• Welcome Guest, to the Spybot Forums! It's 2025, and we just upgraded our forum software.

    Today is Safer Internet Day, and with our new forum, you can finally use passkeys to login. That was about time!

    Of course, you could ask if a forum is still useful, with so many social media networks out there where you might already have an account, and met a lot of users. You can now use your login from some of those networks to log in here. And by posting here, your question and data is stored on our servers and not automatically shared with a whole social media network.

    We'll also start using the forum for small bits of information, announcements and more again.

Can't install ANYTHING!

S

sjeartc

New member
Hope someone can give me an alternative to reformatting my hard-drive.
I can't re-install Spybot after a bug appeared to crash it, (I get the message "Server name or address could not be resolved".)
Also can't install HJT to supply a log, or Windows Malicious Software Removal Tool, Malwarebytes or Adaware
HELP PLEASE!
 
Hi sjeartc

Please try to rename HijackThis installer and let me know if it helped.
 
Still no luck

Thanks for getting back to me Shaba.

I have tried renaming the HJT exe (and also tried renaming the folder and saving elsewhere under a different name.) Still won't run even after it appears to install.

(It now also seems to have taken over my administrator rights in Nero, and won't recognise my burning rights, and has started highjacking website links to related search pages.)
 
So let's try this:

Download gmer.zip and save to your desktop.
alternate download site
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other unning programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE"
Important! Please do not select the "Show all" checkbox during the scan.

If it doesn't run, try to rename it and run in safe mode.
 
GMER Log

Hi Again Shaba.
Gmer ran.
File is below:
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-25 23:46:50
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF774987E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7749BFE]

Code 84BE26F0 ZwEnumerateKey
Code 84BE2888 ZwFlushInstructionCache
Code 84BE0716 IofCallDriver
Code 84BDFB16 IofCompleteRequest
Code 84BE2CED ZwSaveKey
Code 84BE392D ZwSaveKeyEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwSaveKey 804DD6E8 5 Bytes JMP 84BE2CF2
.text ntoskrnl.exe!ZwSaveKeyEx 804DD6FC 5 Bytes JMP 84BE3932
.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 84BE071B
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 84BDFB1B
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 84BE26F4
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 84BE288C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----
 
Looks like a potential candidate of MBR rootkit.

Please download MBR.EXE by GMER. Save it to your desktop.
  1. Double click on mbr.exe to execute.
    If you recieve the "Publisher could not be verified" security warning, please press Run.
  2. A black CMD prompt window will open and close quickly, this is expected and normal.
    Upon completion, a file will be created on your desktop named "mbr.log"
  3. Double click the "mbr.log" file and Notepad should open.
  4. Copy and paste the contents of the files mbr.log in your next reply.
 
Mbr ran

Thanks Shaba. (this file doesn't seem to say much though)

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
BIOS signateure not found
 
It actually tells that you don't likely have MBR rootkit.

Let's see if you can run this:

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following reports in your next reply:

DDS.txt
Attach.txt]
 
Dds done

Hi again Shaba (I really appreciate your time here.)
I did not get the 'Optional Scan' message but the 2 files are below:

*****
DDS (Ver_09-06-26.01) - NTFSx86
Run by Shaun at 0:38:37.56 on Sun 26/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.152 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Safari\Safari.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Shaun.NONE-9CBF599228\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://www.google.com.au/
uWindow Title =
uSearch Bar =
mWindow Title =
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com.au/
mSearchAssistant =
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
uRun: [Google Update] "c:\documents and settings\shaun.none-9cbf599228\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [VTTimer] VTTimer.exe
mRun: [RaidTool] c:\program files\via\raid\raid_tool.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [RemoteControl] "c:\program files\asustek\asusdvd\PDVDServ.exe"
mExplorerRun: [Lsass Service] c:\documents and settings\shaun.none-9cbf599228\application data\microsoft\windows\lsass.exe
StartupFolder: c:\docume~1\shaun~1.non\startm~1\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\documents and settings\shaun.none-9cbf599228\start menu\startup\OpenOffice.org 2.4.lnk.disabled
StartupFolder: c:\documents and settings\all users.windows\start menu\programs\startup\WinZip Quick Pick.lnk.disabled
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183342295500
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.191,85.255.112.78
TCP: {33B9378C-6384-41B3-89B1-294DDA944591} = 85.255.112.191,85.255.112.78
TCP: {654C3BDA-9AA7-40B9-B32B-7BE24EE8E496} = 85.255.112.191,85.255.112.78
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: c008249A - c008249A.mat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shaun~1.non\applic~1\mozilla\firefox\profiles\0fd3czad.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - SweetIM Search
FF - prefs.js: browser.startup.homepage - hxxp://home.sweetim.com
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\shaun.none-9cbf599228\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-19 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-3 327688]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-3 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-3 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-4 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-3 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-4 1029456]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-4 13592]

=============== Created Last 30 ================

2009-07-25 22:44 <DIR> --d----- c:\program files\HJTHS
2009-07-25 22:42 <DIR> --d----- c:\program files\HJTHIS
2009-07-25 22:39 69 a------- c:\windows\NeroDigital.ini
2009-07-25 19:45 2,916,352 -------- c:\windows\UNNMP.exe
2009-07-25 19:45 49,883 -------- c:\windows\UNNMP.cfg
2009-07-25 19:39 123,452 -------- c:\windows\UNNeroVision.cfg
2009-07-25 19:39 2,969,600 -------- c:\windows\UNNeroVision.exe
2009-07-25 19:38 364,544 -------- c:\windows\system32\TwnLib4.dll
2009-07-25 19:38 1,568,768 -------- c:\windows\system32\ImagX7.dll
2009-07-25 19:38 476,320 -------- c:\windows\system32\ImagXpr7.dll
2009-07-25 19:38 471,040 -------- c:\windows\system32\ImagXRA7.dll
2009-07-25 19:38 262,144 -------- c:\windows\system32\ImagXR7.dll
2009-07-25 17:38 23,936 -------- c:\windows\UNNeroBurnRights.cfg
2009-07-25 17:38 65,536 a------- c:\windows\system32\NeroCo.dll
2009-07-25 17:38 57,344 a------- c:\windows\system32\NeroBurnRights.cpl
2009-07-25 17:38 2,031,616 -------- c:\windows\UNNeroBurnRights.exe
2009-07-19 23:59 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-19 23:00 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-19 22:59 <DIR> -cd-h--- c:\docume~1\alluse~1.win\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-19 20:09 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\STOPzilla!
2009-07-19 18:20 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-19 18:20 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-19 18:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 18:20 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-07-19 18:02 <DIR> --d----- c:\program files\hthis
2009-07-19 00:22 54,156 a---h--- c:\windows\QTFont.qfn
2009-07-19 00:22 1,409 a------- c:\windows\QTFont.for
2009-07-09 20:05 <DIR> --dsh--- c:\documents and settings\shaun.none-9cbf599228\IECompatCache
2009-07-07 16:16 <DIR> --dsh--- c:\documents and settings\shaun.none-9cbf599228\PrivacIE
2009-07-06 21:09 <DIR> --dsh--- c:\documents and settings\shaun.none-9cbf599228\IETldCache
2009-07-06 15:09 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-07-06 15:09 <DIR> --d----- c:\windows\ie8updates
2009-07-06 15:07 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-07-06 15:07 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-07-06 15:04 <DIR> -cd-h--- c:\windows\ie8
2009-07-04 14:09 <DIR> --d----- c:\docume~1\shaun~1.non\applic~1\Uniblue
2009-06-28 22:03 <DIR> --d----- c:\program files\CCleaner
2009-06-26 07:21 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\AVG Security Toolbar

==================== Find3M ====================

2009-06-26 07:20 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-26 07:20 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-17 00:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-17 00:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-04 05:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-25 19:37 160,593 a------- c:\windows\Sqirlz Water Reflections Uninstaller.exe
2009-05-13 15:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-08 01:32 345,600 a------- c:\windows\system32\localspl.dll
2007-07-01 18:48 1,174,596 a------- c:\docume~1\shaun~1.non\applic~1\Install.dat
2003-10-08 15:07 545,792 a------- c:\program files\CRW5224AU_137.exe

============= FINISH: 0:39:05.15 ===============
*****


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 3/06/2007 6:36:58 PM
System Uptime: 25/07/2009 8:12:18 PM (4 hours ago)

Motherboard: | | P4VM800
Processor: Intel(R) Celeron(R) CPU 2.66GHz | CPUSocket | 2666/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 14.891 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 20/07/2009 1:54:31 AM - System Checkpoint
RP2: 21/07/2009 2:06:04 AM - System Checkpoint
RP3: 22/07/2009 1:00:14 AM - Software Distribution Service 3.0
RP4: 23/07/2009 1:07:10 AM - System Checkpoint
RP5: 25/07/2009 6:44:46 PM - Removed Nero - Burning Rom
RP6: 25/07/2009 6:46:48 PM - Removed Nero - Burning Rom
RP7: 25/07/2009 6:48:54 PM - Removed Nero - Burning Rom

==== Installed Programs ======================

µTorrent
ACDSee for PENTAX 3.0
Ad-Aware
Adobe Acrobat 5.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.4
Adobe Stock Photos 1.0
Alien Skin Xenofex 2.0
AnvSoft Flash to Video Converter 1.2.2
Apple Mobile Device Support
ArcSoft PhotoStudio 2000
ASUSDVD
AutoUpdate
AVG 8.5
Belarc Advisor 7.2
Bink and Smacker
Bonjour
BufferChm
C-Media 3D Audio
Caere Scan Manager 5.1
Canon CanoCraft CS-P 3.8
Canon ScanGear Toolbox CS 2.2
CCleaner (remove only)
CCScore
CoffeeCup Free FTP 4.0.1
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Panorama1Config
cp_PosterPrintConfig
cp_PrintOnCDConfig
cp_UpdateProjectsConfig
CueTour
CustomerResearchQFolder
D6100
D6100_D7100_D7300_Help
DeviceManagementQFolder
Digital Locker Assistant
DivX Converter
DivX Player
DivX Web Player
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
eSupportQFolder
Extensis PhotoTools 2.0
Eye Candy 3
fflink
Free Video to Flash Converter version 3.1
FullDPAppQFolder
Google Chrome
Google Earth
Google Updater
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Photosmart and Deskjet 7.0 Software
HP Photosmart Essential
HP Photosmart Premier Software 6.5
HP Solution Center 7.0
HP Update
hph_ProductContext
hph_readme
hph_software
hph_software_req
HPPhotoSmartExpress
HPProductAssistant
InstantShareDevices
InstantShareDevicesMFC
iTunes
Java(TM) 6 Update 3
Java(TM) 6 Update 4
Java(TM) 6 Update 5
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
LightScribe 1.4.39.1
Macromedia Contribute 3.11
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks 8
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia HomeSite+
Malwarebytes' Anti-Malware
MarketResearch
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Publisher 2000 SR-1
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero BurnRights
Nero Suite
netbrdg
Netscape Navigator (9.0.0.6)
OfotoXMI
OmniPage Pro 9.0
OpenOffice.org 2.4
Opera 9.52
OptionalContentQFolder
Painter 6
PanoStandAlone
PhotoGallery
Picasa 2
Platform
QuickTime
RandMap
S3GSetup
Safari
SC Audio Converter 7.4.0.2
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
SFR
SHASTA
skin0001
SkinsHP1
SKINXSDK
SlideShow
SlideShowMusic
SolutionCenter
Sonic_PrimoSDK
Sqirlz Water Reflections
staticcr
Status
Toolbox
tooltips
TopStyle Lite (Version 3.0)
TrayApp
Ulead DVD MovieFactory 4.0 SE
Ulead Particle.Plugin 1.0
Uninstall 1.0.0.0
Unload
Update for Windows Internet Explorer 8 (KB971930)
VIA Platform Device Manager
VIA/S3G Display Driver
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VPRINTOL
WebFldrs XP
WebReg
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows Movie Maker 2.0
Windows XP Service Pack 3
WinZip 12.1
WIRELESS

==== Event Viewer Messages From Past Week ========

25/07/2009 9:56:04 PM, error: Dhcp [1002] - The IP address lease 192.168.100.11 for the Network Card with network address 00111A6C20BE has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
25/07/2009 9:00:00 AM, error: Schedule [7901] - The At10.job command failed to start due to the following error: %%2147942402
25/07/2009 8:00:00 AM, error: Schedule [7901] - The At9.job command failed to start due to the following error: %%2147942402
25/07/2009 7:00:00 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: %%2147942402
25/07/2009 6:52:14 PM, error: ipnathlp [32003] - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
25/07/2009 6:48:55 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
25/07/2009 6:00:00 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402
25/07/2009 6:00:00 AM, error: Schedule [7901] - The At7.job command failed to start due to the following error: %%2147942402
25/07/2009 5:00:00 PM, error: Schedule [7901] - The At18.job command failed to start due to the following error: %%2147942402
25/07/2009 5:00:00 AM, error: Schedule [7901] - The At6.job command failed to start due to the following error: %%2147942402
25/07/2009 4:00:00 PM, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402
25/07/2009 4:00:00 AM, error: Schedule [7901] - The At5.job command failed to start due to the following error: %%2147942402
25/07/2009 3:00:00 PM, error: Schedule [7901] - The At16.job command failed to start due to the following error: %%2147942402
25/07/2009 3:00:00 AM, error: Schedule [7901] - The At4.job command failed to start due to the following error: %%2147942402
25/07/2009 2:00:00 PM, error: Schedule [7901] - The At15.job command failed to start due to the following error: %%2147942402
25/07/2009 2:00:00 AM, error: Schedule [7901] - The At3.job command failed to start due to the following error: %%2147942402
25/07/2009 12:44:00 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: General access denied error
25/07/2009 12:00:00 PM, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402
25/07/2009 11:00:00 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: %%2147942402
25/07/2009 10:00:00 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402
25/07/2009 1:00:00 PM, error: Schedule [7901] - The At14.job command failed to start due to the following error: %%2147942402
25/07/2009 1:00:00 AM, error: Schedule [7901] - The At2.job command failed to start due to the following error: %%2147942402
24/07/2009 9:00:00 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402
24/07/2009 8:00:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402
24/07/2009 7:00:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402
24/07/2009 11:00:00 PM, error: Schedule [7901] - The At24.job command failed to start due to the following error: %%2147942402
24/07/2009 10:00:00 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402
23/07/2009 8:41:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
23/07/2009 8:29:11 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
23/07/2009 8:27:00 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
23/07/2009 8:26:01 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX BANTExt Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
23/07/2009 8:26:01 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
23/07/2009 8:26:01 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
23/07/2009 8:26:01 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
23/07/2009 8:26:01 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
23/07/2009 8:26:01 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

==== End Of File ===========================
 
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent

I'd like you to read the this thread.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Please run a new DDS scan when finished and post the logs back here.
 
UTorrent uninstalled

Hi Shaba. I just got back to my PC.
I have uninstalled U.Torrent.
DDS.txt and Attach.txt follow:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Shaun at 12:51:47.92 on Sun 26/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.120 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Safari\Safari.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Shaun.NONE-9CBF599228\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://www.google.com.au/
uWindow Title =
uSearch Bar =
mWindow Title =
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com.au/
mSearchAssistant =
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
uRun: [Google Update] "c:\documents and settings\shaun.none-9cbf599228\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [VTTimer] VTTimer.exe
mRun: [RaidTool] c:\program files\via\raid\raid_tool.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [RemoteControl] "c:\program files\asustek\asusdvd\PDVDServ.exe"
mExplorerRun: [Lsass Service] c:\documents and settings\shaun.none-9cbf599228\application data\microsoft\windows\lsass.exe
StartupFolder: c:\docume~1\shaun~1.non\startm~1\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\documents and settings\shaun.none-9cbf599228\start menu\startup\OpenOffice.org 2.4.lnk.disabled
StartupFolder: c:\documents and settings\all users.windows\start menu\programs\startup\WinZip Quick Pick.lnk.disabled
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183342295500
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.191,85.255.112.78
TCP: {33B9378C-6384-41B3-89B1-294DDA944591} = 85.255.112.191,85.255.112.78
TCP: {654C3BDA-9AA7-40B9-B32B-7BE24EE8E496} = 85.255.112.191,85.255.112.78
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: c008249A - c008249A.mat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shaun~1.non\applic~1\mozilla\firefox\profiles\0fd3czad.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - SweetIM Search
FF - prefs.js: browser.startup.homepage - hxxp://home.sweetim.com
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\shaun.none-9cbf599228\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-19 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-3 327688]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-3 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-3 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-4 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-3 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-4 1029456]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-4 13592]

=============== Created Last 30 ================

2009-07-25 22:44 <DIR> --d----- c:\program files\HJTHS
2009-07-25 22:42 <DIR> --d----- c:\program files\HJTHIS
2009-07-25 22:39 69 a------- c:\windows\NeroDigital.ini
2009-07-25 19:45 2,916,352 -------- c:\windows\UNNMP.exe
2009-07-25 19:45 49,883 -------- c:\windows\UNNMP.cfg
2009-07-25 19:39 123,452 -------- c:\windows\UNNeroVision.cfg
2009-07-25 19:39 2,969,600 -------- c:\windows\UNNeroVision.exe
2009-07-25 19:38 364,544 -------- c:\windows\system32\TwnLib4.dll
2009-07-25 19:38 1,568,768 -------- c:\windows\system32\ImagX7.dll
2009-07-25 19:38 476,320 -------- c:\windows\system32\ImagXpr7.dll
2009-07-25 19:38 471,040 -------- c:\windows\system32\ImagXRA7.dll
2009-07-25 19:38 262,144 -------- c:\windows\system32\ImagXR7.dll
2009-07-25 17:38 23,936 -------- c:\windows\UNNeroBurnRights.cfg
2009-07-25 17:38 65,536 a------- c:\windows\system32\NeroCo.dll
2009-07-25 17:38 57,344 a------- c:\windows\system32\NeroBurnRights.cpl
2009-07-25 17:38 2,031,616 -------- c:\windows\UNNeroBurnRights.exe
2009-07-19 23:59 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-19 23:00 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-19 22:59 <DIR> -cd-h--- c:\docume~1\alluse~1.win\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-19 20:09 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\STOPzilla!
2009-07-19 18:20 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-19 18:20 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-19 18:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 18:20 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-07-19 18:02 <DIR> --d----- c:\program files\hthis
2009-07-19 00:22 54,156 a---h--- c:\windows\QTFont.qfn
2009-07-19 00:22 1,409 a------- c:\windows\QTFont.for
2009-07-09 20:05 <DIR> --dsh--- c:\documents and settings\shaun.none-9cbf599228\IECompatCache
2009-07-07 16:16 <DIR> --dsh--- c:\documents and settings\shaun.none-9cbf599228\PrivacIE
2009-07-06 21:09 <DIR> --dsh--- c:\documents and settings\shaun.none-9cbf599228\IETldCache
2009-07-06 15:09 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-07-06 15:09 <DIR> --d----- c:\windows\ie8updates
2009-07-06 15:07 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-07-06 15:07 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-07-06 15:04 <DIR> -cd-h--- c:\windows\ie8
2009-07-04 14:09 <DIR> --d----- c:\docume~1\shaun~1.non\applic~1\Uniblue
2009-06-28 22:03 <DIR> --d----- c:\program files\CCleaner

==================== Find3M ====================

2009-06-26 07:20 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-26 07:20 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-17 00:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-17 00:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-04 05:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-25 19:37 160,593 a------- c:\windows\Sqirlz Water Reflections Uninstaller.exe
2009-05-13 15:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-08 01:32 345,600 a------- c:\windows\system32\localspl.dll
2007-07-01 18:48 1,174,596 a------- c:\docume~1\shaun~1.non\applic~1\Install.dat
2003-10-08 15:07 545,792 a------- c:\program files\CRW5224AU_137.exe

============= FINISH: 12:52:39.03 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 3/06/2007 6:36:58 PM
System Uptime: 25/07/2009 8:12:18 PM (16 hours ago)

Motherboard: | | P4VM800
Processor: Intel(R) Celeron(R) CPU 2.66GHz | CPUSocket | 2666/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 14.898 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 20/07/2009 1:54:31 AM - System Checkpoint
RP2: 21/07/2009 2:06:04 AM - System Checkpoint
RP3: 22/07/2009 1:00:14 AM - Software Distribution Service 3.0
RP4: 23/07/2009 1:07:10 AM - System Checkpoint
RP5: 25/07/2009 6:44:46 PM - Removed Nero - Burning Rom
RP6: 25/07/2009 6:46:48 PM - Removed Nero - Burning Rom
RP7: 25/07/2009 6:48:54 PM - Removed Nero - Burning Rom

==== Installed Programs ======================

ACDSee for PENTAX 3.0
Ad-Aware
Adobe Acrobat 5.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.4
Adobe Stock Photos 1.0
Alien Skin Xenofex 2.0
AnvSoft Flash to Video Converter 1.2.2
Apple Mobile Device Support
ArcSoft PhotoStudio 2000
ASUSDVD
AutoUpdate
AVG 8.5
Belarc Advisor 7.2
Bink and Smacker
Bonjour
BufferChm
C-Media 3D Audio
Caere Scan Manager 5.1
Canon CanoCraft CS-P 3.8
Canon ScanGear Toolbox CS 2.2
CCleaner (remove only)
CCScore
CoffeeCup Free FTP 4.0.1
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Panorama1Config
cp_PosterPrintConfig
cp_PrintOnCDConfig
cp_UpdateProjectsConfig
CueTour
CustomerResearchQFolder
D6100
D6100_D7100_D7300_Help
DeviceManagementQFolder
Digital Locker Assistant
DivX Converter
DivX Player
DivX Web Player
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
eSupportQFolder
Extensis PhotoTools 2.0
Eye Candy 3
fflink
Free Video to Flash Converter version 3.1
FullDPAppQFolder
Google Chrome
Google Earth
Google Updater
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Photosmart and Deskjet 7.0 Software
HP Photosmart Essential
HP Photosmart Premier Software 6.5
HP Solution Center 7.0
HP Update
hph_ProductContext
hph_readme
hph_software
hph_software_req
HPPhotoSmartExpress
HPProductAssistant
InstantShareDevices
InstantShareDevicesMFC
iTunes
Java(TM) 6 Update 3
Java(TM) 6 Update 4
Java(TM) 6 Update 5
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
LightScribe 1.4.39.1
Macromedia Contribute 3.11
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks 8
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia HomeSite+
Malwarebytes' Anti-Malware
MarketResearch
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Publisher 2000 SR-1
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero BurnRights
Nero Suite
netbrdg
Netscape Navigator (9.0.0.6)
OfotoXMI
OmniPage Pro 9.0
OpenOffice.org 2.4
Opera 9.52
OptionalContentQFolder
Painter 6
PanoStandAlone
PhotoGallery
Picasa 2
Platform
QuickTime
RandMap
S3GSetup
Safari
SC Audio Converter 7.4.0.2
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 8 (KB969897)
SFR
SHASTA
skin0001
SkinsHP1
SKINXSDK
SlideShow
SlideShowMusic
SolutionCenter
Sonic_PrimoSDK
Sqirlz Water Reflections
staticcr
Status
Toolbox
tooltips
TopStyle Lite (Version 3.0)
TrayApp
Ulead DVD MovieFactory 4.0 SE
Ulead Particle.Plugin 1.0
Uninstall 1.0.0.0
Unload
Update for Windows Internet Explorer 8 (KB971930)
VIA Platform Device Manager
VIA/S3G Display Driver
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VPRINTOL
WebFldrs XP
WebReg
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows Movie Maker 2.0
Windows XP Service Pack 3
WinZip 12.1
WIRELESS

==== Event Viewer Messages From Past Week ========

25/07/2009 9:56:04 PM, error: Dhcp [1002] - The IP address lease 192.168.100.11 for the Network Card with network address 00111A6C20BE has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
25/07/2009 9:00:00 AM, error: Schedule [7901] - The At10.job command failed to start due to the following error: %%2147942402
25/07/2009 8:00:00 AM, error: Schedule [7901] - The At9.job command failed to start due to the following error: %%2147942402
25/07/2009 7:00:00 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: %%2147942402
25/07/2009 6:52:14 PM, error: ipnathlp [32003] - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
25/07/2009 6:48:55 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
25/07/2009 6:00:00 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402
25/07/2009 6:00:00 AM, error: Schedule [7901] - The At7.job command failed to start due to the following error: %%2147942402
25/07/2009 5:00:00 PM, error: Schedule [7901] - The At18.job command failed to start due to the following error: %%2147942402
25/07/2009 5:00:00 AM, error: Schedule [7901] - The At6.job command failed to start due to the following error: %%2147942402
25/07/2009 4:00:00 PM, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402
25/07/2009 4:00:00 AM, error: Schedule [7901] - The At5.job command failed to start due to the following error: %%2147942402
25/07/2009 3:00:00 PM, error: Schedule [7901] - The At16.job command failed to start due to the following error: %%2147942402
25/07/2009 3:00:00 AM, error: Schedule [7901] - The At4.job command failed to start due to the following error: %%2147942402
25/07/2009 2:00:00 PM, error: Schedule [7901] - The At15.job command failed to start due to the following error: %%2147942402
25/07/2009 2:00:00 AM, error: Schedule [7901] - The At3.job command failed to start due to the following error: %%2147942402
25/07/2009 12:44:00 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: General access denied error
25/07/2009 12:00:00 PM, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402
25/07/2009 11:00:00 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: %%2147942402
25/07/2009 10:00:00 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402
25/07/2009 1:00:00 PM, error: Schedule [7901] - The At14.job command failed to start due to the following error: %%2147942402
25/07/2009 1:00:00 AM, error: Schedule [7901] - The At2.job command failed to start due to the following error: %%2147942402
24/07/2009 9:00:00 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402
24/07/2009 8:00:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402
24/07/2009 7:00:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402
24/07/2009 11:00:00 PM, error: Schedule [7901] - The At24.job command failed to start due to the following error: %%2147942402
24/07/2009 10:00:00 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402
23/07/2009 8:41:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
23/07/2009 8:29:11 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
23/07/2009 8:27:00 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
23/07/2009 8:26:01 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX BANTExt Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
23/07/2009 8:26:01 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
23/07/2009 8:26:01 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
23/07/2009 8:26:01 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
23/07/2009 8:26:01 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
23/07/2009 8:26:01 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

==== End Of File ===========================
 
We will continue with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
 
Combofix won't run.

Hi Shaba.
All firewalls, updaters, virus protection etc disabled, ....but Combofix exe won't run even if renamed.
 
Windows Recovery Console?

Sorry Shaba,
Combo fix needs Recovery Console and I can't download it in Safe Mode.
Do you have a download location for me?
 
Combo Fix complete

Hi Again Shaba.
Combofix has now run. (Sorry it took so long.)
Log file follows:

ComboFix 09-07-25.04 - Shaun 26/07/2009 22:31.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.126 [GMT 10:00]
Running from: c:\documents and settings\Shaun.NONE-9CBF599228\Desktop\fixCom.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Shaun.NONE-9CBF599228\Application Data\Install.dat
c:\recycler\S-1-5-21-1844237615-299502267-725345543-1004
c:\windows\Installer\1ee7b0b8.msi
c:\windows\Installer\6046953.msp
c:\windows\Installer\ad6451e.msp
c:\windows\Installer\WMEncoder.msi
c:\windows\system32\drivers\ESQULewbodkbwesplxwqbpfmfrqrdnemivkkf.sys
c:\windows\system32\ESQULhlwnpxrunkxhhopilwievxmbruddvisn.dll
c:\windows\system32\ESQULqwevpeoowqjwgjquhimrflnyitswyije.dll
c:\windows\system32\ESQULzcounter
c:\windows\system32\mdm.exe
c:\windows\system32\xpysys.dll


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ESQULserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-26 to 2009-07-26 )))))))))))))))))))))))))))))))
.

2009-07-25 12:44 . 2009-07-25 12:44 -------- d-----w- c:\program files\HJTHS
2009-07-25 12:42 . 2009-07-25 12:45 -------- d-----w- c:\program files\HJTHIS
2009-07-25 09:45 . 2005-04-20 11:32 2916352 ------w- c:\windows\UNNMP.exe
2009-07-25 09:39 . 2005-07-01 13:56 2969600 ------w- c:\windows\UNNeroVision.exe
2009-07-25 09:38 . 2004-07-08 23:43 364544 ------w- c:\windows\system32\TwnLib4.dll
2009-07-25 09:38 . 2004-07-26 07:16 476320 ------w- c:\windows\system32\ImagXpr7.dll
2009-07-25 09:38 . 2004-07-26 07:16 471040 ------w- c:\windows\system32\ImagXRA7.dll
2009-07-25 09:38 . 2004-07-26 07:16 262144 ------w- c:\windows\system32\ImagXR7.dll
2009-07-25 09:38 . 2004-07-26 07:16 1568768 ------w- c:\windows\system32\ImagX7.dll
2009-07-25 09:38 . 2009-07-25 09:38 -------- d-----w- c:\program files\Common Files\Ahead
2009-07-25 09:38 . 2009-07-25 09:54 -------- d-----w- c:\program files\Ahead
2009-07-25 08:04 . 2009-07-25 08:04 137968 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-25 07:38 . 2004-08-05 05:58 65536 ----a-w- c:\windows\system32\NeroCo.dll
2009-07-25 07:38 . 2004-08-04 04:19 2031616 ------w- c:\windows\UNNeroBurnRights.exe
2009-07-20 13:00 . 2009-07-20 13:00 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
2009-07-19 15:08 . 2009-07-19 15:08 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
2009-07-19 13:59 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-19 13:00 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-19 12:59 . 2009-07-19 12:59 -------- dc-h--w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-19 12:59 . 2009-07-19 13:00 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\Lavasoft
2009-07-19 10:09 . 2009-07-19 10:23 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\STOPzilla!
2009-07-19 08:20 . 2009-07-13 03:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-19 08:20 . 2009-07-19 08:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 08:20 . 2009-07-19 08:20 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\Malwarebytes
2009-07-19 08:20 . 2009-07-13 03:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-19 08:02 . 2009-07-19 08:02 -------- d-----w- c:\program files\hthis
2009-07-18 07:25 . 2009-07-18 07:37 -------- d-----w- c:\documents and settings\Shaun.NONE-9CBF599228\Local Settings\Application Data\Temp
2009-07-17 05:32 . 2009-07-17 05:32 -------- d-----w- c:\documents and settings\Shaun.NONE-9CBF599228\Local Settings\Application Data\AVG Security Toolbar
2009-07-17 03:31 . 2009-07-19 05:58 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\Google Updater
2009-07-16 08:33 . 2009-07-16 08:33 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-07-16 07:37 . 2009-07-16 07:37 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-09 10:05 . 2009-07-09 10:05 -------- d-sh--w- c:\documents and settings\Shaun.NONE-9CBF599228\IECompatCache
2009-07-07 06:16 . 2009-07-07 06:16 -------- d-sh--w- c:\documents and settings\Shaun.NONE-9CBF599228\PrivacIE
2009-07-06 11:09 . 2009-07-06 11:09 -------- d-sh--w- c:\documents and settings\Shaun.NONE-9CBF599228\IETldCache
2009-07-06 05:09 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-06 05:09 . 2009-07-06 05:09 -------- d-----w- c:\windows\ie8updates
2009-07-06 05:07 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-06 05:07 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-06 05:04 . 2009-07-06 05:07 -------- dc-h--w- c:\windows\ie8
2009-07-04 04:09 . 2009-07-04 04:09 -------- d-----w- c:\documents and settings\Shaun.NONE-9CBF599228\Application Data\Uniblue
2009-06-28 12:03 . 2009-06-28 12:03 -------- d-----w- c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-26 02:50 . 2009-05-30 09:21 -------- d-----w- c:\documents and settings\Shaun.NONE-9CBF599228\Application Data\uTorrent
2009-07-25 12:57 . 2008-03-28 05:06 -------- d-----w- c:\documents and settings\Shaun.NONE-9CBF599228\Application Data\U3
2009-07-25 12:46 . 2008-11-08 04:47 -------- d-----w- c:\program files\Trend Micro
2009-07-19 12:59 . 2007-01-10 05:07 -------- d-----w- c:\program files\Lavasoft
2009-07-17 12:48 . 2008-05-05 13:07 -------- d-----w- c:\documents and settings\Shaun.NONE-9CBF599228\Application Data\OpenOffice.org2
2009-07-17 12:17 . 2008-05-05 13:09 1 ----a-w- c:\documents and settings\Shaun.NONE-9CBF599228\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-07-17 11:07 . 2008-05-03 05:28 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\avg8
2009-07-17 03:31 . 2007-04-06 13:15 -------- d-----w- c:\program files\Google
2009-07-17 03:29 . 2008-12-06 06:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-17 03:29 . 2007-06-03 12:34 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\Spybot - Search & Destroy
2009-07-11 05:40 . 2009-06-25 21:21 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\AVG Security Toolbar
2009-06-28 12:07 . 2009-03-26 11:37 -------- d-----w- c:\program files\Yahoo!
2009-06-25 21:21 . 2009-06-25 21:21 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\AVGTOOLBAR
2009-06-25 21:20 . 2008-05-03 05:29 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-25 21:20 . 2008-05-03 05:29 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-25 21:20 . 2008-05-03 05:29 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-24 12:57 . 2008-08-31 09:08 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\WinZip
2009-06-16 14:36 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2006-02-28 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 12:00 . 2009-06-03 11:54 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\DriverCure
2009-06-03 11:55 . 2009-06-03 11:55 -------- d-----w- c:\documents and settings\Shaun.NONE-9CBF599228\Application Data\DriverCure
2009-05-25 09:37 . 2009-05-25 09:37 160593 ----a-w- c:\windows\Sqirlz Water Reflections Uninstaller.exe
2009-05-13 05:15 . 2006-02-28 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-04 20:54 . 2008-05-03 05:29 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2003-10-08 05:07 . 2003-10-08 05:07 545792 ----a-w- c:\program files\CRW5224AU_137.exe
2008-12-02 20:12 . 2008-12-17 09:15 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 06:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Shaun.NONE-9CBF599228\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-01 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-17 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-06-20 1056768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-25 1948440]
"RemoteControl"="c:\program files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 32768]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-07 53248]

c:\documents and settings\Shaun\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-1-10 113664]

c:\documents and settings\Shaun.NONE-9CBF599228\Start Menu\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-1-10 113664]
OpenOffice.org 2.4.lnk.disabled [2008-5-5 870]

c:\docume~1\ALLUSE~1.WIN\STARTM~1\Programs\Startup\
WinZip Quick Pick.lnk.disabled [2008-1-10 1518]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-25 21:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSFox"=c:\docume~1\SHAUN~1.NON\LOCALS~1\Temp\xxx2558.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"NWEReboot"=
"VTTrayp"=VTtrayp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\CoffeeCup Software\\FreeFTPFree-4.0.1\\FreeFTP.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [19/07/2009 11:00 PM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/05/2008 3:29 PM 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/05/2008 3:29 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/07/2008 6:41 AM 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/05/2008 3:28 PM 298776]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [4/11/2006 12:19 PM 13592]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [4/07/2009 12:49 AM 1029456]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{EEE6C35D-6118-11DC-9C72-001320C79847} - (no file)
WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
HKLM-Explorer_Run-Lsass Service - c:\documents and settings\Shaun.NONE-9CBF599228\Application Data\Microsoft\Windows\lsass.exe
Notify-c008249A - c008249A.mat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
mWindow Title =
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com.au/
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\docume~1\SHAUN~1.NON\APPLIC~1\Mozilla\Firefox\Profiles\0fd3czad.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - SweetIM Search
FF - prefs.js: browser.startup.homepage - hxxp://home.sweetim.com
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Shaun.NONE-9CBF599228\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-26 22:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Lsass Service = c:\documents and settings\Shaun.NONE-9CBF599228\Application Data\Microsoft\Windows\lsass.exe???????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1644491937-362288127-1801674531-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2488)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-26 22:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-26 12:51

Pre-Run: 15,915,294,720 bytes free
Post-Run: 16,097,710,080 bytes free

249 --- E O F --- 2009-07-21 15:01
 
You must log in or register to reply here.
Back
Top