PDA

View Full Version : Can't install ANYTHING!



sjeartc
2009-07-23, 09:12
Hope someone can give me an alternative to reformatting my hard-drive.
I can't re-install Spybot after a bug appeared to crash it, (I get the message "Server name or address could not be resolved".)
Also can't install HJT to supply a log, or Windows Malicious Software Removal Tool, Malwarebytes or Adaware
HELP PLEASE!

Shaba
2009-07-24, 07:08
Hi sjeartc

Please try to rename HijackThis installer and let me know if it helped.

sjeartc
2009-07-25, 15:54
Thanks for getting back to me Shaba.

I have tried renaming the HJT exe (and also tried renaming the folder and saving elsewhere under a different name.) Still won't run even after it appears to install.

(It now also seems to have taken over my administrator rights in Nero, and won't recognise my burning rights, and has started highjacking website links to related search pages.)

Shaba
2009-07-25, 16:06
So let's try this:

Download gmer.zip (http://gmer.net/gmer.zip) and save to your desktop.
alternate download site (http://hype.free.googlepages.com/gmer.zip)

Unzip/extract the file to its own folder. (Click here (http://www.bleepingcomputer.com/tutorials/tutorial105.html) for information on how to do this if not sure. Win 2000 users click here (http://www.bleepingcomputer.com/tutorials/tutorial106.html).
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Click on the Rootkit tab.
Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on the "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other unning programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Note: If you have any problems, try running GMER in SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html)"
Important! Please do not select the "Show all" checkbox during the scan.

If it doesn't run, try to rename it and run in safe mode.

sjeartc
2009-07-25, 16:50
Hi Again Shaba.
Gmer ran.
File is below:
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-25 23:46:50
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF774987E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7749BFE]

Code 84BE26F0 ZwEnumerateKey
Code 84BE2888 ZwFlushInstructionCache
Code 84BE0716 IofCallDriver
Code 84BDFB16 IofCompleteRequest
Code 84BE2CED ZwSaveKey
Code 84BE392D ZwSaveKeyEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwSaveKey 804DD6E8 5 Bytes JMP 84BE2CF2
.text ntoskrnl.exe!ZwSaveKeyEx 804DD6FC 5 Bytes JMP 84BE3932
.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 84BE071B
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 84BDFB1B
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 84BE26F4
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 84BE288C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----

Shaba
2009-07-25, 16:58
Looks like a potential candidate of MBR rootkit.

Please download MBR.EXE (http://www2.gmer.net/mbr/mbr.exe) by GMER. Save it to your desktop.
Double click on mbr.exe to execute.
If you recieve the "Publisher could not be verified" security warning, please press Run.
A black CMD prompt window will open and close quickly, this is expected and normal.
Upon completion, a file will be created on your desktop named "mbr.log"
Double click the "mbr.log" file and Notepad should open.
Copy and paste the contents of the files mbr.log in your next reply.

sjeartc
2009-07-25, 17:10
Thanks Shaba. (this file doesn't seem to say much though)

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
BIOS signateure not found

Shaba
2009-07-25, 17:32
It actually tells that you don't likely have MBR rootkit.

Let's see if you can run this:

Please download DDS (http://download.bleepingcomputer.com/sUBs/dds.scr) and save it to your desktop.
Disable any script blocking protection Double click dds.scr to run the tool. When done, DDS.txt will open. Click Yes at the next prompt for Optional Scan. Save both reports to your desktop.---------------------------------------------------

Please include the contents of the following reports in your next reply:

DDS.txt
Attach.txt]

sjeartc
2009-07-25, 17:44
Hi again Shaba (I really appreciate your time here.)
I did not get the 'Optional Scan' message but the 2 files are below:

*****
DDS (Ver_09-06-26.01) - NTFSx86
Run by Shaun at 0:38:37.56 on Sun 26/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.152 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Safari\Safari.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Shaun.NONE-9CBF599228\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://www.google.com.au/
uWindow Title =
uSearch Bar =
mWindow Title =
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com.au/
mSearchAssistant =
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
uRun: [Google Update] "c:\documents and settings\shaun.none-9cbf599228\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [VTTimer] VTTimer.exe
mRun: [RaidTool] c:\program files\via\raid\raid_tool.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [RemoteControl] "c:\program files\asustek\asusdvd\PDVDServ.exe"
mExplorerRun: [Lsass Service] c:\documents and settings\shaun.none-9cbf599228\application data\microsoft\windows\lsass.exe
StartupFolder: c:\docume~1\shaun~1.non\startm~1\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\documents and settings\shaun.none-9cbf599228\start menu\startup\OpenOffice.org 2.4.lnk.disabled
StartupFolder: c:\documents and settings\all users.windows\start menu\programs\startup\WinZip Quick Pick.lnk.disabled
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183342295500
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.191,85.255.112.78
TCP: {33B9378C-6384-41B3-89B1-294DDA944591} = 85.255.112.191,85.255.112.78
TCP: {654C3BDA-9AA7-40B9-B32B-7BE24EE8E496} = 85.255.112.191,85.255.112.78
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: c008249A - c008249A.mat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shaun~1.non\applic~1\mozilla\firefox\profiles\0fd3czad.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - SweetIM Search
FF - prefs.js: browser.startup.homepage - hxxp://home.sweetim.com
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\shaun.none-9cbf599228\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-19 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-3 327688]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-3 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-3 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-4 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-3 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-4 1029456]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-4 13592]

=============== Created Last 30 ================

2009-07-25 22:44 <DIR> --d----- c:\program files\HJTHS
2009-07-25 22:42 <DIR> --d----- c:\program files\HJTHIS
2009-07-25 22:39 69 a------- c:\windows\NeroDigital.ini
2009-07-25 19:45 2,916,352 -------- c:\windows\UNNMP.exe
2009-07-25 19:45 49,883 -------- c:\windows\UNNMP.cfg
2009-07-25 19:39 123,452 -------- c:\windows\UNNeroVision.cfg
2009-07-25 19:39 2,969,600 -------- c:\windows\UNNeroVision.exe
2009-07-25 19:38 364,544 -------- c:\windows\system32\TwnLib4.dll
2009-07-25 19:38 1,568,768 -------- c:\windows\system32\ImagX7.dll
2009-07-25 19:38 476,320 -------- c:\windows\system32\ImagXpr7.dll
2009-07-25 19:38 471,040 -------- c:\windows\system32\ImagXRA7.dll
2009-07-25 19:38 262,144 -------- c:\windows\system32\ImagXR7.dll
2009-07-25 17:38 23,936 -------- c:\windows\UNNeroBurnRights.cfg
2009-07-25 17:38 65,536 a------- c:\windows\system32\NeroCo.dll
2009-07-25 17:38 57,344 a------- c:\windows\system32\NeroBurnRights.cpl
2009-07-25 17:38 2,031,616 -------- c:\windows\UNNeroBurnRights.exe
2009-07-19 23:59 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-19 23:00 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-19 22:59 <DIR> -cd-h--- c:\docume~1\alluse~1.win\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-19 20:09 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\STOPzilla!
2009-07-19 18:20 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-19 18:20 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-19 18:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 18:20 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-07-19 18:02 <DIR> --d----- c:\program files\hthis
2009-07-19 00:22 54,156 a---h--- c:\windows\QTFont.qfn
2009-07-19 00:22 1,409 a------- c:\windows\QTFont.for
2009-07-09 20:05 <DIR> --dsh--- c:\documents and settings\shaun.none-9cbf599228\IECompatCache
2009-07-07 16:16 <DIR> --dsh--- c:\documents and settings\shaun.none-9cbf599228\PrivacIE
2009-07-06 21:09 <DIR> --dsh--- c:\documents and settings\shaun.none-9cbf599228\IETldCache
2009-07-06 15:09 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-07-06 15:09 <DIR> --d----- c:\windows\ie8updates
2009-07-06 15:07 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-07-06 15:07 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-07-06 15:04 <DIR> -cd-h--- c:\windows\ie8
2009-07-04 14:09 <DIR> --d----- c:\docume~1\shaun~1.non\applic~1\Uniblue
2009-06-28 22:03 <DIR> --d----- c:\program files\CCleaner
2009-06-26 07:21 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\AVG Security Toolbar

==================== Find3M ====================

2009-06-26 07:20 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-26 07:20 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-17 00:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-17 00:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-04 05:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-25 19:37 160,593 a------- c:\windows\Sqirlz Water Reflections Uninstaller.exe
2009-05-13 15:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-08 01:32 345,600 a------- c:\windows\system32\localspl.dll
2007-07-01 18:48 1,174,596 a------- c:\docume~1\shaun~1.non\applic~1\Install.dat
2003-10-08 15:07 545,792 a------- c:\program files\CRW5224AU_137.exe

============= FINISH: 0:39:05.15 ===============
*****


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 3/06/2007 6:36:58 PM
System Uptime: 25/07/2009 8:12:18 PM (4 hours ago)

Motherboard: | | P4VM800
Processor: Intel(R) Celeron(R) CPU 2.66GHz | CPUSocket | 2666/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 14.891 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 20/07/2009 1:54:31 AM - System Checkpoint
RP2: 21/07/2009 2:06:04 AM - System Checkpoint
RP3: 22/07/2009 1:00:14 AM - Software Distribution Service 3.0
RP4: 23/07/2009 1:07:10 AM - System Checkpoint
RP5: 25/07/2009 6:44:46 PM - Removed Nero - Burning Rom
RP6: 25/07/2009 6:46:48 PM - Removed Nero - Burning Rom
RP7: 25/07/2009 6:48:54 PM - Removed Nero - Burning Rom

==== Installed Programs ======================

µTorrent
ACDSee for PENTAX 3.0
Ad-Aware
Adobe Acrobat 5.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.4
Adobe Stock Photos 1.0
Alien Skin Xenofex 2.0
AnvSoft Flash to Video Converter 1.2.2
Apple Mobile Device Support
ArcSoft PhotoStudio 2000
ASUSDVD
AutoUpdate
AVG 8.5
Belarc Advisor 7.2
Bink and Smacker
Bonjour
BufferChm
C-Media 3D Audio
Caere Scan Manager 5.1
Canon CanoCraft CS-P 3.8
Canon ScanGear Toolbox CS 2.2
CCleaner (remove only)
CCScore
CoffeeCup Free FTP 4.0.1
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Panorama1Config
cp_PosterPrintConfig
cp_PrintOnCDConfig
cp_UpdateProjectsConfig
CueTour
CustomerResearchQFolder
D6100
D6100_D7100_D7300_Help
DeviceManagementQFolder
Digital Locker Assistant
DivX Converter
DivX Player
DivX Web Player
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
eSupportQFolder
Extensis PhotoTools 2.0
Eye Candy 3
fflink
Free Video to Flash Converter version 3.1
FullDPAppQFolder
Google Chrome
Google Earth
Google Updater
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Photosmart and Deskjet 7.0 Software
HP Photosmart Essential
HP Photosmart Premier Software 6.5
HP Solution Center 7.0
HP Update
hph_ProductContext
hph_readme
hph_software
hph_software_req
HPPhotoSmartExpress
HPProductAssistant
InstantShareDevices
InstantShareDevicesMFC
iTunes
Java(TM) 6 Update 3
Java(TM) 6 Update 4
Java(TM) 6 Update 5
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
LightScribe 1.4.39.1
Macromedia Contribute 3.11
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks 8
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia HomeSite+
Malwarebytes' Anti-Malware
MarketResearch
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Publisher 2000 SR-1
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero BurnRights
Nero Suite
netbrdg
Netscape Navigator (9.0.0.6)
OfotoXMI
OmniPage Pro 9.0
OpenOffice.org 2.4
Opera 9.52
OptionalContentQFolder
Painter 6
PanoStandAlone
PhotoGallery
Picasa 2
Platform
QuickTime
RandMap
S3GSetup
Safari
SC Audio Converter 7.4.0.2
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
SFR
SHASTA
skin0001
SkinsHP1
SKINXSDK
SlideShow
SlideShowMusic
SolutionCenter
Sonic_PrimoSDK
Sqirlz Water Reflections
staticcr
Status
Toolbox
tooltips
TopStyle Lite (Version 3.0)
TrayApp
Ulead DVD MovieFactory 4.0 SE
Ulead Particle.Plugin 1.0
Uninstall 1.0.0.0
Unload
Update for Windows Internet Explorer 8 (KB971930)
VIA Platform Device Manager
VIA/S3G Display Driver
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VPRINTOL
WebFldrs XP
WebReg
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows Movie Maker 2.0
Windows XP Service Pack 3
WinZip 12.1
WIRELESS

==== Event Viewer Messages From Past Week ========

25/07/2009 9:56:04 PM, error: Dhcp [1002] - The IP address lease 192.168.100.11 for the Network Card with network address 00111A6C20BE has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
25/07/2009 9:00:00 AM, error: Schedule [7901] - The At10.job command failed to start due to the following error: %%2147942402
25/07/2009 8:00:00 AM, error: Schedule [7901] - The At9.job command failed to start due to the following error: %%2147942402
25/07/2009 7:00:00 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: %%2147942402
25/07/2009 6:52:14 PM, error: ipnathlp [32003] - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
25/07/2009 6:48:55 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
25/07/2009 6:00:00 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402
25/07/2009 6:00:00 AM, error: Schedule [7901] - The At7.job command failed to start due to the following error: %%2147942402
25/07/2009 5:00:00 PM, error: Schedule [7901] - The At18.job command failed to start due to the following error: %%2147942402
25/07/2009 5:00:00 AM, error: Schedule [7901] - The At6.job command failed to start due to the following error: %%2147942402
25/07/2009 4:00:00 PM, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402
25/07/2009 4:00:00 AM, error: Schedule [7901] - The At5.job command failed to start due to the following error: %%2147942402
25/07/2009 3:00:00 PM, error: Schedule [7901] - The At16.job command failed to start due to the following error: %%2147942402
25/07/2009 3:00:00 AM, error: Schedule [7901] - The At4.job command failed to start due to the following error: %%2147942402
25/07/2009 2:00:00 PM, error: Schedule [7901] - The At15.job command failed to start due to the following error: %%2147942402
25/07/2009 2:00:00 AM, error: Schedule [7901] - The At3.job command failed to start due to the following error: %%2147942402
25/07/2009 12:44:00 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: General access denied error
25/07/2009 12:00:00 PM, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402
25/07/2009 11:00:00 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: %%2147942402
25/07/2009 10:00:00 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402
25/07/2009 1:00:00 PM, error: Schedule [7901] - The At14.job command failed to start due to the following error: %%2147942402
25/07/2009 1:00:00 AM, error: Schedule [7901] - The At2.job command failed to start due to the following error: %%2147942402
24/07/2009 9:00:00 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402
24/07/2009 8:00:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402
24/07/2009 7:00:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402
24/07/2009 11:00:00 PM, error: Schedule [7901] - The At24.job command failed to start due to the following error: %%2147942402
24/07/2009 10:00:00 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402
23/07/2009 8:41:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
23/07/2009 8:29:11 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
23/07/2009 8:27:00 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
23/07/2009 8:26:01 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX BANTExt Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
23/07/2009 8:26:01 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
23/07/2009 8:26:01 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
23/07/2009 8:26:01 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
23/07/2009 8:26:01 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
23/07/2009 8:26:01 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

==== End Of File ===========================

Shaba
2009-07-25, 19:12
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent

I'd like you to read the this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Please run a new DDS scan when finished and post the logs back here.

sjeartc
2009-07-26, 05:58
Hi Shaba. I just got back to my PC.
I have uninstalled U.Torrent.
DDS.txt and Attach.txt follow:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Shaun at 12:51:47.92 on Sun 26/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.120 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Safari\Safari.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Shaun.NONE-9CBF599228\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://www.google.com.au/
uWindow Title =
uSearch Bar =
mWindow Title =
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com.au/
mSearchAssistant =
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
uRun: [Google Update] "c:\documents and settings\shaun.none-9cbf599228\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [VTTimer] VTTimer.exe
mRun: [RaidTool] c:\program files\via\raid\raid_tool.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [RemoteControl] "c:\program files\asustek\asusdvd\PDVDServ.exe"
mExplorerRun: [Lsass Service] c:\documents and settings\shaun.none-9cbf599228\application data\microsoft\windows\lsass.exe
StartupFolder: c:\docume~1\shaun~1.non\startm~1\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\documents and settings\shaun.none-9cbf599228\start menu\startup\OpenOffice.org 2.4.lnk.disabled
StartupFolder: c:\documents and settings\all users.windows\start menu\programs\startup\WinZip Quick Pick.lnk.disabled
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183342295500
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.191,85.255.112.78
TCP: {33B9378C-6384-41B3-89B1-294DDA944591} = 85.255.112.191,85.255.112.78
TCP: {654C3BDA-9AA7-40B9-B32B-7BE24EE8E496} = 85.255.112.191,85.255.112.78
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: c008249A - c008249A.mat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shaun~1.non\applic~1\mozilla\firefox\profiles\0fd3czad.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - SweetIM Search
FF - prefs.js: browser.startup.homepage - hxxp://home.sweetim.com
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\shaun.none-9cbf599228\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-19 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-3 327688]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-3 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-3 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-4 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-3 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-4 1029456]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-4 13592]

=============== Created Last 30 ================

2009-07-25 22:44 <DIR> --d----- c:\program files\HJTHS
2009-07-25 22:42 <DIR> --d----- c:\program files\HJTHIS
2009-07-25 22:39 69 a------- c:\windows\NeroDigital.ini
2009-07-25 19:45 2,916,352 -------- c:\windows\UNNMP.exe
2009-07-25 19:45 49,883 -------- c:\windows\UNNMP.cfg
2009-07-25 19:39 123,452 -------- c:\windows\UNNeroVision.cfg
2009-07-25 19:39 2,969,600 -------- c:\windows\UNNeroVision.exe
2009-07-25 19:38 364,544 -------- c:\windows\system32\TwnLib4.dll
2009-07-25 19:38 1,568,768 -------- c:\windows\system32\ImagX7.dll
2009-07-25 19:38 476,320 -------- c:\windows\system32\ImagXpr7.dll
2009-07-25 19:38 471,040 -------- c:\windows\system32\ImagXRA7.dll
2009-07-25 19:38 262,144 -------- c:\windows\system32\ImagXR7.dll
2009-07-25 17:38 23,936 -------- c:\windows\UNNeroBurnRights.cfg
2009-07-25 17:38 65,536 a------- c:\windows\system32\NeroCo.dll
2009-07-25 17:38 57,344 a------- c:\windows\system32\NeroBurnRights.cpl
2009-07-25 17:38 2,031,616 -------- c:\windows\UNNeroBurnRights.exe
2009-07-19 23:59 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-19 23:00 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-19 22:59 <DIR> -cd-h--- c:\docume~1\alluse~1.win\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-19 20:09 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\STOPzilla!
2009-07-19 18:20 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-19 18:20 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-19 18:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 18:20 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-07-19 18:02 <DIR> --d----- c:\program files\hthis
2009-07-19 00:22 54,156 a---h--- c:\windows\QTFont.qfn
2009-07-19 00:22 1,409 a------- c:\windows\QTFont.for
2009-07-09 20:05 <DIR> --dsh--- c:\documents and settings\shaun.none-9cbf599228\IECompatCache
2009-07-07 16:16 <DIR> --dsh--- c:\documents and settings\shaun.none-9cbf599228\PrivacIE
2009-07-06 21:09 <DIR> --dsh--- c:\documents and settings\shaun.none-9cbf599228\IETldCache
2009-07-06 15:09 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-07-06 15:09 <DIR> --d----- c:\windows\ie8updates
2009-07-06 15:07 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-07-06 15:07 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-07-06 15:04 <DIR> -cd-h--- c:\windows\ie8
2009-07-04 14:09 <DIR> --d----- c:\docume~1\shaun~1.non\applic~1\Uniblue
2009-06-28 22:03 <DIR> --d----- c:\program files\CCleaner

==================== Find3M ====================

2009-06-26 07:20 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-26 07:20 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-17 00:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-17 00:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-04 05:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-25 19:37 160,593 a------- c:\windows\Sqirlz Water Reflections Uninstaller.exe
2009-05-13 15:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-08 01:32 345,600 a------- c:\windows\system32\localspl.dll
2007-07-01 18:48 1,174,596 a------- c:\docume~1\shaun~1.non\applic~1\Install.dat
2003-10-08 15:07 545,792 a------- c:\program files\CRW5224AU_137.exe

============= FINISH: 12:52:39.03 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 3/06/2007 6:36:58 PM
System Uptime: 25/07/2009 8:12:18 PM (16 hours ago)

Motherboard: | | P4VM800
Processor: Intel(R) Celeron(R) CPU 2.66GHz | CPUSocket | 2666/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 14.898 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 20/07/2009 1:54:31 AM - System Checkpoint
RP2: 21/07/2009 2:06:04 AM - System Checkpoint
RP3: 22/07/2009 1:00:14 AM - Software Distribution Service 3.0
RP4: 23/07/2009 1:07:10 AM - System Checkpoint
RP5: 25/07/2009 6:44:46 PM - Removed Nero - Burning Rom
RP6: 25/07/2009 6:46:48 PM - Removed Nero - Burning Rom
RP7: 25/07/2009 6:48:54 PM - Removed Nero - Burning Rom

==== Installed Programs ======================

ACDSee for PENTAX 3.0
Ad-Aware
Adobe Acrobat 5.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.4
Adobe Stock Photos 1.0
Alien Skin Xenofex 2.0
AnvSoft Flash to Video Converter 1.2.2
Apple Mobile Device Support
ArcSoft PhotoStudio 2000
ASUSDVD
AutoUpdate
AVG 8.5
Belarc Advisor 7.2
Bink and Smacker
Bonjour
BufferChm
C-Media 3D Audio
Caere Scan Manager 5.1
Canon CanoCraft CS-P 3.8
Canon ScanGear Toolbox CS 2.2
CCleaner (remove only)
CCScore
CoffeeCup Free FTP 4.0.1
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Panorama1Config
cp_PosterPrintConfig
cp_PrintOnCDConfig
cp_UpdateProjectsConfig
CueTour
CustomerResearchQFolder
D6100
D6100_D7100_D7300_Help
DeviceManagementQFolder
Digital Locker Assistant
DivX Converter
DivX Player
DivX Web Player
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
eSupportQFolder
Extensis PhotoTools 2.0
Eye Candy 3
fflink
Free Video to Flash Converter version 3.1
FullDPAppQFolder
Google Chrome
Google Earth
Google Updater
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Photosmart and Deskjet 7.0 Software
HP Photosmart Essential
HP Photosmart Premier Software 6.5
HP Solution Center 7.0
HP Update
hph_ProductContext
hph_readme
hph_software
hph_software_req
HPPhotoSmartExpress
HPProductAssistant
InstantShareDevices
InstantShareDevicesMFC
iTunes
Java(TM) 6 Update 3
Java(TM) 6 Update 4
Java(TM) 6 Update 5
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
LightScribe 1.4.39.1
Macromedia Contribute 3.11
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks 8
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia HomeSite+
Malwarebytes' Anti-Malware
MarketResearch
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Publisher 2000 SR-1
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero BurnRights
Nero Suite
netbrdg
Netscape Navigator (9.0.0.6)
OfotoXMI
OmniPage Pro 9.0
OpenOffice.org 2.4
Opera 9.52
OptionalContentQFolder
Painter 6
PanoStandAlone
PhotoGallery
Picasa 2
Platform
QuickTime
RandMap
S3GSetup
Safari
SC Audio Converter 7.4.0.2
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 8 (KB969897)
SFR
SHASTA
skin0001
SkinsHP1
SKINXSDK
SlideShow
SlideShowMusic
SolutionCenter
Sonic_PrimoSDK
Sqirlz Water Reflections
staticcr
Status
Toolbox
tooltips
TopStyle Lite (Version 3.0)
TrayApp
Ulead DVD MovieFactory 4.0 SE
Ulead Particle.Plugin 1.0
Uninstall 1.0.0.0
Unload
Update for Windows Internet Explorer 8 (KB971930)
VIA Platform Device Manager
VIA/S3G Display Driver
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VPRINTOL
WebFldrs XP
WebReg
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows Movie Maker 2.0
Windows XP Service Pack 3
WinZip 12.1
WIRELESS

==== Event Viewer Messages From Past Week ========

25/07/2009 9:56:04 PM, error: Dhcp [1002] - The IP address lease 192.168.100.11 for the Network Card with network address 00111A6C20BE has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
25/07/2009 9:00:00 AM, error: Schedule [7901] - The At10.job command failed to start due to the following error: %%2147942402
25/07/2009 8:00:00 AM, error: Schedule [7901] - The At9.job command failed to start due to the following error: %%2147942402
25/07/2009 7:00:00 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: %%2147942402
25/07/2009 6:52:14 PM, error: ipnathlp [32003] - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
25/07/2009 6:48:55 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
25/07/2009 6:00:00 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402
25/07/2009 6:00:00 AM, error: Schedule [7901] - The At7.job command failed to start due to the following error: %%2147942402
25/07/2009 5:00:00 PM, error: Schedule [7901] - The At18.job command failed to start due to the following error: %%2147942402
25/07/2009 5:00:00 AM, error: Schedule [7901] - The At6.job command failed to start due to the following error: %%2147942402
25/07/2009 4:00:00 PM, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402
25/07/2009 4:00:00 AM, error: Schedule [7901] - The At5.job command failed to start due to the following error: %%2147942402
25/07/2009 3:00:00 PM, error: Schedule [7901] - The At16.job command failed to start due to the following error: %%2147942402
25/07/2009 3:00:00 AM, error: Schedule [7901] - The At4.job command failed to start due to the following error: %%2147942402
25/07/2009 2:00:00 PM, error: Schedule [7901] - The At15.job command failed to start due to the following error: %%2147942402
25/07/2009 2:00:00 AM, error: Schedule [7901] - The At3.job command failed to start due to the following error: %%2147942402
25/07/2009 12:44:00 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: General access denied error
25/07/2009 12:00:00 PM, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402
25/07/2009 11:00:00 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: %%2147942402
25/07/2009 10:00:00 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402
25/07/2009 1:00:00 PM, error: Schedule [7901] - The At14.job command failed to start due to the following error: %%2147942402
25/07/2009 1:00:00 AM, error: Schedule [7901] - The At2.job command failed to start due to the following error: %%2147942402
24/07/2009 9:00:00 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402
24/07/2009 8:00:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402
24/07/2009 7:00:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402
24/07/2009 11:00:00 PM, error: Schedule [7901] - The At24.job command failed to start due to the following error: %%2147942402
24/07/2009 10:00:00 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402
23/07/2009 8:41:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
23/07/2009 8:29:11 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
23/07/2009 8:27:00 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
23/07/2009 8:26:01 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX BANTExt Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
23/07/2009 8:26:01 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
23/07/2009 8:26:01 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
23/07/2009 8:26:01 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
23/07/2009 8:26:01 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
23/07/2009 8:26:01 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

==== End Of File ===========================

Shaba
2009-07-26, 12:32
We will continue with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

sjeartc
2009-07-26, 13:10
Thanks Shaba. I will d/load and run combofix right now.

sjeartc
2009-07-26, 14:01
Hi Shaba.
All firewalls, updaters, virus protection etc disabled, ....but Combofix exe won't run even if renamed.

Shaba
2009-07-26, 14:20
Please attempt to run it in safe mode next :)

sjeartc
2009-07-26, 14:51
Sorry Shaba,
Combo fix needs Recovery Console and I can't download it in Safe Mode.
Do you have a download location for me?

Shaba
2009-07-26, 14:58
See here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix#manual_recovery).

Download it in normal mode and drag & drop it to combofix.exe in safe mode :)

sjeartc
2009-07-26, 16:03
Hi Again Shaba.
Combofix has now run. (Sorry it took so long.)
Log file follows:

ComboFix 09-07-25.04 - Shaun 26/07/2009 22:31.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.126 [GMT 10:00]
Running from: c:\documents and settings\Shaun.NONE-9CBF599228\Desktop\fixCom.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Shaun.NONE-9CBF599228\Application Data\Install.dat
c:\recycler\S-1-5-21-1844237615-299502267-725345543-1004
c:\windows\Installer\1ee7b0b8.msi
c:\windows\Installer\6046953.msp
c:\windows\Installer\ad6451e.msp
c:\windows\Installer\WMEncoder.msi
c:\windows\system32\drivers\ESQULewbodkbwesplxwqbpfmfrqrdnemivkkf.sys
c:\windows\system32\ESQULhlwnpxrunkxhhopilwievxmbruddvisn.dll
c:\windows\system32\ESQULqwevpeoowqjwgjquhimrflnyitswyije.dll
c:\windows\system32\ESQULzcounter
c:\windows\system32\mdm.exe
c:\windows\system32\xpysys.dll


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ESQULserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-26 to 2009-07-26 )))))))))))))))))))))))))))))))
.

2009-07-25 12:44 . 2009-07-25 12:44 -------- d-----w- c:\program files\HJTHS
2009-07-25 12:42 . 2009-07-25 12:45 -------- d-----w- c:\program files\HJTHIS
2009-07-25 09:45 . 2005-04-20 11:32 2916352 ------w- c:\windows\UNNMP.exe
2009-07-25 09:39 . 2005-07-01 13:56 2969600 ------w- c:\windows\UNNeroVision.exe
2009-07-25 09:38 . 2004-07-08 23:43 364544 ------w- c:\windows\system32\TwnLib4.dll
2009-07-25 09:38 . 2004-07-26 07:16 476320 ------w- c:\windows\system32\ImagXpr7.dll
2009-07-25 09:38 . 2004-07-26 07:16 471040 ------w- c:\windows\system32\ImagXRA7.dll
2009-07-25 09:38 . 2004-07-26 07:16 262144 ------w- c:\windows\system32\ImagXR7.dll
2009-07-25 09:38 . 2004-07-26 07:16 1568768 ------w- c:\windows\system32\ImagX7.dll
2009-07-25 09:38 . 2009-07-25 09:38 -------- d-----w- c:\program files\Common Files\Ahead
2009-07-25 09:38 . 2009-07-25 09:54 -------- d-----w- c:\program files\Ahead
2009-07-25 08:04 . 2009-07-25 08:04 137968 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-25 07:38 . 2004-08-05 05:58 65536 ----a-w- c:\windows\system32\NeroCo.dll
2009-07-25 07:38 . 2004-08-04 04:19 2031616 ------w- c:\windows\UNNeroBurnRights.exe
2009-07-20 13:00 . 2009-07-20 13:00 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
2009-07-19 15:08 . 2009-07-19 15:08 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
2009-07-19 13:59 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-19 13:00 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-19 12:59 . 2009-07-19 12:59 -------- dc-h--w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-19 12:59 . 2009-07-19 13:00 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\Lavasoft
2009-07-19 10:09 . 2009-07-19 10:23 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\STOPzilla!
2009-07-19 08:20 . 2009-07-13 03:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-19 08:20 . 2009-07-19 08:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 08:20 . 2009-07-19 08:20 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\Malwarebytes
2009-07-19 08:20 . 2009-07-13 03:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-19 08:02 . 2009-07-19 08:02 -------- d-----w- c:\program files\hthis
2009-07-18 07:25 . 2009-07-18 07:37 -------- d-----w- c:\documents and settings\Shaun.NONE-9CBF599228\Local Settings\Application Data\Temp
2009-07-17 05:32 . 2009-07-17 05:32 -------- d-----w- c:\documents and settings\Shaun.NONE-9CBF599228\Local Settings\Application Data\AVG Security Toolbar
2009-07-17 03:31 . 2009-07-19 05:58 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\Google Updater
2009-07-16 08:33 . 2009-07-16 08:33 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-07-16 07:37 . 2009-07-16 07:37 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-09 10:05 . 2009-07-09 10:05 -------- d-sh--w- c:\documents and settings\Shaun.NONE-9CBF599228\IECompatCache
2009-07-07 06:16 . 2009-07-07 06:16 -------- d-sh--w- c:\documents and settings\Shaun.NONE-9CBF599228\PrivacIE
2009-07-06 11:09 . 2009-07-06 11:09 -------- d-sh--w- c:\documents and settings\Shaun.NONE-9CBF599228\IETldCache
2009-07-06 05:09 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-06 05:09 . 2009-07-06 05:09 -------- d-----w- c:\windows\ie8updates
2009-07-06 05:07 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-06 05:07 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-06 05:04 . 2009-07-06 05:07 -------- dc-h--w- c:\windows\ie8
2009-07-04 04:09 . 2009-07-04 04:09 -------- d-----w- c:\documents and settings\Shaun.NONE-9CBF599228\Application Data\Uniblue
2009-06-28 12:03 . 2009-06-28 12:03 -------- d-----w- c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-26 02:50 . 2009-05-30 09:21 -------- d-----w- c:\documents and settings\Shaun.NONE-9CBF599228\Application Data\uTorrent
2009-07-25 12:57 . 2008-03-28 05:06 -------- d-----w- c:\documents and settings\Shaun.NONE-9CBF599228\Application Data\U3
2009-07-25 12:46 . 2008-11-08 04:47 -------- d-----w- c:\program files\Trend Micro
2009-07-19 12:59 . 2007-01-10 05:07 -------- d-----w- c:\program files\Lavasoft
2009-07-17 12:48 . 2008-05-05 13:07 -------- d-----w- c:\documents and settings\Shaun.NONE-9CBF599228\Application Data\OpenOffice.org2
2009-07-17 12:17 . 2008-05-05 13:09 1 ----a-w- c:\documents and settings\Shaun.NONE-9CBF599228\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-07-17 11:07 . 2008-05-03 05:28 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\avg8
2009-07-17 03:31 . 2007-04-06 13:15 -------- d-----w- c:\program files\Google
2009-07-17 03:29 . 2008-12-06 06:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-17 03:29 . 2007-06-03 12:34 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\Spybot - Search & Destroy
2009-07-11 05:40 . 2009-06-25 21:21 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\AVG Security Toolbar
2009-06-28 12:07 . 2009-03-26 11:37 -------- d-----w- c:\program files\Yahoo!
2009-06-25 21:21 . 2009-06-25 21:21 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\AVGTOOLBAR
2009-06-25 21:20 . 2008-05-03 05:29 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-25 21:20 . 2008-05-03 05:29 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-25 21:20 . 2008-05-03 05:29 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-24 12:57 . 2008-08-31 09:08 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\WinZip
2009-06-16 14:36 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2006-02-28 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 12:00 . 2009-06-03 11:54 -------- d-----w- c:\docume~1\ALLUSE~1.WIN\APPLIC~1\DriverCure
2009-06-03 11:55 . 2009-06-03 11:55 -------- d-----w- c:\documents and settings\Shaun.NONE-9CBF599228\Application Data\DriverCure
2009-05-25 09:37 . 2009-05-25 09:37 160593 ----a-w- c:\windows\Sqirlz Water Reflections Uninstaller.exe
2009-05-13 05:15 . 2006-02-28 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-04 20:54 . 2008-05-03 05:29 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2003-10-08 05:07 . 2003-10-08 05:07 545792 ----a-w- c:\program files\CRW5224AU_137.exe
2008-12-02 20:12 . 2008-12-17 09:15 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 06:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Shaun.NONE-9CBF599228\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-01 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-17 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-06-20 1056768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-25 1948440]
"RemoteControl"="c:\program files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 32768]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-07 53248]

c:\documents and settings\Shaun\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-1-10 113664]

c:\documents and settings\Shaun.NONE-9CBF599228\Start Menu\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-1-10 113664]
OpenOffice.org 2.4.lnk.disabled [2008-5-5 870]

c:\docume~1\ALLUSE~1.WIN\STARTM~1\Programs\Startup\
WinZip Quick Pick.lnk.disabled [2008-1-10 1518]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-25 21:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSFox"=c:\docume~1\SHAUN~1.NON\LOCALS~1\Temp\xxx2558.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"NWEReboot"=
"VTTrayp"=VTtrayp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\CoffeeCup Software\\FreeFTPFree-4.0.1\\FreeFTP.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [19/07/2009 11:00 PM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/05/2008 3:29 PM 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/05/2008 3:29 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/07/2008 6:41 AM 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/05/2008 3:28 PM 298776]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [4/11/2006 12:19 PM 13592]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [4/07/2009 12:49 AM 1029456]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{EEE6C35D-6118-11DC-9C72-001320C79847} - (no file)
WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
HKLM-Explorer_Run-Lsass Service - c:\documents and settings\Shaun.NONE-9CBF599228\Application Data\Microsoft\Windows\lsass.exe
Notify-c008249A - c008249A.mat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
mWindow Title =
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com.au/
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\docume~1\SHAUN~1.NON\APPLIC~1\Mozilla\Firefox\Profiles\0fd3czad.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - SweetIM Search
FF - prefs.js: browser.startup.homepage - hxxp://home.sweetim.com
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Shaun.NONE-9CBF599228\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-26 22:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Lsass Service = c:\documents and settings\Shaun.NONE-9CBF599228\Application Data\Microsoft\Windows\lsass.exe???????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1644491937-362288127-1801674531-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2488)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-26 22:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-26 12:51

Pre-Run: 15,915,294,720 bytes free
Post-Run: 16,097,710,080 bytes free

249 --- E O F --- 2009-07-21 15:01

Shaba
2009-07-26, 16:39
That looks better :) Let me know if you are now able to run HijackThis.

sjeartc
2009-07-26, 16:50
Hi gain Shaba.
HJT now runs.
I can't work out how to send you the results though?

Shaba
2009-07-26, 17:58
This will work:

Launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

sjeartc
2009-07-26, 18:16
Hi Shaba.
I already had the log file right in front of me. (It's 1:30 AM in Sydney, I have to be up at 6am and I am starting to fade.)
Log follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:46 PM, on 26/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Shaun.NONE-9CBF599228\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.4.lnk.disabled
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183342295500
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6345 bytes

Shaba
2009-07-26, 18:51
Maybe then better continue later :)

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

sjeartc
2009-07-26, 19:25
Hi again. Sorry...Cant install. I get the message that I don't have the system requirements. Not sure what I'm missing...System info from Belarc follows; Then I have to get some sleep. Thanks heaps Shaba!

Operating System System Model
Windows XP Home Edition Service Pack 3 (build 2600) No details
available
Processor a Main Circuit Board b
2.67 gigahertz Intel Celeron
16 kilobyte primary memory cache
256 kilobyte secondary memory cache Board: P4VM800 1.00
Bus Clock: 133 megahertz
BIOS: American Megatrends Inc. P1.50 02/14/2006
Drives Memory Modules c,d
40.01 Gigabytes Usable Hard Drive Capacity
15.90 Gigabytes Hard Drive Free Space

ASUS DRW-1608P3S USB Device [CD-ROM drive]
ATAPI CD-R/RW 16X10 [CD-ROM drive]
3.5" format removeable media [Floppy drive]

ST340014A [Hard drive] (40.02 GB) -- drive 0, s/n 5JX4X5FV, rev
3.06, SMART Status: Healthy 448 Megabytes Installed Memory

Slot '0' has 256 MB
Slot '1' has 256 MB
Local Drive Volumes

c: (NTFS on drive 0)40.01 GB15.90 GB free

Network Drives
None detected

Shaba
2009-07-26, 20:24
Did it prompt to install java?

sjeartc
2009-07-27, 08:35
Hi Shaba.
No.
I had no prompt to install Java.

Shaba
2009-07-27, 08:39
Were you trying to run scan with Safari?

It doesn't work with that; you will need to use either IE, Firefox or Opera.

If you tried to scan with Safari, please try again with some of those three browsers :)

sjeartc
2009-07-27, 09:18
I will try again via Opera and post again when done.

Shaba
2009-07-27, 09:44
Thanks for update :)

sjeartc
2009-07-27, 09:46
Sorry Shaba.
The download is going to ,take forever as I am down to download dregs until 31/7/09, and only getting about 8kps. I will post again when it finishes.

Shaba
2009-07-27, 10:08
No problem, take your time :)

sjeartc
2009-07-27, 16:43
Hi again Shaba. (And ongoing thanks)

Scans just completed. Its almost midnight here and it will be tomorrow (about 8pm) before I can get back on line though.

Kapersky Log and HJT report follow:

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, July 27, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, July 27, 2009 09:58:03
Records in database: 2554425
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 122029
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 03:33:54


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\ESQULhlwnpxrunkxhhopilwievxmbruddvisn.dll.vir Infected: Packed.Win32.Tdss.w 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ESQULqwevpeoowqjwgjquhimrflnyitswyije.dll.vir Infected: Packed.Win32.Tdss.w 1

The selected area was scanned.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:20 PM, on 27/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\VTTimer.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Shaun.NONE-9CBF599228\Local Settings\temp\jkos-Shaun\binaries\ScanningProcess.exe
C:\Program Files\hthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1644491937-362288127-1801674531-500\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Administrator')
O4 - HKUS\S-1-5-21-1644491937-362288127-1801674531-501\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Guest')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.4.lnk.disabled
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183342295500
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6554 bytes

Shaba
2009-07-27, 16:50
Empty this folder:

C:\Qoobox\Quarantine

Empty Recycle Bin.

Still problems?

sjeartc
2009-07-28, 08:35
Hi Shaba.

All deleted from Qoobox/Quarantine except
'MoveEx_SysHive_link.vir'

I get the message
"Cannot delete MoveEx_SysHive_link: It is being used by another person or program."

I will try again after closing this browser.

Also, although Spybot is now reinstalled and updated, on immunisation I still get 193 "unprotected".

Shaba
2009-07-28, 20:13
Were all browser closed when you attempted to immunize?

sjeartc
2009-07-29, 04:49
Hi again Shaba.

Yes, all browsers were closed. I've also tried with all security off and after a restart.

(Also,I just ran Windows Malicious Software Removal Tool and it picked up and deleted a trojan....Win32/Alureon.BU)

Shaba
2009-07-29, 07:00
OK so that might be then a bug.

Does Windows Malicious Software Removal Tool find something upon rescan?

sjeartc
2009-07-29, 10:22
Windows Malicious Softwarwe Removal Tool picked up said and Removed "Trojan: Win32/Aleuron.BU

Shaba
2009-07-29, 14:07
Well did it give any details?

Without them it is impossible to say if it is real deal or false positive.

sjeartc
2009-07-30, 12:27
Hi Shaba.
Sorry it took so long to get back to you. I have some health problems and have been in and out of hospital every couple of days for several weeks.

RE the bug Windows Malicious Software removal tool picked up (Win32/Alureon.BU)....it was gone on the rescan.

RE the file "MoveEx_SysHive_link.vir"........still can't it delete from Qoobox Quarantine. I still get the message that "it is being used by another person or program", even when I have closed everything else.

Re Spybot Immunisation. Still 193 files "Unprotected". All browsers were closed and all other protection disabled.

However....everything now seems to be working as before the glitch.

Shaba
2009-07-30, 12:29
Sorry to hear that :(

"RE the bug Windows Malicious Software removal tool picked up (Win32/Alureon.BU)....it was gone on the rescan."

So that is fine then.

"RE the file "MoveEx_SysHive_link.vir"........still can't it delete from Qoobox Quarantine. I still get the message that "it is being used by another person or program", even when I have closed everything else."

It will get removed later upon combofix uninstallation, nothing to worry about.

"Re Spybot Immunisation. Still 193 files "Unprotected". All browsers were closed and all other protection disabled."

Which items are unprotected there?

sjeartc
2009-07-30, 13:01
Hi Shaba.

I just tried the Spybot immunisation again and it has picked up all files.
Everything else also looks great!

Thank you so, so much for help and the hours you have put into helping me (and probably several hundred others.)
One last question....I should now uninstall Combofix?

Shaba
2009-07-30, 13:57
Yes, see below for my final instructions.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (http://www.personalfirewall.comodo.com/download_firewall.html) (Uncheck during installation "Install COMODO Antivirus (Recommended)"!, "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) PC Tools (http://www.pctools.com/firewall/download/)
4) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Now lets uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software and keep your other programs up-to-date
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926)

Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913)


Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://forums.spybot.info/showthread.php?t=279)

Happy surfing and stay clean :bigthumb:

Shaba
2009-08-02, 11:01
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.