTimeVR.qtx
      2008-03-28 23:37 . 2008-03-28 23:37   57,344   --a------   C:\WINDOWS\system32\QuickTime.qts
      2008-03-25 10:34 . 2006-12-06 00:19   44   --a------   C:\WINDOWS\system32\lxdcrwrd.ini
      2008-03-25 10:33 . 2008-03-25 10:35   <DIR>   d--------   C:\Program Files\Lexmark 1300 Series
      2008-03-25 10:33 . 2007-05-17 09:54   323,584   --a------   C:\WINDOWS\system32\LXDChcp.dll
      2008-03-25 10:33 . 2007-05-17 10:09   286,720   --a------   C:\WINDOWS\system32\LXDCinst.dll
      2008-03-25 10:33 . 2008-03-25 10:34   131,959   --a------   C:\WINDOWS\system32\LexFiles.ulf
      2008-03-25 10:32 . 2007-03-28 09:16   344,064   -ra------   C:\WINDOWS\system32\lxdccoin.dll
      2008-03-25 10:32 . 2007-03-18 21:45   77,906   -ra------   C:\WINDOWS\system32\lxdccfg.dll
      2008-03-25 10:32 . 2007-05-25 05:19   1,827   -ra------   C:\WINDOWS\system32\lxdc.loc
      2008-03-24 16:13 . 2008-03-25 10:33   <DIR>   d--------   C:\Program Files\Lexmark Toolbar
      2008-03-24 16:03 . 2008-02-22 02:33   69,632   --a------   C:\WINDOWS\system32\javacpl.cpl
      2008-03-24 04:29 . 2008-03-24 04:29   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Leadertech
      2008-03-24 03:02 . 2008-03-24 03:02   <DIR>   d--------   C:\WINDOWS\Sun
      2008-03-23 04:38 . 2008-03-23 04:38   <DIR>   d--------   C:\Program Files\Linksys Wireless-G Print Server
      2008-03-23 04:38 . 2006-10-18 18:32   37,248   --a------   C:\WINDOWS\system32\lknuhub.sys
      2008-03-23 04:38 . 2006-10-18 18:32   11,648   --a------   C:\WINDOWS\system32\lknucmp.sys
      2008-03-23 04:38 . 2006-10-18 18:35   1,393   --a------   C:\WINDOWS\system32\lknucmp.inf
      2008-03-23 04:38 . 2006-10-18 18:36   1,371   --a------   C:\WINDOWS\system32\lknuhub.inf
      2008-03-22 20:00 . 2008-03-22 20:01   16,826   --ah-----   C:\WINDOWS\system32\brdiag.GID
      2008-03-21 21:02 . 2008-03-22 14:37   247   --a------   C:\WINDOWS\BRMRCV.INI
      2008-03-21 20:53 . 2008-03-21 20:53   <DIR>   d--------   C:\Brother
      2008-03-21 18:22 . 2008-03-21 18:22   1,673,180   --a------   C:\Program Files\WRT54GSv7_7.50.5_fw_US_code.bin
      2008-03-21 17:52 . 2006-10-18 18:32   37,248   --a------   C:\WINDOWS\system32\drivers\lknuhub.sys
      2008-03-21 17:52 . 2006-10-18 18:32   11,136   --a------   C:\WINDOWS\system32\drivers\lknuhst.sys
      2008-03-21 17:51 . 2007-02-28 22:58   813   -ra------   C:\setup.iss
      2008-03-21 16:56 . 2008-03-23 05:41   <DIR>   d--------   C:\Program Files\Brownie
      2008-03-21 16:55 . 2008-03-22 19:58   <DIR>   d--------   C:\Program Files\Brother

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2008-04-20 17:43   ---------   d-----w   C:\Program Files\Lx_cats
      2008-04-08 00:02   19,372   ----a-w   C:\WINDOWS\system32\drivers\frmupgr.sys
      2008-04-07 23:56   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
      2008-04-06 19:14   ---------   d-----w   C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor
      2008-03-29 10:55   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\nView_Profiles
      2008-03-24 20:03   ---------   d-----w   C:\Program Files\Java
      2008-03-23 05:00   ---------   d-s---w   C:\Documents and Settings\All Users\Application Data\Memeo
      2008-03-23 00:13   ---------   d--h--w   C:\Documents and Settings\Owner\Application Data\GTek
      2008-03-21 20:55   ---------   d-----w   C:\Program Files\Common Files\InstallShield
      2008-03-21 20:28   ---------   d-----w   C:\Program Files\Common Files\Adobe
      2008-03-21 00:43   ---------   d-----w   C:\Program Files\Enroute Imaging
      2008-03-21 00:36   ---------   d-----w   C:\Program Files\OLYMPUS
      2008-03-20 21:58   ---------   d-----w   C:\Program Files\Analog Devices
      2008-03-20 21:02   ---------   d-----w   C:\Program Files\Picasa2
      2008-03-20 00:28   ---------   d-----w   C:\Program Files\Common Files\MySoftware
      2008-03-19 23:32   ---------   d-----w   C:\Program Files\Google
      2008-03-19 23:31   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\InstallShield
      2008-03-19 23:29   ---------   d-----w   C:\Program Files\Western Digital Technologies
      2008-03-19 22:23   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\NVIDIA
      2008-03-19 20:47   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\Corel
      2008-03-19 20:45   ---------   d-----w   C:\Program Files\Intel
      2008-03-19 20:04   ---------   d-----w   C:\Program Files\WexTech
      2008-03-19 20:04   ---------   d-----w   C:\Program Files\Common Files\WexTech Shared
      2008-03-19 20:04   ---------   d-----w   C:\Program Files\Common Files\LHSPF
      2008-03-19 20:01   ---------   d-----w   C:\Program Files\Corel
      2008-03-19 20:01   ---------   d-----w   C:\Program Files\Borland
      2008-03-19 19:48   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\Sonic
      2008-03-19 19:47   ---------   d-----w   C:\Program Files\Common Files\Sonic
      2008-03-19 19:46   ---------   d-----w   C:\Program Files\Sonic
      2008-03-19 18:32   ---------   d-----w   C:\Program Files\Linksys EasyLink Advisor
      2008-03-19 18:18   499,712   ----a-w   C:\WINDOWS\system32\msvcp71.dll
      2008-03-19 18:18   348,160   ----a-w   C:\WINDOWS\system32\msvcr71.dll
      2008-03-19 17:16   ---------   d-----w   C:\Program Files\Microsoft IntelliType Pro
      2008-03-19 17:16   ---------   d-----w   C:\Program Files\Microsoft IntelliPoint
      2008-03-19 14:48   ---------   d--ha-w   C:\Documents and Settings\All Users\Application Data\GTek
      2008-03-19 13:47   ---------   d-----w   C:\Program Files\Western Digital
      2008-03-19 13:47   ---------   d-----w   C:\Program Files\Common Files\Java
      2008-03-19 13:47   ---------   d-----w   C:\Program Files\B's Recorder GOLD5
      2008-03-19 13:47   ---------   d-----w   C:\Program Files\ArcSoft
      2008-03-19 13:47   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
      2008-03-19 09:47   1,845,248   ----a-w   C:\WINDOWS\system32\win32k.sys
      2008-03-19 02:55   ---------   d-----w   C:\Program Files\microsoft frontpage
      2008-03-01 13:06   826,368   ----a-w   C:\WINDOWS\system32\wininet.dll
      2008-02-23 02:38   43,872   ----a-w   C:\WINDOWS\system32\drivers\pxhelp20.sys
      2008-02-20 06:51   282,624   ----a-w   C:\WINDOWS\system32\gdi32.dll
      2008-02-20 05:32   45,568   ----a-w   C:\WINDOWS\system32\dnsrslvr.dll
      2008-01-29 16:02   107,368   ----a-w   C:\WINDOWS\system32\GEARAspi.dll
      .


      lectrocrew

      combofix {part 2}

      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
      2008-04-18 17:58   2051328   --a------   C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
      "{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-04-18 17:58 2051328]

      [HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
      [HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

      [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
      "{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-04-18 17:58 2051328]

      [HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
      [HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 19:16 454784]
      "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:56 15360]
      "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03 152872]
      "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2008-04-07 19:56 36864]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
      "nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
      "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 02:05 122939]
      "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
      "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
      "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
      "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [ ]
      "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
      "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
      "lxdcmon.exe"="C:\Program Files\Lexmark 1300 Series\lxdcmon.exe" [ ]
      "lxdcamon"="C:\Program Files\Lexmark 1300 Series\lxdcamon.exe" [2007-04-30 04:19 20480]
      "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
      "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-09-05 12:19 94208 C:\WINDOWS\KHALMNPR.Exe]
      "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-09-05 12:19 94208 C:\WINDOWS\KHALMNPR.Exe]
      "Logitech BT Wizard"="LBTWiz.exe" []
      "Easy Synchronization"="C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe" [2005-10-05 12:00 53248]

      C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
      Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-08-17 23:19:54 622653]
      Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-04-07 19:56:23 196608]
      Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-04-07 19:54:51 671744]

      [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
      Source= F:\vulcan_1024x768.jpg
      FriendlyName=

      [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
      Source= F:\Nalu_1920x1440.jpg
      FriendlyName=

      [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
      Source= F:\Adrianne_1400x1050.jpg
      FriendlyName=

      [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
      Source= C:\Documents and Settings\Owner\My Documents\My Pictures\black_cat.jpg
      FriendlyName=

      [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
      Source= C:\Documents and Settings\Owner\My Documents\My Pictures\cat13b.jpg
      FriendlyName=

      [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\5]
      Source= C:\Documents and Settings\Owner\My Documents\My Pictures\wanimal3t.gif
      FriendlyName=

      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
      "{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= C:\Program Files\Logitech\Easy Synchronization\shellexecutehook.dll [2005-10-05 12:00 69632]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
      c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2006-10-25 19:01 65536 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
      "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
      "msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
      "msacm.mpegacm"= mpegacm.acm

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoStart IR.lnk]
      path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoStart IR.lnk
      backup=C:\WINDOWS\pss\AutoStart IR.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Application Director 9.LNK]
      path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Desktop Application Director 9.LNK
      backup=C:\WINDOWS\pss\Desktop Application Director 9.LNKCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MySoftware InterCom.lnk]
      path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MySoftware InterCom.lnk
      backup=C:\WINDOWS\pss\MySoftware InterCom.lnkCommon Startup

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
      --a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
      --a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
      --a------ 2008-04-18 17:58 1177368 C:\PROGRA~1\AVG\AVG8\avgtray.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
      --a------ 2008-03-19 19:32 1862144 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
      --a------ 2007-02-05 19:52 849280 C:\Program Files\Microsoft IntelliPoint\ipoint.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
      --a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
      --a------ 2006-11-21 21:08 813912 C:\Program Files\Microsoft IntelliType Pro\itype.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
      --a------ 2007-01-08 22:17 52256 C:\Program Files\CyberLink\PowerDVD\Language\Language.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
      --a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSDiagnosticM]
      --a------ 2007-02-27 16:29 315392 C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
      --a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
      --------- 2007-01-08 22:26 68640 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Quick-Drop]
      --------- 2006-06-06 11:47 118784 C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 5 SE\Ulead DVD MovieFactory 5\Quick-Drop.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
      --a------ 2004-01-07 02:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
      "WMPNetworkSvc"=3 (0x3)
      "UleadBurningHelper"=2 (0x2)
      "RichVideo"=2 (0x2)
      "NBService"=3 (0x3)
      "iPod Service"=3 (0x3)
      "gusvc"=3 (0x3)
      "GoogleDesktopManager"=3 (0x3)
      "Apple Mobile Device"=2 (0x2)

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
      "EnableFirewall"= 0 (0x0)

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "C:\\WINDOWS\\system32\\lxdccoms.exe"=
      "C:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
      "C:\\Program Files\\Lexmark 1300 Series\\app4r.exe"=
      "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
      "C:\\Program Files\\iTunes\\iTunes.exe"=
      "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
      "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
      "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
      "C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
      "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcpswx.exe"=
      "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcjswx.exe"=
      "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdctime.exe"=

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "135:TCP"= 135:TCP:TCP Port 135
      "5000:TCP"= 5000:TCP:TCP Port 5000
      "5001:TCP"= 5001:TCP:TCP Port 5001
      "5002:TCP"= 5002:TCP:TCP Port 5002
      "5003:TCP"= 5003:TCP:TCP Port 5003
      "5004:TCP"= 5004:TCP:TCP Port 5004
      "5005:TCP"= 5005:TCP:TCP Port 5005
      "5006:TCP"= 5006:TCP:TCP Port 5006
      "5007:TCP"= 5007:TCP:TCP Port 5007
      "5008:TCP"= 5008:TCP:TCP Port 5008
      "5009:TCP"= 5009:TCP:TCP Port 5009
      "5010:TCP"= 5010:TCP:TCP Port 5010
      "5011:TCP"= 5011:TCP:TCP Port 5011
      "5012:TCP"= 5012:TCP:TCP Port 5012
      "5013:TCP"= 5013:TCP:TCP Port 5013
      "5014:TCP"= 5014:TCP:TCP Port 5014
      "5015:TCP"= 5015:TCP:TCP Port 5015
      "5016:TCP"= 5016:TCP:TCP Port 5016
      "5017:TCP"= 5017:TCP:TCP Port 5017
      "5018:TCP"= 5018:TCP:TCP Port 5018
      "5019:TCP"= 5019:TCP:TCP Port 5019
      "5020:TCP"= 5020:TCP:TCP Port 5020

      R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-04-18 17:58]
      R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-04-18 17:58]
      R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-04-18 17:57]
      R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-04-18 17:57]
      R2 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\AVG8\avgfws8.exe [2008-04-18 17:57]
      R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-04-18 17:58]
      R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-10-25 19:10]
      R2 lxdc_device;lxdc_device;C:\WINDOWS\system32\lxdccoms.exe [2007-05-25 05:38]
      R3 Avgfwdx;Avgfwdx;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-04-18 17:38]
      R3 hcw18bda;Hauppauge WinTV 418 Driver;C:\WINDOWS\system32\drivers\hcw18bda.sys [2007-05-10 14:43]
      R3 lknuhst;Linksys Network USB Host Controller;C:\WINDOWS\system32\DRIVERS\lknuhst.sys [2006-10-18 18:32]
      R3 LKNUHUB;Linksys Network USB Root Hub;C:\WINDOWS\system32\DRIVERS\lknuhub.sys [2006-10-18 18:32]
      S2 lxdcCATSCustConnectService;lxdcCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdcserv.exe [2007-05-25 05:38]
      S3 Avgfwfd;AVG network filter service;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-04-18 17:38]
      S3 HauppaugeTVServer;HauppaugeTVServer;C:\PROGRA~1\WinTV\HCWTVS~1.EXE [2007-02-20 15:11]
      S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\ngrpci.sys [2001-08-17 13:12]

      *Newly Created Service* - CATCHME
      *Newly Created Service* - GTNDIS5
      .
      **************************************************************************

      catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2008-04-21 08:31:35
      Windows 5.1.2600 Service Pack 2 NTFS

      scanning hidden processes ...

      scanning hidden autostart entries ...

      scanning hidden files ...


      **************************************************************************
      .
      Completion time: 2008-04-21  8:34:03
      ComboFix-quarantined-files.txt  2008-04-21 12:33:01

      Pre-Run: 18,073,759,744 bytes free
      Post-Run: 19,050,729,472 bytes free

      WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
      [boot loader]
      timeout=2
      default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
      [operating systems]
      multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
      C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

      384   --- E O F ---   2008-04-09 02:06:51

      evilfantasy

      Did Noadware just start reporting this infection when you installed AVG8?

      Could this be a false positive?

      Use the Kaspersky Online Scanner
      • Click Accept.
      • Answer Yes, when prompted to install an ActiveX component.
      • The program will then begin downloading the latest definition files.
      • Once the files have been downloaded click on NEXT
      • Locate the Scan Settings button & configure to:
        • Scan using the following Anti-Virus database:
          • Extended
        • Scan Options:
          • Scan Archives
          • Scan Mail Bases
      • Click OK & have it scan My Computer

      When the scan is done, in the Scan is complete window (below), any infection is displayed.
      There is no option to clean/disinfect, however, we need to analyze the information on the report.

      To obtain the report:
      Click on: Save Report As...
      • Next, in the Save as prompt, Save in area, select: Desktop.
      • In the File name area, use KScan, or something similar.
      • In Save as type: click the drop arrow and select: Text file [*.txt]
      • Then, click: Save

      Please copy and paste the Kaspersky Online Scanner Report in your next post.

      ---------------

      Next post
      Kaspersky log

          lectrocrew

          Quote
          Did Noadware just start reporting this infection when you installed AVG8?
          Yes, I believe so. My NoAdware autoscans every morning {provided my computer is on, which it usually is} at 6am while I'm at work. The last scan log, for 4-17-2008, completed at 6:05am without the AntiVirusGold in it, is here:
          =======================
          Noadware v5.0 --------------------------

          Reference File = C:\Program Files\NoAdware5.0\noadware4_040408.na

          ---------------------------



          Spyware Name = Tracking Cookie

          Location = adinterax

          Type = Cookie

          Spyware Name = Tracking Cookie

          Location = adopt.specificclick

          Type = Cookie

          Spyware Name = Tracking Cookie

          Location = specificclick

          Type = Cookie

          ======================

          The scan for 4-18-2008 completed at 6:04am is here:
          =======================

          Noadware v5.0 --------------------------

          Reference File = C:\Program Files\NoAdware5.0\noadware4_041608.na

          ---------------------------



          Spyware Name = Tracking Cookie

          Location = ad.yieldmanager

          Type = Cookie

          Spyware Name = Tracking Cookie

          Location = bluestreak

          Type = Cookie

          Spyware Name = Tracking Cookie

          Location = media.adrevolver

          Type = Cookie

          Spyware Name = Tracking Cookie

          Location = ssl-hints.netflame

          Type = Cookie

          Spyware Name = AntiVirusGold

          Location = C:\Program Files\AVG

          Type = Directory

          =======================
          Quote
          Could this be a false positive?

          I guess so, although you make that call. I didn't know there was such a thing as a false positive.

          Should I do anything about the files found after the combofix ran or continue to the "Kaspersky Online Scanner" now?






          evilfantasy

          We will clean up the tools we have used when we are done.

          Go ahead with the Kaspersky scan. It won't remove anything but the log will be very helpful.

          lectrocrew

          Sorry for the delay. That scan took about an hour. Results below:

          -------------------------------------------------------------------------------
           KASPERSKY ONLINE SCANNER REPORT
           Monday, April 21, 2008 4:18:40 PM
           Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
           Kaspersky Online Scanner version: 5.0.98.0
           Kaspersky Anti-Virus database last update: 21/04/2008
           Kaspersky Anti-Virus database records: 719150
          -------------------------------------------------------------------------------

          Scan Settings:
             Scan using the following antivirus database: extended
             Scan Archives: true
             Scan Mail Bases: true

          Scan Target - My Computer:
             C:\
             D:\
             E:\
             F:\
             L:\

          Scan Statistics:
             Total number of scanned objects: 97346
             Number of viruses found: 1
             Number of infected objects: 3
             Number of suspicious objects: 0
             Duration of the scan process: 00:56:47

          Infected Object Name / Virus Name / Last Action
          C:\Documents and Settings\All Users\Application Data\Avg8\Antispam\scoffset.bin.incr   Object is locked   skipped
          C:\Documents and Settings\All Users\Application Data\Avg8\AvgAm\avgam.lck   Object is locked   skipped
          C:\Documents and Settings\All Users\Application Data\Avg8\emc\Log\emc.log   Object is locked   skipped
          C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgam.log   Object is locked   skipped
          C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgcore.log   Object is locked   skipped
          C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgcore.log.1   Object is locked   skipped
          C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgfw8u.log   Object is locked   skipped
          C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgns.log   Object is locked   skipped
          C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgrs.log   Object is locked   skipped
          C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgsched.log   Object is locked   skipped
          C:\Documents and Settings\All Users\Application Data\Avg8\Log\commonpriv.log   Object is locked   skipped
          C:\Documents and Settings\All Users\Application Data\Avg8\Log\commonpub.log   Object is locked   skipped
          C:\Documents and Settings\LocalService\Cookies\index.dat   Object is locked   skipped
          C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
          C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
          C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
          C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
          C:\Documents and Settings\LocalService\NTUSER.DAT   Object is locked   skipped
          C:\Documents and Settings\LocalService\ntuser.dat.LOG   Object is locked   skipped
          C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
          C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
          C:\Documents and Settings\NetworkService\NTUSER.DAT   Object is locked   skipped
          C:\Documents and Settings\NetworkService\ntuser.dat.LOG   Object is locked   skipped
          C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\gdql_lsa_LinksysAgent.log   Object is locked   skipped
          C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\glog.log   Object is locked   skipped
          C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent.log   Object is locked   skipped
          C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent_GTActions.log   Object is locked   skipped
          C:\Documents and Settings\Owner\Cookies\index.dat   Object is locked   skipped
          C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
          C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
          C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip   ZIP: infected - 1   skipped
          C:\Documents and Settings\Owner\Local Settings\Application Data\Ahead\Nero Home\bl.db   Object is locked   skipped
          C:\Documents and Settings\Owner\Local Settings\Application Data\Ahead\Nero Home\is2.db   Object is locked   skipped
          C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat   Object is locked   skipped
          C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
          C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
          C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
          C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008042120080422\index.dat   Object is locked   skipped
          C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
          C:\Documents and Settings\Owner\NTUSER.DAT   Object is locked   skipped
          C:\Documents and Settings\Owner\ntuser.dat.LOG   Object is locked   skipped
          C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\BWDocMap.pht   Object is locked   skipped
          C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\BWInfopakMap.pht   Object is locked   skipped
          C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\chandir.dat   Object is locked   skipped
          C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\chandir.idx   Object is locked   skipped
          C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\chn.dat   Object is locked   skipped
          C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\chn.idx   Object is locked   skipped
          C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\D0000000.FCS   Object is locked   skipped
          C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\inuse.txt   Object is locked   skipped
          C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\L0000003.FCS   Object is locked   skipped
          C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\main.log   Object is locked   skipped
          C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs.dat   Object is locked   skipped
          C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs.idx   Object is locked   skipped
          C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_die.dat   Object is locked   skipped

          Scan process completed.

          evilfantasy

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Calm like a bomb
          • Thanked: 489
          • Experience: Familiar
          • OS: Windows 10
The log is clean. I am pretty sure that it was a false positive being given by NoAdware.

Let's clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.

• Click START then RUN
• Now type Combofix /u in the runbox
• Make sure there's a space between Combofix and /u
• Then hit Enter.

The above procedure will:
• Delete:
  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\Deckard folder, if present
  • The C:\_OtMoveIt folder, if present
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop (unless you already have it installed).

1. Double click OTMoveIt2.exe to launch it.
   Vista users right click and choose Run As Administrator.
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete, exit out of OTMoveIt2.

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll back to a clean working state if needed.
• Go to Start > Programs > Accessories > System Tools and click System Restore
• Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
• The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Next go to Start > Run and type Cleanmgr
• Click OK
• Click the More Options Tab.
• Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

Use the Secunia Software Inspector to check for out of date software.
• Click Start Now
• Check the box next to Enable thorough system inspection.
• Click Start
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

Let me know how things are now.

            lectrocrew

              Topic Starter


              Mentor

            • ole dog learning new tricks
            • Thanked: 21
              • Yes
              • Yes
              • My first self-built computer
            • Certifications: List
            • Computer: Specs
            • Experience: Familiar
            • OS: Windows 10
Quote
Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop. (unless you already have it installed)

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.

When I click on the 'CleanUp' button I get an error box that says:
"OTMoveIt2
I/O error 1784"
I clicked the 'OK' in that box and tried clicking the CleanUp button again and got the same message.
What did I miss?


evilfantasy
Did the list load into the box under the yellow bar?

lectrocrew

evilfantasy
OK, open this attachment and copy then paste the entire list into the window under the yellow bar in OTMoveIt2. Then click the CleanUp button.

[recovering space - attachment deleted by admin]

lectrocrew
Done, but I get the same error message.

lectrocrew
Below is a copy-paste of what's in that box.

[nobackups]
[deleteself]
avenger.zip     <Avenger by Swandog46>
avenger.exe
Avenger
avenger.txt
bfu.zip         <BFU by Merijn>
BFU
combofix.exe    <ComboFix by sUBs>
Combo-Fix.sys
ComboFix
erdnt
QooBox
ComboFix*.txt
catchme         <delete service>
catchme.exe
fdsv.exe
grep.exe
moveex.exe
nircmd.exe
sed.exe
swreg.exe
Swsc.exe
Swxcacls.exe
VFind.exe
WS2Fix.exe
zip.exe
tmp.reg
dss.exe         <Deckard's System Scanner by Deckard>
Deckard
deljob.exe      <Author Unknown>
deljob
logit.txt
FindAWF.exe     <FindAWF by noahdfear>
AWF.txt
fixwareout.exe  <FixWareout by LonnyRJones>
fixwareout
fsbl.exe        <F-Secure BlackLight>
fsbl*.log
gmer.exe        <GMER by Gmer>
gmer.dll
gmer.ini
gmer.log
gmer_uninstall.cmd
gmer.sys
gmer            <delete service>
haxfix.exe      <Haxfix by Markie>
haxfix.txt
killbox.exe     <Killbox by Option^Explicit>
!Killbox
NoLop.exe       <NoLop by ?>
NoLop.txt
NoLopOLD.txt
delete.bat
OTMoveIt.exe    <OTMoveIt by OldTimer>
OTMoveIt2.exe
_OTMoveIt
OTScanIt.exe    <OTScanIt by OldTimer>
OTScanIt
rustbfix.exe    <Rustbfix by Ejvindh>
Rustbfix
sdfix.exe       <SDFix by Andy_Manchesta>
SDFix
Silent Runners.vbs  <by Andrew ARONOFF>
SmitfraudFix.exe <SmitfraudFix by S!Ri>
SmitfraudFix
rapport.txt
SysInsite       <System Insite by Bobbi Flekman>
VundoFix.exe    <VundoFix by Atribune>
VundoFix Backups
vundofix.txt
vundofix.vft
win32delfkil.exe <WinDelfKil by Markie>
_backupD
windelf.txt
winpfind.exe    <WinPfind by OldTimer>
WinPfind
WinPFind3u.exe  <WinPFind3 by OldTimer>
WinPFind3u
WinPFind35u.exe  <WinPFind35 by OldTimer>
WinPFind35u
cleanup.txt

evilfantasy
Strange.

These are the files we are trying to delete with OTMoveIt2. You may have to go in and manually delete them.

C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\VACFix.exe
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\system32\tmp.reg
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip

lectrocrew
OK. I've deleted 1 so far. Give me a few minutes.

lectrocrew
Done, and only because I am trying to be cautious: do I now empty my 'Recycle Bin'?

evilfantasy
Yep, then do the rest of the instructions.

lectrocrew
Quote
Use the Secunia Software Inspector to check for out of date software.

Click Start Now

Check the box next to Enable thorough system inspection.

Click Start

Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

When I clicked the start button in Secunia Software Inspector, it showed a message saying I needed Sun Java from www.java.com for Secunia Software Inspector to run correctly. So I went to java.com and downloaded the latest Java file and verified that I have the latest version, but it looks like Secunia still has a problem with a Java applet issue. Below is the current status:

Detection Statistics:
0 Applications Detected in Total
0 Insecure Versions Detected
0 Secure Versions Detected

Running For:
0 minutes, 0 seconds

Errors Detected:
0 Errors Detected
Enable thorough system inspection.
Enable the Secunia Software Inspector to search for software installed in non-default locations.

Beta Test! 10 days left of beta period
Beta test the 2nd generation Secunia NSI, the network aware edition of the Software Inspector. Download NSISetup.exe
Status / Currently Processing:

*There might be problems loading the Java Applet in your browser
-------------------
*I wrapped the last sentence in bold myself.
What now?
BTW, did I mention that I really appreciate your time doing this!!!

evilfantasy
You may need to restart the computer if you just downloaded the Java.

lectrocrew
I still get the same message. Is this the Java download I need?
http://www.java.com/en/

evilfantasy
Yes, that's it. Are you using Firefox or IE? It will work better in IE, but I just used it earlier today in Firefox so I am not sure what is going on. Try turning off your firewall and see if it works.

lectrocrew
I'm running IE7. I tried with my AVG firewall disabled, and Windows Firewall is off as normal. Also in Control Panel > Internet Options > Security, the value for "Scripting of Java applets" is 'Enable'.

evilfantasy
See if you can download and run the SECUNIA PSI Personal Edition - free also.

https://psi.secunia.com/


lectrocrew
That worked fine. It shows I have 3 insecure programs and 83 patched.
The 3 insecure are:

Adobe Flash Player 9.x {ActiveX control}
Safari for Windows 3.x
Sun Java JRE 1.5x / 5x

I don't see how to copy-paste or post a log with this?

evilfantasy
Use the Adobe Online Uninstaller to fully uninstall all old versions of Flash Player.

Then install the New Version

----------

Go to Add/Remove Programs and uninstall any old version of Java, leaving only the newest one, 1.6.0.6.

----------

Update Safari - Not sure how since I don't use it.


lectrocrew
OK. I ran the 'Download Solution' for all 3 insecure programs and re-scanned with Secunia PSI.
This scan only shows 1 insecure program: Sun Java JRE 1.5x / 5.x.
I'll try uninstalling it and downloading again.

evilfantasy
Go to C:\Program Files\Java and delete the 1.5x / 5.x folder.

lectrocrew
It won't let me delete it. I get a message:
"cannot delete jusched.exe. access is denied. Make sure the disk is not full or write protected and that the file is not currently in use".

evilfantasy
Hmm, try this.

Download JavaRa.zip

• Unzip the file and open the JavaRa.exe
• Click Remove Older Versions
• JavaRa will search for any outdated version of Java and remove any that are found.
• Exit JavaRa.

lectrocrew
Done. Now I still have these folders in C/Program Files/Java/:
jre1.5.0_12
jre1.6.0_05

evilfantasy
Actually both of those are old lol.

New version can be downloaded and installed HERE

Then go to Add/Remove Programs and uninstall all but the 1.6.0.6 that was just installed. Then go to Program Files and check for any old folders and delete them. All except for the 1.6.0.6 that was just installed.

Sorry, forgot that it just updated again last week.

lectrocrew
Done.

'Java 6 Update 6' is the only Java showing in Add/Remove Programs.

In Program Files it added jre1.6.0_06, and let me delete jre1.6.0_05, but it still won't let me delete jre1.5.0_12.


evilfantasy
Is the jre1.5.0_12 folder in Program Files, or is it just the entry in Add/Remove Programs that is there?

lectrocrew
jre1.5.0_12 is in Program Files. It does not show up in Add/Remove Programs.

evilfantasy
Download Unlocker 1.8.6 (scroll down the page a little)

Use Unlocker to try and delete the file. You will just right click it and choose Unlocker, then select delete.

If that doesn't work then try to delete it in safe mode.

lectrocrew
Unlocker 1.8.6 won't delete it. It asked if I wanted it to perform the delete operation at next start-up and I clicked yes. Should I restart now to try?

lectrocrew
Oh, I'm sorry. How do I delete it in safe mode?

evilfantasy
See if it is gone after restarting. If not, then restart in safe mode and try to delete it.

Starting your computer in safe mode
• If the computer is running, shut down Windows, and then turn off the power.
• Wait 30 seconds, and then turn the computer on.
• Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
• Ensure that the Safe Mode option is selected.
• Press Enter. The computer then begins to start in Safe mode.
• Log in on your usual account.

lectrocrew
Quote
See if it is gone after restarting.

It's gone. Yeah!!!

I'm going to have to leave for work in a few minutes. I'm sure you're getting tired anyway. I have an appointment after work in the morning but will log back on afterward. When you get time, I'll need to get instructions on deleting the files in the latest NoAdware scan shown below.
Thanks again for all your help!!!

Noadware v5.0 --------------------------
Reference File = C:\Program Files\NoAdware5.0\noadware4_042108.na
---------------------------

Spyware Name = Kazaa | Location = HKEY_CURRENT_USER\software\kazaa | Type = RegKey
Spyware Name = Kazaa | Location = HKEY_CURRENT_USER\Software\Kazaa\LocalContent | Type = RegKey
Spyware Name = Backdoor.Bifrose | Location = HKEY_CURRENT_USER\Software\Wget | Type = RegKey
Spyware Name = Trojan.PWS.Tanspy | Location = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load | Type = RegKey
Spyware Name = Tracking Cookie | Location = 2o7 | Type = Cookie
Spyware Name = Tracking Cookie | Location = ad.yieldmanager | Type = Cookie
Spyware Name = Tracking Cookie | Location = adinterax | Type = Cookie
Spyware Name = Tracking Cookie | Location = adopt.specificclick | Type = Cookie
Spyware Name = Tracking Cookie | Location = ads.pointroll | Type = Cookie
Spyware Name = Tracking Cookie | Location = advertising | Type = Cookie
Spyware Name = Tracking Cookie | Location = atdmt | Type = Cookie
Spyware Name = Tracking Cookie | Location = bluestreak | Type = Cookie
Spyware Name = Tracking Cookie | Location = DoubleClick | Type = Cookie
Spyware Name = Tracking Cookie | Location = media.adrevolver | Type = Cookie
Spyware Name = Tracking Cookie | Location = richmedia.yahoo | Type = Cookie
Spyware Name = Tracking Cookie | Location = specificclick | Type = Cookie
Spyware Name = Tracking Cookie | Location = ssl-hints.netflame | Type = Cookie
Spyware Name = Tracking Cookie | Location = xiti | Type = Cookie
Spyware Name = AntiVirusGold | Location = C:\Program Files\AVG | Type = Directory

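The NoAdware report above has a regular "Spyware Name / Location / Type" shape, so its findings can be parsed and triaged mechanically. The Python below is an added example (not NoAdware's code or anything posted in the thread): it parses the records, groups them by type, and flags a Directory finding that sits in the install folder of software the owner knowingly installed, which is exactly the AVG-reported-as-AntiVirusGold case. The KNOWN_GOOD_DIRS allow-list and the product name in it are assumptions made for this example.

```python
"""Triage helper for NoAdware-style scan reports (added example)."""
import re
from collections import defaultdict

# Constructed sample: an excerpt of the NoAdware v5.0 report posted in the thread.
SAMPLE_REPORT = r"""Noadware v5.0 --------------------------

Reference File = C:\Program Files\NoAdware5.0\noadware4_042108.na

---------------------------

Spyware Name = Kazaa
Location = HKEY_CURRENT_USER\software\kazaa
Type = RegKey

Spyware Name = Backdoor.Bifrose
Location = HKEY_CURRENT_USER\Software\Wget
Type = RegKey

Spyware Name = Tracking Cookie
Location = DoubleClick
Type = Cookie

Spyware Name = AntiVirusGold
Location = C:\Program Files\AVG
Type = Directory
"""

# Hypothetical allow-list of install directories belonging to software the
# owner knowingly installed. A real list would be built from the machine's own
# Add/Remove Programs entries rather than hard-coded like this.
KNOWN_GOOD_DIRS = {
    r"C:\Program Files\AVG": "AVG Internet Security 8.0",
}

FIELD_RE = re.compile(r"^\s*(Spyware Name|Location|Type)\s*=\s*(.*?)\s*$")


def parse_report(text):
    """Parse 'Spyware Name / Location / Type' triples into a list of dicts.

    Header lines such as 'Reference File = ...' and the dashed separators do
    not match FIELD_RE and are ignored; a record is emitted on its 'Type' line.
    """
    findings = []
    current = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if not match:
            continue
        key, value = match.groups()
        if key == "Spyware Name":
            current = {"name": value}          # start a fresh record
        elif key == "Location":
            current["location"] = value
        elif key == "Type":
            current["type"] = value
            if "name" in current and "location" in current:
                findings.append(current)       # keep only complete records
            current = {}
    return findings


def _norm_path(path):
    """Case-insensitive, trailing-backslash-insensitive Windows path key."""
    return path.rstrip("\\").lower()


def triage(findings, known_good_dirs=KNOWN_GOOD_DIRS):
    """Bucket findings by type and flag directory hits on known-good software.

    A 'Directory' finding whose location is the install folder of a product the
    owner installed is a name-based false positive: deleting it would break the
    legitimate product rather than remove malware, so it gets its own bucket.
    """
    good = {_norm_path(p): product for p, product in known_good_dirs.items()}
    buckets = defaultdict(list)
    for finding in findings:
        kind = finding["type"].lower()
        key = _norm_path(finding["location"])
        if kind == "directory" and key in good:
            buckets["false_positive"].append(dict(finding, product=good[key]))
        else:
            buckets[kind].append(finding)
    return dict(buckets)


def summarize(report_text):
    """Return counts per bucket so a reader sees what actually needs action."""
    buckets = triage(parse_report(report_text))
    return {name: len(items) for name, items in buckets.items()}


if __name__ == "__main__":
    for bucket, items in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{bucket}:")
        for item in items:
            note = f" (install dir of {item['product']})" if "product" in item else ""
            print(f"  {item['name']:<16} {item['location']}{note}")
```

Registry-key and cookie findings still deserve a look, but the split makes clear that the one "Directory" hit is the only item that would take a working product with it if deleted.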

evilfantasy
Try running Spybot and see if it gets rid of them. I am sort of wondering about NoAdware now that I am positive it is seeing AVG as AntiVirusGold when it is clearly not that.

http://www.filehippo.com/download_spybot_search_destroy/

lectrocrew
Good morning evilfantasy.
I'm currently on another computer because mine has become so slow it took over 6 minutes to load this forum page after I clicked on the link in 'My Favorites'.
I tried installing Spybot but it's so slow that I got an error box before the file could download. The box says:
"File Download
Error sending request the operation timed out".
My internet speed has been getting progressively slower during the time we have been trying to delete this AntiVirusGold file. Should I try removing some of those programs we have been using that are still on my desktop? There are a couple that run when I start my computer, like Secunia and Unlocker Assistant. Several icons on my desktop include:
OTMoveIt2
Smithfraud
mbam
sniper.exe
hjt
kscan
unlocker1.8.6

Also, my AVG8 does not show any threats in the scan it did overnight, but it does ask if I want to remove 135 potentially dangerous files. Should I let it delete those files yet?


evilfantasy
You can uninstall or delete:
OTMoveIt2
Smithfraud
sniper.exe
hjt
kscan
unlocker1.8.6

I would keep MBAM as it doesn't run unless you want it to and is great for an occasional scan.

Try working through some of the steps HERE, including Disk Cleanup, disk defrag and Manage autostart items. See if that improves performance.


lectrocrew
Okay, I got most everything deleted and uninstalled and she's back running real well. Thanks so much for all your help!!!
I'll go through the list of maintenance items listed in your link later this evening. We've had 2 other mechanics call in sick where I work the last 2 nights and I've been working my *censored* off keeping all the extra machinery running by myself. And without much sleep the last few days, I won't be able to stay awake long enough to get all the maintenance steps done, not right anyway lol.
Wow, we've spent a lot of time working on this AntiVirusGold thing which looks like nothing to worry about anyway. It has been a real good learning experience for me.
Thanks again!
BTW, is there a link to contribute a donation to this board? It's been very helpful to me a few times and since it doesn't have a bunch of advertisements bothering everything, I figure I should help out with the operations. :)
later,
Mike

            evilfantasy

            Glad everything is getting back to normal :) Sometimes the simple ones turn into real beasts when the layers begin to get un-peeled!

            We don't accept donations and I did ask this question once to the owner Nathan. Here is his response.

            Please refer users who're wanting to donate to the below link:

            http://www.computerhope.com/issues/ch000586.htm

            Although I've accepted donations in the past I originally created Computer Hope to help users and not make millions. The money I make from Google is enough to support me and Computer Hope and keep the site free without the need of donations.

            Let me know if there is anything else. I am sort of wondering about Noadware now. I don't think it is bad, but they shouldn't be flagging AVG as malicious. Spybot should get anything that is left over though.

            Cheers.

            lectrocrew

            My computer was running fine at the time I last posted, but over the last few days has become really slow again. Web surfing speed is intermittent. One minute it loads the page very quickly, then on the next click it times out and gives me the message below:
             Internet Explorer cannot display the webpage

               Most likely causes:
            You are not connected to the Internet.
            The website is encountering problems.
            There might be a typing error in the address.

               What you can try:
                 Diagnose Connection Problems

                 More information

            -------------------
            My wireless connection is "Very Good / 54 Mbps"
            There are 2 other computers in the house on this DSL connection, {1 wired / 1 wireless}. They have normal, consistent browsing speed.
            Since I installed various new hardware devices back around early March, {250 Gb internal drive, 320 Gb external drive, 1Gb x 2 SDRAM, NVidia graphics card, CD-RW drive, DVD-RW drive, etc.}, my browsing speed has been fast and consistent. It wasn't until I found this AntiVirusGold etc. that I started having slow performance problems. I'm not saying the AntiVirusGold is the culprit, nor any other virus / spyware etc., but possibly something I did during the process of investigating this.

             Since I last posted I have
             performed the maintenance tasks listed in your guide,
             purchased the MBAM software paid version,
             re-installed Spybot,
             un-installed AVG8 then re-installed AVG 7.5 with no improvement, then un-installed AVG 7.5 / installed AVG8, {AVG had broken / partial fonts in the scan log results. After re-installing AVG8 this is still happening.} I don't see how to 'copy paste' or 'save as' a scan log for AVG?
             un-installed NoAdware,
             installed Windows Defender,

             Something else I've noticed on my computer is: the image I'm supposed to see on the Java test page does not show up as it is supposed to, but on the 'verify installation' page it says,
            Verified Java Version

            "Congratulations!
             
            You have the recommended Java installed (1.6.0_06)."
            -----------------------
            ALSO,
            Somewhere along the way while investigating that AntiVirusGold I came up with an eBay icon on my desktop. I did not click on it because I was suspicious, and when I scanned with MBAM on 4-22-08 it found:
            "Files Infected:
            C:\Documents and Settings\Owner\Application Data\Desktopicon\eBayShortcuts.exe (Trojan.Agent)"
            But even after MBAM was supposed to have removed this eBay threat, I still had an eBay shortcut in my quick launch taskbar. I right clicked on it and tried to delete it, but it did not give me a drop-down menu with a delete option. Then I dragged it to my desktop and tried to delete it there with the same result. It is still there. How do I get rid of this safely?

            MBAM scan log for 4-22-08 below followed by most recent scan log:
            =======================
            Malwarebytes' Anti-Malware 1.11
            Database version: 670

            Scan type: Full Scan (C:\|F:\|L:\|)
            Objects scanned: 130316
            Time elapsed: 48 minute(s), 56 second(s)

            Memory Processes Infected: 0
            Memory Modules Infected: 0
            Registry Keys Infected: 0
            Registry Values Infected: 0
            Registry Data Items Infected: 0
            Folders Infected: 0
            Files Infected: 1

            Memory Processes Infected:
            (No malicious items detected)

            Memory Modules Infected:
            (No malicious items detected)

            Registry Keys Infected:
            (No malicious items detected)

            Registry Values Infected:
            (No malicious items detected)

            Registry Data Items Infected:
            (No malicious items detected)

            Folders Infected:
            (No malicious items detected)

            Files Infected:
            C:\Documents and Settings\Owner\Application Data\Desktopicon\eBayShortcuts.exe (Trojan.Agent) -> Quarantined and deleted successfully.


            ========================
            SUPERAntiSpyware and MBAM log for today attached:
            [recovering space - attachment deleted by admin]
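The MBAM log pasted above has a regular shape (summary counts, then one section per category, each listing either "(No malicious items detected)" or one detection per line). The following is an added example, not part of the thread or of Malwarebytes' own tooling: a small parser that turns such a log into a summary and cross-checks the count header against the detections actually listed. The sample log is constructed from the format shown in the post.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into a summary dict (added example)."""
import re

# Constructed sample, modelled on the log format pasted in the thread (not a real scan).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.11
Database version: 670

Scan type: Full Scan (C:\|F:\|L:\|)
Objects scanned: 130316
Time elapsed: 48 minute(s), 56 second(s)

Memory Processes Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\Application Data\Desktopicon\eBayShortcuts.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "Files Infected: 1" style summary line -> (category, count)
COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
# "<path> (<detection name>) -> <action taken>." style detection line
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^)]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return database version, per-category counts and the individual detections."""
    summary = {"database_version": None, "counts": {}, "detections": []}
    section = None  # category whose detail block we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Database version:"):
            summary["database_version"] = int(line.split(":", 1)[1])
            continue
        m = COUNT_RE.match(line)
        if m:  # summary block: "Category Infected: N"
            summary["counts"][m.group(1)] = int(m.group(2))
            section = None
            continue
        if line.endswith("Infected:"):  # detail block header: "Category Infected:"
            section = line[:-1]
            continue
        if section is not None and line != "(No malicious items detected)":
            m = DETECTION_RE.match(line)
            if m:
                summary["detections"].append({"section": section, **m.groupdict()})
    return summary


def counts_match_detections(summary):
    """True if every category's count header equals the number of detections listed for it."""
    found = {}
    for d in summary["detections"]:
        found[d["section"]] = found.get(d["section"], 0) + 1
    return all(found.get(sec, 0) == n for sec, n in summary["counts"].items())
```

A mismatch between the summary count and the listed detections is the first thing to look for when a log arrives truncated or with the "broken / partial fonts" the poster mentions for AVG.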

            lectrocrew

              Topic Starter


              Mentor

            SUPERAntiSpyware log attached

            [recovering space - attachment deleted by admin]

            evilfantasy

            A few questions.

            Is there an entry in add/remove programs that is related to the new eBay icon?
            Have you tried to delete it in safe mode?
            Are the other computers running AVG as well?

            Download Panda Anti-Rootkit.zip
            Unzip it and run the PAVARK.exe file.
            Tick the box that says In depth scan and follow the on screen instructions.
            Let me know the results in your reply and also post a new Hijackthis log.

            lectrocrew

              Topic Starter


              Mentor

            Quote
            A few questions.

            Is there an entry in add/remove programs that is related to the new eBay icon?
            No. FYI, I did find another program that I missed earlier that I don't remember installing, "WebEx", so I un-installed it.
            Quote
            Have you tried to delete it in safe mode?
            I had not tried deleting in safe mode yet but did try this morning and the eBay icon did delete.
            Quote
            Are the other computers running AVG as well?
            The wired desktop computer is running AVG, the wired / wireless notebook is running Trend Micro.

            Quote
            Download Panda Anti-Rootkit.zip
            Unzip it and run the PAVARK.exe file.
            Tick the box that says In depth scan and follow the on screen instructions.
            Let me know the results in your reply and also post a new Hijackthis log.
            The first HJT log is from last night before deleting the eBay icon, the 2nd HJT log is from today after deleting the eBay icon. PAVARK is also after deleting the eBay icon.
            I have not deleted anything yet with HJT.
            -----------------
            Panda results = scanned 4785 items / rootkits detected  0
            -----------------
            BTW, I've surfed several sites after re-starting and performance seems to be doing extremely well so far.


            [recovering space - attachment deleted by admin]

            lectrocrew

              Topic Starter


              Mentor

            Quote from: evilfantasy
            Is there an entry in add/remove programs that is related to the new eBay icon?
            Quote from: lectrocrew
            No. FYI, I did find another program that I missed earlier that I don't remember installing, "WebEx", so I un-installed it.
            Never mind. I googled it and it is software provided by Cisco, which is the parent company of Linksys, the manufacturer of my wireless router, adapter and print server. I evidently installed it when installing software for one of these devices.

            evilfantasy

            Is there an entry in add/remove for Logitech Desktop Messenger? There are again multiple entries in the HJT log for this and it is unnecessary. Other than that it all looks OK.

            lectrocrew

              Topic Starter


              Mentor

            Yes, it was available in 'Add Remove Programs' and I removed it. My Logitech Bluetooth wireless keyboard and mouse still work fine after re-start so I guess I don't need Logitech Messenger anyway.

            I have a few questions about some of the software I'm using so I'll be posting those in the appropriate section sometime soon, if I ever get a night off work {working 7 nights}.
            Well, thanks again to this board and for your time and expertise!

            evilfantasy

            No problem.