Infected 100% def (Trojan Horse, Spyware Virus!)



danib
2009-10-20, 23:17
In anticipation of much needed and appreciated help, may I first say - thank you; I too volunteer to help others less fortunate and have done so for many years.

I am a mature student who foolishly late last night (tired, doing uni work) clicked to update my flash at a site called, "celticKanedotcom"

Unfortunately, I was there trying to test the speed of my JavaScript, after a week of my PC showing the error message:

"A script on this page may be busy, or it may have stopped responding etc...."

In an attempt to resolve the issue I re-set the default timeout settings in about:config to 30 seconds; but, it was still slow, so I thought I'd try and find out a little more about it - stupid!

Who was it that said a little knowledge is dangerous?

"celticKanedotcom" recommended that I needed to update my flash; the logo was a perfect Adobe replica, as was the image saying, 'click and install'.

AVG then notified me that two trojan horse viruses were found when I virus scanned the flash update that I had downloaded and installed. So, I immediately restored my PC to the day before.

After scanning MY PC overnight, they are still there and my Google search engine will not work at all now; it has slowly attacked all my logins, so I cannot even read my e-mail or back up my PC; it has also sent Mozilla crazy.

Overnight AVG scan found 3 infected files and the initial scan on the Flash file found 3 'user related' spyware files; I have the paths (not detailed, as advised).

I have tried to follow the site instructions and hopefully I got them correct. Below is the hijack log; PLEASE, PLEASE, HELP.

I sit 14 hours every day at this PC, it is my work and my life at the minute; it has 3 years work on it.

Many thanks, I shall endeavour to make a donation.

dan.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:11:42, on 20/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\VirginMedia\V Stuff Backup\v_stuff_backup.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\VirginMedia\V Stuff Backup\AGMailAgent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlworld.com/welcome
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "C:\DOCUME~1\Owner\LOCALS~1\Temp\E_SD2.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [V Stuff Backup] "C:\Program Files\VirginMedia\V Stuff Backup\v_stuff_backup.exe" /delayed
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1226352887000
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

--
End of file - 9937 bytes

shelf life
2009-10-21, 22:54
hi,

Let's start with Malwarebytes. Link and directions:

Please download Malwarebytes (http://www.malwarebytes.org/mbam.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.
NOTE: The free version must be updated manually.

danib
2009-10-22, 20:16
Dear Shelf Life,

Thank you so, so much for being kind enough to give someone that you do not know both your time and expertise - I am really grateful.

For the last three days I have been unable to use the PC to work; therefore, while trying to do other things, I have been anxiously refreshing this forum's screen every 10 minutes to see if an offer of help had been made; apart from today when I was at uni.

For ref: AVG has found another 2 problems since I posted last:

- Infection in a 'restore' file in the: volume \information\ restore folder

- Worm/Rogue.Multiple disabled my security, AVG said!

Here is the log that you requested - thanks again! dan.





*********************************************************

Malwarebytes' Anti-Malware 1.41
Database version: 3010
Windows 5.1.2600 Service Pack 3

22/10/2009 18:00:29
mbam-log-2009-10-22 (18-00-29).txt

Scan type: Full Scan (C:\|)
Objects scanned: 198417
Time elapsed: 2 hour(s), 42 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\10003284 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\RECYCLER\S-1-5-21-839522115-813497703-725345543-1003\Dc3\i386\csrss.exe (Worm.Autorun.B) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-839522115-813497703-725345543-1003\Dc3\i386\dllhost.exe (Worm.Autorun.B) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-839522115-813497703-725345543-1003\Dc3\i386\explorer.exe (Worm.Autorun.B) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-839522115-813497703-725345543-1003\Dc3\i386\iexplore.exe (Worm.Autorun.B) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-839522115-813497703-725345543-1003\Dc3\i386\lsass.exe (Worm.Autorun.B) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-839522115-813497703-725345543-1003\Dc3\i386\rundll32.exe (Worm.Autorun.B) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-839522115-813497703-725345543-1003\Dc3\i386\services.exe (Worm.Autorun.B) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-839522115-813497703-725345543-1003\Dc3\i386\smss.exe (Worm.Autorun.B) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-839522115-813497703-725345543-1003\Dc3\i386\svchost.exe (Worm.Autorun.B) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-839522115-813497703-725345543-1003\Dc3\i386\userinit.exe (Worm.Autorun.B) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-839522115-813497703-725345543-1003\Dc3\i386\winlogon.exe (Worm.Autorun.B) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-839522115-813497703-725345543-1003\Dc3\i386\wmiprvse.exe (Worm.Autorun.B) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\10003284\10003284 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\10003284\pc10003284ins (Rogue.Multiple) -> Quarantined and deleted successfully.
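As an added example (not part of this thread, and not code from HijackThis, Malwarebytes or AVG), here is a small Python triage script for HijackThis-format log lines like the ones posted above. It highlights the two patterns the Malwarebytes results illustrate: core Windows binary names (csrss.exe, smss.exe, winlogon.exe and so on) appearing anywhere other than the Windows directory, as with the RECYCLER\...\i386 copies, and autorun (O4) or service (O23) entries pointing outside the Windows and Program Files trees, as with the Application Data\10003284 folder. The sample log is constructed for the example; the "[Updater]" autorun line in it is hypothetical, and the 8.3 short-name expansion only covers the two forms seen in the posted logs.

```python
import re

# Constructed sample in HijackThis v2 format.  The RECYCLER and
# Application Data paths mirror the locations Malwarebytes flagged
# in the thread; the "[Updater]" autorun line itself is hypothetical.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\RECYCLER\S-1-5-21-1\Dc3\i386\csrss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [Updater] "C:\Documents and Settings\All Users\Application Data\10003284\pc10003284ins.exe"
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Names of core Windows binaries.  A copy running from anywhere other than
# the Windows directory is a classic masquerading indicator (the same names
# Malwarebytes found under RECYCLER\...\i386 in this thread).
SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "explorer.exe", "userinit.exe", "rundll32.exe",
    "dllhost.exe", "wmiprvse.exe", "iexplore.exe",
}

# Autoruns and services are expected to live under one of these roots.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

# 8.3 short names that HijackThis reports verbatim; expand the common ones.
SHORT_NAMES = {"progra~1": "program files", "docume~1": "documents and settings"}

PATH_RE = re.compile(r'([a-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|cpl|scr))', re.IGNORECASE)
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")


def normalize_path(path):
    """Lower-case, strip quotes and expand 8.3 components so comparisons are stable."""
    parts = path.strip().strip('"').lower().split("\\")
    return "\\".join(SHORT_NAMES.get(p, p) for p in parts)


def parse_hjt(text):
    """Split a HijackThis log into the running-process list and coded entries (R1, O4, O23, ...)."""
    processes, entries = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:
            in_processes = False
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def triage(text):
    """Return (reason, origin, normalized_path) findings for paths that warrant a closer look."""
    processes, entries = parse_hjt(text)
    candidates = [("process", p) for p in processes]
    for code, rest in entries:
        if code in ("O4", "O23"):
            m = PATH_RE.search(rest)
            if m:
                candidates.append((code, m.group(1)))
    findings = []
    for origin, raw in candidates:
        path = normalize_path(raw)
        name = path.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARIES and not path.startswith("c:\\windows\\"):
            findings.append(("system binary name outside Windows directory", origin, path))
        elif origin != "process" and not path.startswith(TRUSTED_ROOTS):
            findings.append(("autorun/service outside standard program directories", origin, path))
    return findings


if __name__ == "__main__":
    for reason, origin, path in triage(SAMPLE_LOG):
        print(f"[{origin}] {reason}: {path}")
```

Run it on the sample and it reports two lines: the csrss.exe copy under RECYCLER, and the hypothetical autorun under Application Data. Everything under C:\WINDOWS and C:\Program Files stays quiet, which is the point: the script narrows a 150-line log to the handful of entries a helper actually needs to read.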

shelf life
2009-10-23, 00:02
hi,


You're welcome. So far so good. We will get one more download to use, and you can do an online scan.


Please download DDS (http://download.bleepingcomputer.com/sUBs/dds.scr) and save it to your desktop.
Disable any script blocking protection. Double click dds.scr to run the tool. When done, DDS.txt will open.
You can save both reports to your desktop.
Copy/paste both logs in your reply.

ESET online scanner:

http://www.eset.com/onlinescan/

Uses Internet Explorer only.
Check "YES" to accept terms.
Click the start button.
Allow the ActiveX component to install.
Click the start button; the scanner will update.
Check both "Remove found threats" and "Scan unwanted applications".
Click scan.
When done you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt
Please copy/paste that log in your next reply.

danib
2009-10-23, 01:25
I will try and be concise.

I tried to download eset; I accepted the terms, then this error message appeared:

"The instruction at "6x078a0068" referenced memory at "6x078a0068". The memory could not be "written"."

Click to terminate programme
Click on cancel to debug programme

*********************************************************

I clicked on cancel to debug and the Visual Studio debugger opened, as always - I should have known!

Eset would then 'not' run in Explorer; Explorer kept moving me away from the Eset homepage, after letting me view it for a few seconds, then it posted the message, 'we have moved away from this page to protect your computer' - or, something very close to that.

DDS was good though!

Here are the logs and thank you:

*********************************************************
Log 1 - DDS Notepad
*********************************************************


DDS (Ver_09-10-13.01) - NTFSx86
Run by Owner at 23:38:53.79 on 22/10/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.virginmedia.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.ntlworld.com/welcome
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [EPSON Stylus DX4400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticae.exe /fu "c:\docume~1\owner\locals~1\temp\E_SD2.tmp" /EF "HKCU"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1226352887000
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\jhclkyun.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.virginmedia.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-10-22 13:12 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-10-22 13:12 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-22 13:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-22 13:11 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-22 13:11 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-20 20:10 <DIR> --d----- c:\program files\Trend Micro
2009-10-20 15:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\VirginMedia
2009-10-20 15:16 <DIR> --d----- c:\program files\VirginMedia
2009-10-19 19:05 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-10-18 16:19 73,728 a------- c:\windows\system32\javacpl.cpl
2009-10-14 17:32 5 a------- c:\windows\system32\Band4
2009-10-14 17:32 7 a------- c:\windows\system32\Class11

==================== Find3M ====================

2009-10-06 00:09 206,124 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2009-09-11 15:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-04 22:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-29 09:08 916,480 a------- c:\windows\system32\wininet.dll
2009-08-27 11:50 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-27 11:50 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-26 09:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-17 23:33 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 20:44 2,189,184 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 15:20 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-07-31 15:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-01-06 15:53 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010620090107\index.dat

============= FINISH: 23:43:29.09 ===============



*********************************************************
Log 2 - Attach Notepad
*********************************************************

danib
2009-10-23, 01:29
Attach notepad log here - sorry, I was being too keen!

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-13.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 03/05/2006 15:46:26
System Uptime: 22/10/2009 18:04:01 (5 hours ago)

Motherboard: Hewlett-Packard | | 30AE
Processor: AMD Turion(tm) 64 Mobile Technology ML-32 | U23 | 787/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 37 GiB total, 13.914 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================


==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
ABBYY FineReader 6.0 Sprint
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1.3
Adobe Shockwave Player
Athlon 64 Processor Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG Free 8.5
Broadcom 802.11 Wireless LAN Adapter
BroadJump Client Foundation
Camera RAW Plug-In for EPSON Creativity Suite
Compatibility Pack for the 2007 Office system
Conexant AC-Link Audio
Crimson Editor (remove only)
Critical Update for Windows Media Player 11 (KB959772)
CX4300_5500_DX4400 manual
Easy Internet Sign-up
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Easy Photo Print
EPSON File Manager
EPSON Printer Software
EPSON Scan
EPSON Scan Assistant
EPSON Web-To-Page
ERUNT 1.1j
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Microsoft Visual Studio 2008 Professional Edition - ENU (KB971091)
Hotfix for Microsoft Visual Studio 2008 Professional Edition - ENU (KB973674)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Help and Support
HP Update
HP User Guides 0012
HP Wireless Assistant 1.01 C1
HpSdpAppCoreApp
InterVideo WinDVD
iTunes
J2SE Runtime Environment 5.0 Update 5
Java(TM) 6 Update 16
LiveUpdate 3.0 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Document Explorer 2008
Microsoft Expression Blend 2
Microsoft Expression Design 2
Microsoft Expression Encoder 2
Microsoft Expression Media 2 SP2
Microsoft Expression Studio 2
Microsoft Expression Web 2
Microsoft Expression Web 2 MUI (English)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access 2007
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Project 2007 Service Pack 1 (SP1)
Microsoft Office Project MUI (English) 2007
Microsoft Office Project Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard Edition 2003
Microsoft Office Visio 2007 Service Pack 1 (SP1)
Microsoft Office Visio MUI (English) 2007
Microsoft Office Visio Professional 2007
Microsoft Office Visual Web Developer 2007
Microsoft Office Visual Web Developer MUI (English) 2007
Microsoft Publisher 2002
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2008 Professional Edition - ENU
Microsoft Visual Studio Web Authoring Component
Mozilla Firefox (3.5.3)
MSN
MSN Toolbar
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Norton GoBack 4.0 (Symantec Corporation)
Quick Launch Buttons 5.20 D2
QuickTime
REALTEK Gigabit and Fast Ethernet NIC Driver
ScanToWeb
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Project 2007 (KB949046)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio 2007 (KB957831)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975467)
Soft Data Fax Modem with SmartCP
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Sun Download Manager 2.0 (web)
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
TIxx21
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Expression Web 2 (KB957827)
Update for Microsoft Visual Studio 2008 Professional Edition - ENU (KB972221)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
V Stuff Backup v1.0.0.12705
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
XML Paper Specification Shared Components Pack 1.0

==== End Of File ==================================

shelf life
2009-10-23, 01:44
hi,

Thanks for all the info. We will get one more download as a check for malware. It's called Combofix. There is a guide to read first. Read through the guide, download Combofix to your desktop. Disable AV etc. as explained in the guide, double-click the Combofix icon on your desktop and follow the prompts. Post the Combofix log in your reply.
I saw your other questions in the Tavern; I will answer them once it all looks good as far as the malware goes.

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

danib
2009-10-23, 17:37
The bleepingcomputer.com instructions advise how to turn off resident shield, firewall and anti-spyware in AVG 8.5.

* Turning off resident shield is no problem
* Turning off the AVG firewall and anti spyware IS A PROBLEM.

Here are the bleepingcomputer.com instructions for turning them off, along with my issues:

*********************************************************

"AVG Antivirus Plus Firewall" - Please navigate to the system tray on the bottom right hand corner and look for this sign.

* Right click it-> select Quit Control Center.
* A warning will pop up, click "Yes"
* You successfully disabled the AVG Antivirus Plus Firewall Guard.

THE ONLY OPTIONS I GET WHEN I RIGHT CLICK THE AVG LOGO IN THE TRAY ARE:

- OPEN AVG USER INTERFACE
- UPDATE NOW
- EXIT

*********************************************************

"AVG ANTI-SPYWARE"

* Launch AVG Anti-Spyware.
* From the "Status" menu, select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
* Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".

IN THE AVG STATUS MENU THERE IS NO OPTION TO TICK OR UNTICK ANTI SPYWARE AND IT ALWAYS SHOWS AS ACTIVE.

WHEN I RIGHT CLICK THE AVG LOGO IN THE TRAY THERE IS NO OPTION TO UNCHECK - START WITH WINDOWS. AS DETAILED BEFORE I JUST GET:

- OPEN AVG USER INTERFACE
- UPDATE NOW
- EXIT

*********************************************************

All that said, I can disable AVG resident shield and auto updates in the AVG user interface and I can switch off the firewall and the auto updates in the Windows Security Centre; HOWEVER, anti-spyware is STILL showing as active in the AVG user interface - IS THAT OK BEFORE I RUN COMBOFIX?

Please advise - thanks.

dan.

danib
2009-10-23, 20:31
Dear Shelf Life,

Thank you - you are the good guys (the internet's plain clothes police).

I look at it this way: my PC got stolen and you're carrying out an investigation and recovering it for me.

By the way, my PC hasn't booted up this fast for as long as I can remember - a pleasant side effect!

*********************************************************

After a little more research, I guessed that I had to just turn off the updates and resident shield by means of the AVG user interface and then turn off the firewall and updates in the MS security center (or just bc's instruction part 1).

Then I ran ComboFix - log is below! (However, it did not fully recover my desktop. It showed the log and my wallpaper background, but NO icons or taskbar - it appeared to stick.)

I closed the log, then powered off and it seemed to boot OK!

Log:

*********************************************************
ComboFix 09-10-22.01 - Owner 23/10/2009 18:02.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.222.88 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\jestertb.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-23 to 2009-10-23 )))))))))))))))))))))))))))))))
.

2009-10-20 19:05 . 2009-10-20 19:06 -------- d-----w- c:\program files\ERUNT
2009-10-20 14:22 . 2009-10-20 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\VirginMedia
2009-10-20 14:21 . 2009-10-20 14:25 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\VirginMedia
2009-10-20 14:16 . 2009-10-20 14:16 -------- d-----w- c:\program files\VirginMedia
2009-10-19 18:05 . 2009-10-19 18:05 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-19 14:07 . 2009-10-19 16:12 -------- d-----w- c:\documents and settings\Owner\Application Data\FileZilla
2009-10-19 13:46 . 2009-10-19 17:39 -------- d-----w- c:\program files\FileZilla FTP Client
2009-10-14 22:36 . 2009-10-14 22:36 196128 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-22 16:56 . 2009-10-22 12:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-22 12:12 . 2009-10-22 12:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-10-22 12:12 . 2009-10-22 12:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-20 19:10 . 2009-10-20 19:10 -------- d-----w- c:\program files\Trend Micro
2009-10-20 14:41 . 2008-11-07 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-18 15:17 . 2006-06-20 17:25 -------- d-----w- c:\program files\Java
2009-09-29 17:16 . 2008-10-12 18:39 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-09-22 15:05 . 2009-09-22 15:04 -------- d-----w- c:\program files\ACW
2009-09-18 12:46 . 2009-03-11 20:47 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-11 14:18 . 2004-08-04 13:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 13:54 . 2009-10-22 12:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 . 2009-10-22 12:11 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-04 13:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 14:25 . 2009-09-01 14:17 -------- d-----w- c:\documents and settings\Owner\Application Data\HpUpdate
2009-09-01 14:20 . 2006-06-20 17:02 -------- d-----w- c:\program files\Hp
2009-08-29 08:08 . 2004-08-04 13:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 11:07 . 2006-05-24 19:56 97048 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-27 10:50 . 2009-06-10 23:13 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-27 10:50 . 2009-06-10 23:12 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-27 10:50 . 2009-06-10 23:12 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-26 08:00 . 2004-08-04 13:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-24 19:31 . 2009-01-25 21:16 -------- d-----w- c:\program files\Common Files\Merge Modules
2009-08-17 22:33 . 2009-08-17 22:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-05 09:01 . 2004-08-04 13:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 19:44 . 2004-08-04 13:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-31 14:23 . 2009-06-28 13:47 411368 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 10:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-19 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-20 98304]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-10-13 278528]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-10-11 409600]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-27 344064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Norton GoBack.lnk - c:\program files\Norton GoBack\GBTray.exe [2004-8-13 803976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-27 10:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Expression\\Media 2\\Media.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/06/2009 00:12 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/06/2009 00:13 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/06/2009 00:11 297752]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [20/06/2006 17:37 231424]
.
Contents of the 'Scheduled Tasks' folder

2009-05-07 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2005-03-03 10:04]

2009-10-23 c:\windows\Tasks\User_Feed_Synchronization-{F276F61A-8A9A-4329-9D79-3B39597419F7}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.ntlworld.com/welcome
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\jhclkyun.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.virginmedia.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-23 18:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????7?7?0?3??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-23 18:18
ComboFix-quarantined-files.txt 2009-10-23 17:18

Pre-Run: 14,863,126,528 bytes free
Post-Run: 15,025,582,080 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - D05C2E60D415B9C7A80EE8CBE55C8995

shelf life
2009-10-24, 00:47
hi danib,

Ok, thanks for all the information. Looks like you got Combofix to run and the good news is I don't see any malware in the log. I believe you are malware free. Malwarebytes removed some items also. How's it all looking on your end?

I went to that website where you were prompted to install "adobe flash".
I got the prompt/download also. There is one less compromised web site thanks to you. I sent an e-mail to the web site:



From: sean.p.kaneatgmaildotcom on behalf of Sean Kane (skane atceltickanedotcom)
Sent: Wed 10/21/09 3:46 PM
To: da dma (echoreplyathotmaildotcom)
Hello,

Thank you for notifying me of the security problem. I have fixed the issue.

Take care,
Sean

On Wed, Oct 21, 2009 at 4:58 PM, da dma <echoreplyathotmaildotcom> wrote:

your page is dishing out a prompt to install a fake adobe flash install that is malware. you are compromised, better check that code.



Even legit web sites can be compromised, at least until the site operator becomes aware of it anyway.
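
The verdict above ("I don't see any malware in the log") comes from reading the ComboFix "Reg Loading Points" section for autostart entries that should not be there. The script below is an added example, not code from the thread or from the ComboFix author: it parses Run-key lines in the format the log uses and applies the first checks a reviewer makes by eye. The sample mixes three values copied from the log above (swg, MSMSGS, AVG8_TRAY) and its orphan line with invented suspicious entries (qvzkupd, AdobeFlashUpdate, svchost); the regexes, the USER_WRITABLE markers and the SYSTEM_NAMES set are assumptions for the example.

```python
"""Autostart triage for a ComboFix-style "Reg Loading Points" section.

Added example, not part of the original thread. It applies the first checks a
log reviewer makes: the binary lives in a user-writable profile or temp
directory, it sits directly in the Windows directory, a core system process
name appears outside system32, or the entry points at a file that no longer
exists. The sample mixes lines copied from the log with invented ones.
"""
import ntpath
import re
from typing import List, NamedTuple

# "swg"="c:\program files\...\GoogleToolbarNotifier.exe" [2008-05-19 68856]
RUN_LINE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]')
# WebBrowser-{604BC32A-...} - (no file)
ORPHAN_LINE = re.compile(r'^(?P<name>\S+)\s+-\s+\(no file\)')

# Substrings that place a binary somewhere a limited user can write (assumed list).
USER_WRITABLE = ("\\local settings\\temp\\", "\\application data\\", "\\temp\\", "\\recycler\\")
# Core processes that only run from system32; a copy elsewhere is masquerading.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}


class AutostartEntry(NamedTuple):
    name: str
    path: str   # lower-cased; "(no file)" for orphans
    size: int


class Flag(NamedTuple):
    entry: AutostartEntry
    reason: str


def parse_loading_points(text: str) -> List[AutostartEntry]:
    """Collect Run-key values and orphan lines; key headers and noise are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_LINE.match(line)
        if m:
            entries.append(AutostartEntry(m["name"], m["path"].lower(), int(m["size"])))
            continue
        m = ORPHAN_LINE.match(line)
        if m:
            entries.append(AutostartEntry(m["name"], "(no file)", 0))
    return entries


def triage(entries: List[AutostartEntry]) -> List[Flag]:
    """Return every reason an entry deserves a second look (one entry may get several)."""
    flags = []
    for e in entries:
        if e.path == "(no file)":
            flags.append(Flag(e, "points at a file that no longer exists"))
            continue
        directory, filename = ntpath.dirname(e.path), ntpath.basename(e.path)
        if any(marker in e.path for marker in USER_WRITABLE):
            flags.append(Flag(e, "binary in a user-writable profile/temp directory"))
        if directory == r"c:\windows" and ntpath.splitext(filename)[1] in (".exe", ".dll"):
            flags.append(Flag(e, "binary dropped directly in the Windows directory"))
        if filename in SYSTEM_NAMES and directory != r"c:\windows\system32":
            flags.append(Flag(e, "system process name outside system32 (masquerade)"))
    return flags


def flagged_names(flags: List[Flag]) -> List[str]:
    """Entry names with at least one flag, in log order, without duplicates."""
    seen: List[str] = []
    for f in flags:
        if f.entry.name not in seen:
            seen.append(f.entry.name)
    return seen


# Constructed sample: swg, MSMSGS, AVG8_TRAY and the orphan line are copied from
# the log above; qvzkupd, AdobeFlashUpdate and svchost are invented.
SAMPLE_LOADING_POINTS = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-19 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"qvzkupd"="c:\documents and settings\Owner\Local Settings\Temp\qvzkupd.exe" [2009-10-19 61440]
"AdobeFlashUpdate"="c:\documents and settings\Owner\Application Data\flashupd.exe" [2009-10-19 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"svchost"="c:\windows\svchost.exe" [2009-10-19 24576]

- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
"""

if __name__ == "__main__":
    for f in triage(parse_loading_points(SAMPLE_LOADING_POINTS)):
        print(f"{f.entry.name}: {f.entry.path} -> {f.reason}")
```

A flag is a prompt to look closer (check the file's publisher, date and hash), not a verdict: plenty of legitimate installers drop updaters under Application Data. The checks that matter most are the cheap ones a list like this makes systematic, which is why none of the log's own entries trip them while the invented Temp-directory and `c:\windows\svchost.exe` entries do.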

danib
2009-10-24, 15:20
Dear Shelf Life,

I am so pleased that we have been able to save another JavaScript tester from the gates of hell!

Thank you so much for sharing all your expertise, time and effort on my behalf; I will make a donation to the site as soon as I am able.

At my end, everything looks a lot better. Mozilla is still opening links into new windows though, and the only way I can search is through the search engine facility on some sites - none of my toolbar search engines work anymore.

I presume I should re-install Mozilla and Explorer?

Once I knew 100% that I had a virus, I panicked at the thought of losing my work and quickly began using my provider's online backup service.

Q1. Could any of the files that I backed up be infected? Or, would the providers security have stopped them from being uploaded?

With regard to the modem or wireless routers, I am reluctant to run another PC from this modem or use a wireless router, in case I infect it, even after power off; Q2. Now the PC is clean should I have any concerns in this area?

Q3. Is there any advice that I should be aware of? (Apart from - only update software from the manufacturer's site in future)

I know you are really busy; but, perhaps you might be kind enough to add a quick response like - Q1 - Yes/No:

Q1 -
Q2 -
Q3 -

Thank you, once again - I owe you a big drink pal!

dan.

shelf life
2009-10-24, 19:01
hi danib

You're welcome.
Q1: Yes, it's possible for malware to infect other files. Based on your logs it looks like you do not have malware that infects other files. I am sure your off-site backup provider has tools in place to prevent malware from getting on their server.

Q2: Once a machine is clean then you should have no worries about using a computer via a router. Using another single computer with the same modem would be safe anytime. Malware doesn't infect modems.

Q3: I do have general tips that I post usually at the end when we are all done. Or you can see them at the link below now if you wish:
http://www.virusvault.us/index.html


Mozilla is still opening links into new windows though
You mean like random links to different websites on its own? Like it has a mind of its own?

The tool bars you might try uninstalling via the add/remove programs panel, reboot and re-install them.

danib
2009-10-24, 22:33
AVG FREE 9.0 IS OUT TODAY.

There is the 9.0.37 free version and a 9.0.698 free version update @

doubleudoubleudoubleu.avg.com/gb-en/download?prd=afg

*********************************************************

Dear Shelf Life,

I am so glad that you have asked me that; I was concerned that you may think that I was using you as an easy option because I couldn't be bothered to research this stuff myself; when actually, I have been trying to sort this out for pretty much two days now, on and off.

My next step was going to be the tavern, to give you a break.

You have done so much already to help, so, I feel a little guilty now asking for yet more; but, you did ask about Mozilla and it is still not sound and I have discovered explorer is the same.

Initially I thought it was virus connected, as my address bar and google search box stopped working on the very next search after AVG found the trojan horse.

Therefore, today, I have re-installed Mozilla - no change at all.

After researching the issue some more and using some common sense (or "cop on" in colloquial English dialect) I think it is a security issue - it must be if Explorer is having the same trouble.

After typing any topic into the google search text box and pressing enter, the page just displays this message in Mozilla:

Unable to connect

Fire*fox can't establish a connection to the server at doubleudoubleudoubleu*google*com.
* The site could be temporarily unavailable or too busy. Try again in a few
moments.
* If you are unable to load any pages, check your computer's network
connection.
* If your computer or network is protected by a firewall or proxy, make sure
that Fire*fox is permitted to access the Web.

Explorer asks if I want XP to mend my connection - which it fails to do after trying.

*********************************************************

I am sure this is something to do with my firewall; so, I have searched AVG and AVG help for, 'how to change the firewall settings' - as far as I can see there aren't any in AVG free.

My next step, was to go to the XP security Center, where I allowed Mozilla as an exception in the firewall settings; then I deleted the exception, as per the Mozilla site advice at:

h*t*t*p*://kb.mozillazine.org/Error_loading_websites

No change!

So, what has XP done that I cannot undo please?

Unfortunately, I just cannot leave my PC like this and get on with my uni work again; it would drive me mad knowing something wasn't right.

Thank you,

dan.

danib
2009-10-24, 22:45
Just found this in a search through my homepage's search engine:

*********************************************************

@ - h*t*t*p*://support.mozilla.com/en-US/forum/1/433678

I have seen viruses cause this issue. You need to erase the entries in your hosts file that pertain to sites like google, yahoo, facebook, etc. It is a simple fix.

Follow these directions:
h*t*t*p*://doubleudoubleudoubleu.fpweb.net/support/managed-hosting/hostfile-editing-support.asp

*********************************************************

So, it could be virus related then!

Should I follow the instructions please? I shall await your instructions.

dan.

danib
2009-10-25, 00:28
Just before I retire for the night..

I have removed all the cookies in Mozilla (as per one forum's advice) with no joy!

and

In case the problem was connected to the JavaScript error that started all of this, I also undertook this Temporary Fix @:

h*t*t*p*s://wiki.mozilla.org/Firefox3_Timeout_Problem

Since this problem is made really bad with persistent connections we can disable this.

1. Open a new tab, and goto: about:config
2. Do not fear the dragons and click "I'll be careful, I promise!"
3. Search for the value: network.http.keep-alive
4. Right click on this value and click "toggle" to change it to false
5. Then restart Fire*fox

*********************************************************

I knew there would be no change as the Explorer "google search box" is down too; I felt I had to try both and mention these changes, just in case you were to recommend them, when I had already tried them!

dan.

shelf life
2009-10-25, 02:19
hi,

You don't have a software firewall. I don't think the free version of AVG has one.

Resetting your hosts file won't do any harm. This is a much easier way:

Download the Hoster from here:

http://www.softpedia.com/get/Security/Security-Related/Hoster.shtml
It is a zip file, extract it to your desktop. Open the folder and click the icon:
Press 'Restore MS hosts file' and press 'OK'
Exit Program.

For IE you can try: open IE and click on Tools>Internet options>Advanced tab at the bottom click on the Reset...button.

Check Malwarebytes for any updates, then do another scan and post the log please.
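
The symptom reported a few posts up (Firefox reporting "Unable to connect" for www.google.com while other sites load, and Explorer's search box dead too) is what a hijacked hosts file looks like from the browser: the attacker pins search engines and security-vendor names to the loopback address or to a host of their own, and no amount of cookie clearing or firewall exceptions will touch it. The script below is an added example, not code from the thread or from the Hoster tool: it parses a hosts file, flags mappings for well-known domains and produces the stock XP content that Hoster's "Restore MS hosts file" writes back. The WATCHED_DOMAINS list, the function names and the SAMPLE_HOSTS text are assumptions constructed for the example.

```python
"""Hosts-file hijack check (added example, not part of the original thread).

A browser that says "Unable to connect" for a few well-known sites while the
rest of the network works is the classic sign of an edited hosts file: search
engines and security vendors are pinned to loopback (sinkholed) or to an
address the attacker controls (redirected). This parses a hosts file, flags
entries for watched domains and yields the stock content that Hoster's
"Restore MS hosts file" writes back. SAMPLE_HOSTS below is constructed.
"""
import ipaddress
import os
from typing import List, NamedTuple

# Windows XP's stock hosts file holds only comments and this single mapping
# (the IPv6 "::1 localhost" line only appears from Vista onwards).
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Names that have no business in a hosts file. Assumed list for the example;
# extend it with the sites and security vendors your own users depend on.
WATCHED_DOMAINS = (
    "google.com", "yahoo.com", "bing.com", "facebook.com",
    "microsoft.com", "windowsupdate.com", "avg.com", "malwarebytes.org",
)


class HostsEntry(NamedTuple):
    lineno: int
    ip: str
    hostname: str


class Finding(NamedTuple):
    entry: HostsEntry
    kind: str  # "sinkholed" (loopback / 0.0.0.0) or "redirected" (anything else)


def hosts_path() -> str:
    """Default location on Windows. Malware can relocate the directory through
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\DataBasePath,
    so confirm that value still points here before trusting this path."""
    return os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                        "system32", "drivers", "etc", "hosts")


def parse_hosts(text: str) -> List[HostsEntry]:
    """One HostsEntry per (address, name) pair; comments and lines whose first
    token is not an IP address are skipped, as Windows skips them."""
    entries: List[HostsEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        entries.extend(HostsEntry(lineno, ip, n.lower()) for n in names)
    return entries


def _is_watched(hostname: str) -> bool:
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(entries: List[HostsEntry]) -> List[Finding]:
    """Flag every mapping for a watched domain. A loopback or 0.0.0.0 target
    silently blocks the site (typical for AV update servers); any other
    target sends the browser to a host the attacker controls."""
    findings = []
    for e in entries:
        if _is_watched(e.hostname):
            addr = ipaddress.ip_address(e.ip)
            sinkholed = addr.is_loopback or addr.is_unspecified
            findings.append(Finding(e, "sinkholed" if sinkholed else "redirected"))
    return findings


def restored_hosts() -> str:
    """Content to write back, equivalent to Hoster's 'Restore MS hosts file'."""
    return DEFAULT_HOSTS


# Constructed sample: the stock XP header plus the kind of lines a hijack adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.google.com google.com   # sinkholed: "Unable to connect"
0.0.0.0         update.avg.com              # sinkholed: AV cannot update
127.0.0.1       www.malwarebytes.org
203.0.113.5     www.facebook.com            # redirected (TEST-NET address)
10.0.0.7        intranet.local              # legitimate local override, kept
"""

if __name__ == "__main__":
    for f in find_hijacks(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {f.entry.lineno}: {f.entry.hostname} -> {f.entry.ip} ({f.kind})")
```

On a live machine, back the old file up before overwriting it with `restored_hosts()`, clear attributes some droppers set on it (`attrib -r -h -s hosts`), and run `ipconfig /flushdns` so the resolver cache does not keep serving the old answers. Separately, the ComboFix log above records `"EnableFirewall"= 0` under the standard firewall profile, i.e. the built-in Windows Firewall on this machine was switched off; turning it back on in the Security Center is a cheap step once the hosts file is clean.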

danib
2009-10-25, 19:51
Hello Shelf Life.

Re-setting the 'hosts' file worked! - Thank you; Explorer's and Mozilla's Google search boxes work again!

Did malwarebytes scan (took 4 hours this time) after an update - Worryingly AVG found 2 Trojan Horse Agent files during the scan; a window popped open which said, AVG had found:

c_:_\system volume information\*_restore(5596361C3-81D7-4614 etc etc\R*P305\A00 etc)_executable

********************************************************

AVG put them in the virus vault - malwarebytes didn't seem to find them, although it was running at the time?

It all seems OK now - but, is something buried in a restore file that keeps re-inventing itself and can't be deleted?

I cannot understand how this virus survived the other scans or is it a new one?

Thanks.

Log here:

*********************************************************
Malwarebytes' Anti-Malware 1.41
Database version: 3029
Windows 5.1.2600 Service Pack 3

25/10/2009 18:04:33
mbam-log-2009-10-25 (18-04-33).txt

Scan type: Full Scan (C:\|)
Objects scanned: 199038
Time elapsed: 4 hour(s), 5 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

shelf life
2009-10-25, 23:30
hi,

ok good. The file AVG found is actually in your restore archive which we will clean out as a last step.
You can delete the combofix icon from your desktop. Always check Malwarebytes for updates before a scan. You can delete the hoster folder if you want to.

System restore, the why and how:

One of the features of Windows XP, Vista and Windows 7 is the System Restore option; however, if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning ok.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (creates a new restore point on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot

If you have any more questions post away. If all is good here are some tips for you:

10 Tips for Reducing/Preventing Your Risk To Malware:

Simply knowing what constitutes a safe action on a computer and what may not will help you tremendously.

1) It is essential to keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us) (Windows), browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the auto-update feature. Staying updated is also necessary for web based applications like Java, Adobe Flash/Reader, QuickTime etc. Check their version status here. (http://secunia.com/vulnerability_scanning/online/)

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer where you're then prompted to install software to remedy this. See also the signs (http://www.virusvault.us/signs1.html) that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If you frequently have malware then you should review your computer habits.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem.

5) Don't click on ads/pop ups or offers from websites requesting that you need to install software, media players or codecs to your computer--for any reason.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.*

8) Install and understand the limitations of a software firewall.

9) A tool (http://nsslabs.com/general/ie8-hardening-tool.html) for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0. Read the FAQs.

10) Warez, cracks etc. are very popular for carrying malware payloads. Avoid. If you install files via p2p (http://www.virusvault.us/p2p.html) networks then you are much more likely to encounter malicious code. Do you trust the source of the file? Do you really need another malware source?

A longer version in link below.

Happy Safe Surfing.
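The "turn System Restore off, reboot, turn it back on" procedure in the post above can also be driven from PowerShell, which makes it easy to log the restore points before and after. This is an added example, not code from the thread or from any tool it mentions. It assumes PowerShell 2.0 or later (the version available for XP SP3, and the first with the *-ComputerRestore cmdlets), an administrator session, and that the system drive is C:; the script names and phase labels are the author's own.

```powershell
# Added example: the XP "disable, reboot, re-enable" System Restore purge from
# the post above, done with the PowerShell 2.0 *-ComputerRestore cmdlets instead
# of the System Properties dialog. Assumes an elevated session and drive C:.
# Run once with -Phase Purge, reboot, then run again with -Phase Recreate.
param(
    [ValidateSet("Purge", "Recreate")]
    [string]$Phase = "Purge",
    [string]$Drive = "C:\"
)

function Get-RestorePointSummary {
    # One line per restore point: sequence number, creation time, description.
    # CreationTime is a WMI datetime string, hence ConvertToDateTime.
    Get-ComputerRestorePoint -ErrorAction SilentlyContinue | ForEach-Object {
        "{0,4}  {1}  {2}" -f $_.SequenceNumber,
            $_.ConvertToDateTime($_.CreationTime).ToString("yyyy-MM-dd HH:mm"),
            $_.Description
    }
}

try {
    switch ($Phase) {
        "Purge" {
            Write-Host "Restore points before purge:"
            Get-RestorePointSummary
            # Turning System Restore off discards every restore point on the
            # drive, which is the whole point: a file that was snapshotted into
            # a restore point while the machine was infected goes with it.
            Disable-ComputerRestore -Drive $Drive -ErrorAction Stop
            Write-Host "System Restore disabled on $Drive. Reboot, then run with -Phase Recreate."
        }
        "Recreate" {
            Enable-ComputerRestore -Drive $Drive -ErrorAction Stop
            # Take a fresh baseline of the clean system straight away so there
            # is a known-good point to roll back to.
            Checkpoint-Computer -Description "Clean baseline after malware removal" `
                                -RestorePointType "MODIFY_SETTINGS"
            Write-Host "Restore points after recreate:"
            Get-RestorePointSummary
        }
    }
}
catch {
    # The enable/disable call can fail while the system is still starting up
    # (the error danib reports later in this thread); letting the tray and
    # services settle before retrying is the usual remedy.
    Write-Host "System Restore change failed: $($_.Exception.Message)"
    Write-Host "Wait for startup to finish and run this phase again."
    exit 1
}
```

The two-phase layout mirrors the reboot in the middle of the manual procedure: the purge phase only disables, and the recreate phase re-enables and immediately checkpoints, so the listing printed at the end should show a single, freshly dated restore point.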

danib
2009-10-26, 01:16
Hello Shelf Life!

It took me about 10 times of un-creating a restore point, then re-booting and creating a restore point, before it worked.

I kept getting the error message:

"You system had an error try to enable/ disable one or more of your drives - re-boot and try again"

*********************************************************

There is a chance it was my fault, by trying to re-set the restore points before all the tray icons had an opportunity to start up properly and settle down; once I let everything start up, before trying to re-set the restore points - no errors.

It took ages! My butt is kicked tomorrow as I have some work to be in at university that I just haven't been able to do; without your help I would have lost so much more.

It has honestly been a pleasure; you are so patient, as I have a tendency to ramble on.

As I was reluctant to use a card through this machine to make a donation, I went to my parents house to use theirs; they were out, so I will do it this week - you have my word, I will try and look out for you guys too.

It will be what I can afford; but, I won't forget you guys in future either. Anyway, my Mum's having trouble too (oh no, I hear you say!).

Let's hope your sell by date hasn't expired!

My most grateful thanks, I wish you all the very best in life!

dan.

PS/. PC is like Greased Lightning!!!!!!!!!!!!!!!!!!!!!

shelf life
2009-10-26, 10:53
hi danib,

OK, you're welcome. Glad it's all worked out OK.
I said just delete the combofix icon, which isn't the correct way -- actually you can use another tool to do it with (one final download):

Please download OTCleanIt and save it to desktop.

http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.

Good luck to you at the University and Happy Safe Surfing 'out there'

danib
2009-10-30, 21:57
Hello Shelf Life,

Donation made!

It was what I can afford as a student; I will make another when I get my next student loan.

The only reason that I have mentioned the donation is to encourage other people who have received support and can afford to make a donation - to do so.

Thank you for the advice; I saw your reply the day after you posted it; however, I wanted to be able to say that I had kept my word before getting back to you.

Since we last spoke I have purchased the latest version of Norton anti-virus. It took some time for the salesman to talk me into buying it as Norton ground my PC to a standstill the last time I used it. I was assured that the latest version is a lot better though, and it does seem to be the case.

Ran OTCleanIt - but still have a few issues.

I am sure that the Norton installation did not give me the option to uninstall AVG; I know not to run two anti-virus apps in parallel, but AVG was still installed after Norton had completed the installation.

This was first discovered by noticing that some AVG processes were still active in task manager; therefore, I uninstalled AVG and then I did a search of the C drive for all file names containing the letters 'av'.

I found several AVG folders and file names still installed that I could not delete - message, 'you cannot delete these files' or something like that.

- Is this a problem?
- How can I get rid of them please?

You have already sorted out the major issues with my PC and no doubt you will have a long line of people awaiting your assistance.

I shall keep checking back for a reply - thanks.

dan.

PS/. By the way, I sent my tutor an e-mail and included a link to this post; he was understanding as PC issues cannot be considered when asking for extenuating circumstances.

shelf life
2009-10-31, 00:07
shelf life is currently loaded and will get back to you

shelf life
2009-10-31, 16:11
hi danib,

We thank you for the donation. You might have AVG still active on your machine? It's possible to have some files and folders left over. Do you see an AVG icon by the clock or active processes in Task Manager (ctrl-alt-delete) that might be AVG related?
Please post a DDS log, you may still have the original icon on your desktop, if not:

Please download DDS (http://download.bleepingcomputer.com/sUBs/dds.scr) and save it to your desktop.
Disable any script blocking protection. Double click dds.scr to run the tool. When done, DDS.txt will open.
Save both reports to your desktop.
Copy/paste both logs in your reply.

danib
2009-11-01, 17:33
Hello Shelf Life,

The files requested are below.

A pop up window now appears when I shut down. Foolishly, I omitted to write the details down, but, I'm pretty sure that it was titled:

- ccsvchst.exe

There is no AVG icon on my desktop anymore; some AVG files are still on the system though.

Thanks, dan.

*********************************************************

Attach log:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 03/05/2006 15:46:26
System Uptime: 11/01/2009 15:38:29 (7057 hours ago)

Motherboard: Hewlett-Packard | | 30AE
Processor: AMD Turion(tm) 64 Mobile Technology ML-32 | U23 | 1575/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 37 GiB total, 17.199 GiB free.
D: is CDROM ()
E: is CDROM (CDFS)
F: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 25/10/2009 23:55:25 - System Checkpoint
RP2: 26/10/2009 22:08:51 - Removed AVG Free 9.0
RP3: 27/10/2009 21:05:37 - Removed AVG Free 9.0

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
ABBYY FineReader 6.0 Sprint
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1.3
Adobe Shockwave Player
Athlon 64 Processor Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Broadcom 802.11 Wireless LAN Adapter
BroadJump Client Foundation
Camera RAW Plug-In for EPSON Creativity Suite
Compatibility Pack for the 2007 Office system
Conexant AC-Link Audio
Crimson Editor (remove only)
Critical Update for Windows Media Player 11 (KB959772)
CX4300_5500_DX4400 manual
Easy Internet Sign-up
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Easy Photo Print
EPSON File Manager
EPSON Printer Software
EPSON Scan
EPSON Scan Assistant
EPSON Web-To-Page
GEAR driver installer for x86 and x64
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Microsoft Visual Studio 2008 Professional Edition - ENU (KB971091)
Hotfix for Microsoft Visual Studio 2008 Professional Edition - ENU (KB973674)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Help and Support
HP Update
HP User Guides 0012
HP Wireless Assistant 1.01 C1
HpSdpAppCoreApp
InterVideo WinDVD
iTunes
J2SE Runtime Environment 5.0 Update 5
Java(TM) 6 Update 16
LiveUpdate 3.0 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Document Explorer 2008
Microsoft Expression Blend 2
Microsoft Expression Design 2
Microsoft Expression Encoder 2
Microsoft Expression Media 2 SP2
Microsoft Expression Studio 2
Microsoft Expression Web 2
Microsoft Expression Web 2 MUI (English)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access 2007
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Project 2007 Service Pack 1 (SP1)
Microsoft Office Project MUI (English) 2007
Microsoft Office Project Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard Edition 2003
Microsoft Office Visio 2007 Service Pack 1 (SP1)
Microsoft Office Visio MUI (English) 2007
Microsoft Office Visio Professional 2007
Microsoft Office Visual Web Developer 2007
Microsoft Office Visual Web Developer MUI (English) 2007
Microsoft Publisher 2002
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2008 Professional Edition - ENU
Microsoft Visual Studio Web Authoring Component
Mozilla Firefox (3.5.3)
MSN
MSN Toolbar
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Norton 360
Norton GoBack 4.0 (Symantec Corporation)
Quick Launch Buttons 5.20 D2
QuickTime
REALTEK Gigabit and Fast Ethernet NIC Driver
ScanToWeb
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Project 2007 (KB949046)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio 2007 (KB957831)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975467)
Soft Data Fax Modem with SmartCP
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Sun Download Manager 2.0 (web)
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
TIxx21
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Expression Web 2 (KB957827)
Update for Microsoft Visual Studio 2008 Professional Edition - ENU (KB972221)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
V Stuff Backup v1.0.0.12705
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

28/10/2009 17:35:05, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the N360 service.
26/10/2009 23:14:46, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
26/10/2009 23:13:59, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPodService with arguments "-Service" in order to run the server: {7A7FB085-6068-4898-8CCA-480A9187277C}
26/10/2009 22:06:36, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avg9wd service.
26/10/2009 12:10:49, error: ati2mtag [52225] - CPLIB :: Open Session - Failed to load the library
25/10/2009 23:41:50, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the HP WMI Interface service to connect.
25/10/2009 23:41:50, error: Service Control Manager [7000] - The HP WMI Interface service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
25/10/2009 23:41:45, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service hpqwmi with arguments "-Service" in order to run the server: {7DC5B2D7-CACC-47F2-836E-4DF85F026072}
25/10/2009 23:17:51, error: Service Control Manager [7000] - The Security Services Driver (x86) service failed to start due to the following error: The system cannot find the file specified.
25/10/2009 23:03:36, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.
25/10/2009 23:03:36, error: Service Control Manager [7000] - The LiveUpdate service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
25/10/2009 23:03:35, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service LiveUpdate with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
25/10/2009 21:45:51, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
25/10/2009 21:45:51, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Netman service.

==== End Of File ===========================

*********************************************************

DDS log:


DDS (Ver_09-10-26.01) - NTFSx86
Run by Owner at 16:12:16.65 on 01/11/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.222.65 [GMT 0:00]

AV: Norton 360 *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\spoolsv.exe
F:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.virginmedia.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.ntlworld.com/welcome
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.0.0.135\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1226352887000
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.0.0.135\CoIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\jhclkyun.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.virginmedia.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

S? BHDrvx86;Symantec Heuristics Driver
S? ccHP;Symantec Hash Provider
S? EraserUtilRebootDrv;EraserUtilRebootDrv
S? HSFHWATI;HSFHWATI
S? IDSxpx86;IDSxpx86
S? N360;Norton 360
S? SymEFA;Symantec Extended File Attributes

=============== Created Last 30 ================

2009-10-26 21:25:23 0 d-----w- c:\docume~1\alluse~1\applic~1\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-10-26 21:23:09 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-10-26 21:22:44 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-10-26 21:22:44 7386 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-10-26 21:22:44 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-10-26 21:22:44 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-10-26 21:18:47 0 d-----w- c:\windows\system32\drivers\N360
2009-10-26 21:18:37 0 d-----w- c:\program files\Norton 360
2009-10-26 21:18:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2009-10-26 21:15:53 0 d-----w- c:\program files\NortonInstaller
2009-10-26 21:15:53 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-10-26 13:06:32 0 d-----w- c:\windows\system32\NtmsData
2009-10-24 18:00:17 0 d-----w- C:\$AVG
2009-10-24 17:57:09 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-10-23 16:59:28 0 d-sha-r- C:\cmdcons
2009-10-23 16:56:17 236544 ----a-w- c:\windows\PEV.exe
2009-10-22 12:12:42 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2009-10-22 12:12:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-22 12:12:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-22 12:11:59 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-22 12:11:58 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-20 19:10:01 0 d-----w- c:\program files\Trend Micro
2009-10-20 14:22:35 0 d-----w- c:\docume~1\alluse~1\applic~1\VirginMedia
2009-10-20 14:16:21 0 d-----w- c:\program files\VirginMedia
2009-10-19 18:05:23 0 d-----w- c:\windows\system32\wbem\Repository
2009-10-18 15:19:30 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-10-14 16:32:29 5 ----a-w- c:\windows\system32\Band4
2009-10-14 16:32:28 7 ----a-w- c:\windows\system32\Class11

==================== Find3M ====================

2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-17 22:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 19:44:46 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:08 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-01-06 14:53:26 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010620090107\index.dat

============= FINISH: 16:13:55.46 ===============

danib
2009-11-01, 17:41
The attach log shows that AVG was removed two days in a row; I thought that I was going mad when I switched my PC on and AVG was still there!

That is why I questioned whether there was an option to remove AVG during the Norton install - I was sure that I ticked to remove AVG; but, then presumed I was wrong when AVG was still there.

I don't know if this helps

d.

shelf life
2009-11-02, 00:34
hi,
looks like ccsvchst.exe is related to a Norton product:
http://www.bleepingcomputer.com/startups/ccSvcHst.exe-17472.html


"some AVG files are still on the system though"
It's possible to have left over files. Uninstallers can leave stuff behind. I don't see anything in the log that appears to be AVG.
What's the path of the AVG files you see, like:
C:/Program Files/AVG?
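The check being asked for here, looking through a DDS log for paths that still belong to an uninstalled product, can be done mechanically rather than by eye. The following is an added example, not code from the thread or from DDS itself. The sample lines are excerpted from the DDS log posted above; the function name, the "avg" keyword and the treatment of "No File" entries as worth a second look are the author's assumptions.

```powershell
# Added example: scan a DDS log for leftover references to an uninstalled
# product. Sample lines are excerpted from the log posted earlier in this
# thread; the single-quoted here-string keeps "$AVG" literal.
$SampleLog = @'
============== Running Processes ===============

C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE

============== Pseudo HJT Report ===============

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll

================= FIREFOX ===================

FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

=============== Created Last 30 ================

2009-10-24 18:00:17 0 d-----w- C:\$AVG
2009-10-24 17:57:09 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-10-22 12:11:58 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
'@

function Find-LeftoverReferences {
    # Returns one object per suspicious line: the DDS section it came from,
    # why it was flagged, and the filesystem path on the line (if any).
    param(
        [Parameter(Mandatory = $true)][string]$LogText,
        [Parameter(Mandatory = $true)][string]$Product
    )
    $section = "(preamble)"
    $hits = @()
    foreach ($line in $LogText -split "`r?`n") {
        # DDS section headers look like "===== Name =====" with variable padding.
        if ($line -match '^=+\s*(.+?)\s*=+\s*$') { $section = $Matches[1]; continue }
        if ($line.Trim() -eq "") { continue }

        # Two kinds of line deserve a second look after an uninstall: one that
        # still names the product (matching is case-insensitive), and a
        # registered component whose file is already gone ("No File").
        $mentionsProduct = $line -match [regex]::Escape($Product)
        $missingFile     = $line -match '\bNo File\b'
        if (-not ($mentionsProduct -or $missingFile)) { continue }

        # Pull the path: from the first drive letter to the end of the line,
        # so paths containing spaces survive intact.
        $path = $null
        if ($line -match '([A-Za-z]:\\.*)$') { $path = $Matches[1].Trim() }

        $hits += New-Object PSObject -Property @{
            Section = $section
            Reason  = $(if ($mentionsProduct) { "mentions '$Product'" } else { "No File" })
            Path    = $path
            Line    = $line
        }
    }
    return ,$hits
}

Find-LeftoverReferences -LogText $SampleLog -Product "avg" |
    Format-Table Section, Reason, Path -AutoSize
```

Against the excerpt this flags the Firefox component under c:\program files\avg\avg9, the C:\$AVG folder, the avg9 application-data folder, and the orphaned toolbar GUID with no file, while leaving the Norton and Malwarebytes lines alone. Each Path value can then be fed to Test-Path or Get-Item on the machine itself to confirm whether the leftover still exists before deciding what to do with it.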

danib
2009-11-07, 00:46
Drowning in Uni work - PM sent!

d.