View Full Version : Spybot and HJT won't run
TassieWarrior
2009-11-15, 08:05
I think i have a malware problem and it isn't letting me run spybot, Something has changed the file names in the folder with what looks like (HGFDFTDYDFGYTDT) that! i have been through renaming the .scr and .exe files and it then will allow spybot to open and let me do anything except when you go to check for problems, it then just closes spybot and when you go to re open spybot it comes up with a windows box that says either the file is write-protected or the user does not have permission to access this file,
I then downloaded HJT and installed it alright i did a scan and save and it got halfway through it and the program shutdown and then now when you go to reopen it it comes up with the same box as with spybot. What can i do now please?
TassieWarrior
2009-11-15, 13:15
I was able to get a win32kdiag log, well part of it anyway, i will post it up here, hopefully it may help
Hi,
Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@ECHO OFF
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >Log.txt
START Log.txt
DEL %0
Double-click on fixes.bat file to execute it. Notepad should open up. Post back its contents, please.
TassieWarrior
2009-11-23, 12:58
This is the log file you requested, thank you for helping
Volume in drive C has no label.
Volume Serial Number is B8E0-0EAF
Directory of C:\WINDOWS\$NtServicePackUninstall$
28/02/2006 11:00 PM 180,224 scecli.dll
Directory of C:\WINDOWS\$NtServicePackUninstall$
28/02/2006 11:00 PM 407,040 netlogon.dll
Directory of C:\WINDOWS\$NtServicePackUninstall$
28/02/2006 11:00 PM 55,808 eventlog.dll
3 File(s) 643,072 bytes
Directory of C:\WINDOWS\ServicePackFiles\i386
14/04/2008 11:12 AM 181,248 scecli.dll
Directory of C:\WINDOWS\ServicePackFiles\i386
14/04/2008 11:12 AM 407,040 netlogon.dll
Directory of C:\WINDOWS\ServicePackFiles\i386
14/04/2008 11:11 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes
Directory of C:\WINDOWS\system32
14/04/2008 11:12 AM 181,248 scecli.dll
Directory of C:\WINDOWS\system32
14/04/2008 11:12 AM 407,040 netlogon.dll
Directory of C:\WINDOWS\system32
14/04/2008 11:11 AM 61,952 eventlog.dll
3 File(s) 650,240 bytes
Total Files Listed:
9 File(s) 1,937,920 bytes
0 Dir(s) 12,910,960,640 bytes free
Hi again :)
Download The Avenger by Swandog46 from here (http://swandog46.geekstogo.com/avenger2/download.php).
Unzip/extract it to a folder on your desktop.
Double click on avenger.exe to run The Avenger.
Click OK.
Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
Files to move:
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll|C:\WINDOWS\system32\eventlog.dll
In the avenger window, click the Paste Script from Clipboard, http://img220.imageshack.us/img220/8923/pastets4.png button.
Click the Execute button.
You will be asked Are you sure you want to execute the current script?.
Click Yes.
You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
Click Yes.
Your PC will now be rebooted.
Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
Please post this log in your next reply.
TassieWarrior
2009-11-24, 13:10
Here is the log
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File move operation "C:\WINDOWS\ServicePackFiles\i386\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.
Completed script processing.
*******************
Finished! Terminate.
Good. Let's continue.
Please save this (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe) file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the Open box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r
Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
TassieWarrior
2009-11-24, 13:35
the requsted logs
Running from: C:\Documents and Settings\Daddy\desktop\win32kdiag.exe
Log file at : C:\Documents and Settings\Daddy\Desktop\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\addins\addins
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP10B.tmp\ZAP10B.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP10B.tmp\ZAP10B.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP11F.tmp\ZAP11F.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP11F.tmp\ZAP11F.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP134.tmp\ZAP134.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP134.tmp\ZAP134.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP20A.tmp\ZAP20A.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP20A.tmp\ZAP20A.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2BC.tmp\ZAP2BC.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2BC.tmp\ZAP2BC.tmp
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\temp\temp
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\tmp\tmp
Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Config\Config
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Found mount point : C:\WINDOWS\Debug\UserMode\UserMode
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode
Found mount point : C:\WINDOWS\ftpcache\ftpcache
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ftpcache\ftpcache
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\chsime\applets\applets
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp\applets\applets
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp98\imejp98
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\shared\res\res
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\classes\classes
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\trustlib\trustlib
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo
Found mount point : C:\WINDOWS\mui\mui
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\mui\mui
Found mount point : C:\WINDOWS\pchealth\ErrorRep\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\ErrorRep\QHEADLES\QHEADLES
Found mount point : C:\WINDOWS\pchealth\ErrorRep\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\ErrorRep\QSIGNOFF\QSIGNOFF
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PIF\PIF
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7b0631e184025ba37e5a4ec1d8637e7\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\b7b0631e184025ba37e5a4ec1d8637e7\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\backup\backup
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Cannot access: C:\WINDOWS\system32\MRT.exe
Attempting to restore permissions of : C:\WINDOWS\system32\MRT.exe
Found mount point : C:\WINDOWS\temp\0ded3eab-b941-4455-81d3-51ab90b4c063\0ded3eab-b941-4455-81d3-51ab90b4c063
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\temp\0ded3eab-b941-4455-81d3-51ab90b4c063\0ded3eab-b941-4455-81d3-51ab90b4c063
Found mount point : C:\WINDOWS\temp\7ea24853-aeda-4ef8-9bbf-1fc9dd16f9dc\7ea24853-aeda-4ef8-9bbf-1fc9dd16f9dc
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\temp\7ea24853-aeda-4ef8-9bbf-1fc9dd16f9dc\7ea24853-aeda-4ef8-9bbf-1fc9dd16f9dc
Found mount point : C:\WINDOWS\temp\96907fcd-7dd1-4633-8931-2d8e5865706a\96907fcd-7dd1-4633-8931-2d8e5865706a
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\temp\96907fcd-7dd1-4633-8931-2d8e5865706a\96907fcd-7dd1-4633-8931-2d8e5865706a
Found mount point : C:\WINDOWS\temp\c8dd9e49-b1b0-424e-9763-b77c1de0589b\c8dd9e49-b1b0-424e-9763-b77c1de0589b
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\temp\c8dd9e49-b1b0-424e-9763-b77c1de0589b\c8dd9e49-b1b0-424e-9763-b77c1de0589b
Found mount point : C:\WINDOWS\temp\f681da11-17af-4ab4-8797-bd79291e258f\f681da11-17af-4ab4-8797-bd79291e258f
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\temp\f681da11-17af-4ab4-8797-bd79291e258f\f681da11-17af-4ab4-8797-bd79291e258f
Found mount point : C:\WINDOWS\temp\Google Toolbar\Google Toolbar
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\temp\Google Toolbar\Google Toolbar
Found mount point : C:\WINDOWS\temp\History\Results\Results
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\temp\History\Results\Results
Found mount point : C:\WINDOWS\temp\RtSigs\Data\Data
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\temp\RtSigs\Data\Data
Found mount point : C:\WINDOWS\temp\WDF13.tmp\WDF13.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\temp\WDF13.tmp\WDF13.tmp
Found mount point : C:\WINDOWS\temp\WDFE.tmp\WDFE.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\temp\WDFE.tmp\WDFE.tmp
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2
Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303
Finished!
TassieWarrior
2009-11-24, 13:36
DDS (Ver_09-09-29.01) - NTFSx86
Run by Daddy at 22:33:47.70 on Tue 24/11/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2823 [GMT 11:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\iWin Games\iWinTrusted.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Daddy\Desktop\dds.com
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://redirect.zonelabs.com/redirect/route?oem=1025&prod=0&mode=1&app=inclient&version=7.0.473.000&lang=en&locale=en-AU&date=-86400&link_id=4&dest=try_product&lic=j5hvqhisiu3s4he7bhx644bu4g0
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: iWin Toolbar: {ce0c2586-da36-452b-acdb-320d9bcb19bf} - c:\program files\iwin\tbiWi1.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: iWin Toolbar: {ce0c2586-da36-452b-acdb-320d9bcb19bf} - c:\program files\iwin\tbiWi1.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [Seagate Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\daddy\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: bigpond.com\my
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
LSA: Authentication Packages = msv1_0 relog_ap
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-8 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-8 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-8 108552]
R2 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2009-9-3 78104]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2008-6-24 431384]
S1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;\??\c:\program files\grisoft\avg anti-spyware 7.5\guard.sys --> c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [?]
S1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\avgascln.sys --> c:\windows\system32\drivers\AvgAsCln.sys [?]
S2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe --> c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [?]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe --> c:\progra~1\avg\avg8\avgemc.exe [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-12 297752]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-7-28 152576]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
=============== Created Last 30 ================
2009-11-16 09:11 <DIR> --d-h--- c:\windows\PIF
2009-11-16 09:01 <DIR> --d----- c:\docume~1\daddy\applic~1\Malwarebytes
2009-11-16 09:01 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-16 09:01 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-11-16 09:01 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-11-16 09:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-15 16:54 <DIR> --d----- c:\program files\Trend Micro
2009-11-08 22:22 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-11-08 20:27 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-11-08 20:21 <DIR> --d----- c:\docume~1\daddy\applic~1\AVG8
2009-11-08 20:21 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-11-03 22:25 <DIR> --d----- C:\$AVG
2009-11-03 22:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-11-03 22:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg9
2009-11-03 12:39 <DIR> --d----- C:\ProgramData
2009-10-28 14:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Alawar Stargaze
==================== Find3M ====================
2009-11-03 22:24 12,464 a------- c:\windows\system32\avgrsstx(2).dll
2009-09-12 01:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-05 08:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-29 19:08 916,480 a------- c:\windows\system32\wininet.dll
2008-09-16 21:32 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091620080917\index.dat
2008-09-16 21:32 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat
============= FINISH: 22:34:01.98 ===============
TassieWarrior
2009-11-24, 13:37
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-09-29.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 7/07/2008 6:50:23 PM
System Uptime: 24/11/2009 10:06:28 PM (0 hours ago)
Motherboard: Gigabyte Technology Co., Ltd. | | GA-M52S-S3P
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 6000+ | Socket M2 | 3013/200mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 38 GiB total, 12.467 GiB free.
D: is CDROM ()
F: is Removable
G: is CDROM ()
H: is FIXED (NTFS) - 466 GiB total, 412.593 GiB free.
==== Disabled Device Manager Items =============
Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia Windows Portable Device Driver
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia E51
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd
Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia 6120 classic
Device ID: ROOT\WPD\0001
Manufacturer: Nokia
Name: Nokia 6120 classic
PNP Device ID: ROOT\WPD\0001
Service: WUDFRd
==== System Restore Points ===================
RP394: 24/11/2009 10:31:16 PM - Software Distribution Service 3.0
==== Installed Programs ======================
Abdio Free MP4 Player (Free)
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
Adobe Shockwave Player
Barbie(TM) Diaries High School Mystery
Bookworm Adventures 2 (remove only)
Bookworm Adventures: The Monkey King (remove only)
Cars Demo
Collapse! Crunch
Critical Update for Windows Media Player 11 (KB959772)
DigitImg
Disney-Pixar Ratatouille Demo
Disney-Pixar WALL-E
DVD Shrink 3.2
Eureka's 1000 Games
Farm Frenzy 2 (remove only)
Farm Frenzy 3 (remove only)
ffdshow [rev 2202] [2008-10-10]
Free DVD Creator version 2.0
FW LiveUpdate
Google Earth
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Memories Disc
HP Software Update
iWin Games (remove only)
iWin Toolbar
Java(TM) 6 Update 12
Java(TM) 6 Update 4
Java(TM) 6 Update 7
K-Lite Codec Pack 4.9.0 (Standard)
Logitech QuickCam
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MSVC80_x86
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser
Nero 7 Essentials
neroxml
Nokia Connectivity Cable Driver
Nokia Flashing Cable Driver
Nokia PC Suite
Nokia Software Updater
NVIDIA Drivers
OGA Notifier 1.7.0105.35.0
overland
PC Connectivity Solution
Photosmart 140,240,7200,7600,7700,7900 Series
Picture Package Music Transfer
PS7900
PSShortcuts
PSUsage
QFolder
RealArcade
Realtek Card Reader
REALTEK GbE & FE Ethernet PCI NIC Driver
Realtek High Definition Audio Driver
Rugrats in Paris
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile Composite Device Software
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Samsung PC Studio 3 USB Driver Installer
Seagate*DiscWizard
SeaTools for Windows
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Shockwave
Sony Picture Utility
SpecOps
Spybot - Search & Destroy
The Sims 2
The Sims 2 Glamour Life Stuff
The Sims 2 University
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
VideoLAN VLC media player 0.8.6d
WebFldrs XP
Webshots Desktop
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Driver Package - Nokia Modem (05/22/2008 3.8)
Windows Driver Package - Nokia Modem (05/22/2008 7.00.0.1)
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Yahoo! Messenger
Yahoo! Toolbar
==== Event Viewer Messages From Past Week ========
24/11/2009 10:31:00 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000003A' while processing the file 'addins' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
23/11/2009 9:46:45 PM, error: Service Control Manager [7031] - The .NET Runtime Optimization Service v2.0.50727_X86 service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 960000 milliseconds: Restart the service.
23/11/2009 9:44:24 PM, error: Service Control Manager [7031] - The .NET Runtime Optimization Service v2.0.50727_X86 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
23/11/2009 9:39:22 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AVG Anti-Spyware Driver AvgAsCln
23/11/2009 9:39:14 PM, error: Service Control Manager [7024] - The AVG8 WatchDog service terminated with service-specific error 3758161981 (0xE001003D).
23/11/2009 9:39:14 PM, error: Service Control Manager [7001] - The AVG8 E-mail Scanner service depends on the AVG8 WatchDog service which failed to start because of the following error: The service has returned a service-specific error code.
23/11/2009 9:39:14 PM, error: Service Control Manager [7000] - The AVG Anti-Spyware Guard service failed to start due to the following error: The system cannot find the file specified.
==== End Of File ===========================
Hi,
Download this (http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe) file to c:\program files folder. Then goto the folder and drag'n'drop spybot - search & destroy folder to Inherit file.
Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
TassieWarrior
2009-11-25, 11:50
ComboFix 09-11-24.04 - Daddy 25/11/2009 20:21.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2960 [GMT 11:00]
Running from: c:\documents and settings\Daddy\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\iWin Games\iWinGamesHookIE.dll
c:\program files\iWin\tbiWi1.dll
c:\program files\SGPSA
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
((((((((((((((((((((((((( Files Created from 2009-10-25 to 2009-11-25 )))))))))))))))))))))))))))))))
.
2009-11-25 09:00 . 2009-11-25 09:00 389120 ----a-w- c:\windows\system32\CF26019.exe
2009-11-25 08:17 . 2009-11-25 08:17 85504 ----a-w- c:\program files\Inherit.exe
2009-11-15 22:11 . 2009-11-24 11:31 -------- d--h--w- c:\windows\PIF
2009-11-15 22:01 . 2009-11-15 22:01 -------- d-----w- c:\documents and settings\Daddy\Application Data\Malwarebytes
2009-11-15 22:01 . 2009-09-10 03:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-15 22:01 . 2009-11-15 22:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-15 22:01 . 2009-11-15 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-15 22:01 . 2009-09-10 03:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-15 05:54 . 2009-11-15 05:54 -------- d-----w- c:\program files\Trend Micro
2009-11-08 11:22 . 2009-11-15 04:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-08 09:57 . 2009-11-08 09:57 79488 ----a-w- c:\documents and settings\Daddy\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-08 09:27 . 2009-11-08 09:27 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-08 09:21 . 2009-11-08 09:21 -------- d-----w- c:\documents and settings\Daddy\Application Data\AVG8
2009-11-08 09:21 . 2009-11-08 09:21 -------- d-----w- C:\$AVG8.VAULT$
2009-11-04 03:08 . 2009-11-04 03:09 -------- d-----w- c:\documents and settings\Mummy\Application Data\MissTeriTale3
2009-11-03 11:25 . 2009-11-03 11:28 -------- d-----w- C:\$AVG
2009-11-03 11:24 . 2009-11-07 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-11-03 11:24 . 2009-11-08 09:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-03 01:39 . 2009-11-03 01:39 -------- d-----w- C:\ProgramData
2009-11-02 21:44 . 2009-10-04 07:51 3510552 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-11-01 11:36 . 2009-11-01 11:36 -------- d-----w- c:\documents and settings\Mummy\Application Data\Magic Academy 2
2009-10-28 03:52 . 2009-10-28 03:52 -------- d-----w- c:\documents and settings\Mummy\Local Settings\Application Data\STARGAZE_IMAGE_CACHE
2009-10-28 03:52 . 2009-10-28 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Alawar Stargaze
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-25 09:29 . 2009-09-13 06:45 -------- d-----w- c:\program files\iWin Games
2009-11-25 09:29 . 2008-09-25 03:40 -------- d-----w- c:\program files\iWin
2009-11-25 09:13 . 2008-07-08 03:05 -------- d-----w- c:\program files\AVG
2009-11-25 09:09 . 2008-07-08 10:36 24056 ----a-w- c:\documents and settings\Daddy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-24 10:44 . 2009-10-19 08:54 0 ----a-w- c:\windows\win32k.sys
2009-11-15 05:04 . 2008-07-13 04:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-08 11:18 . 2008-07-30 07:00 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-11-08 11:10 . 2008-08-18 05:23 -------- d-----w- c:\program files\MSN Games
2009-11-08 11:10 . 2008-09-08 06:35 -------- d-----w- c:\program files\Super Granny 3
2009-11-08 11:10 . 2008-12-28 08:05 -------- d-----w- c:\program files\Alawar
2009-11-08 11:09 . 2009-01-22 04:09 -------- d-----w- c:\program files\Snowy Treasure Hunter 3
2009-11-08 11:09 . 2008-09-08 06:35 -------- d-----w- c:\program files\Snowy Treasure Hunter 2
2009-11-08 11:09 . 2008-09-25 02:39 -------- d-----w- c:\program files\MumboJumbo
2009-11-08 11:08 . 2008-09-25 03:44 -------- d-----w- c:\program files\iWin.com
2009-11-08 11:05 . 2008-09-25 03:04 -------- d-----w- c:\program files\Fatman Adventures
2009-11-08 11:04 . 2008-09-25 02:37 -------- d-----w- c:\program files\Double Digger
2009-11-08 11:03 . 2008-09-01 02:56 -------- d-----w- c:\program files\Brave Dwarves Back For Treasures
2009-11-08 11:02 . 2008-11-23 07:45 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-08 10:56 . 2008-07-13 04:48 -------- d-----w- c:\program files\fuck off
2009-11-07 11:19 . 2008-07-08 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-11-04 03:44 . 2008-08-18 05:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-03 11:24 . 2008-07-08 03:06 12464 ----a-w- c:\windows\system32\avgrsstx(2).dll
2009-10-23 02:39 . 2008-12-15 01:24 -------- d-----w- c:\documents and settings\Mummy\Application Data\EleFun Games
2009-10-19 02:09 . 2009-09-30 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Merscom
2009-10-19 01:08 . 2009-10-19 01:08 -------- d-----w- c:\documents and settings\Mummy\Application Data\Alawar
2009-10-19 01:00 . 2009-01-19 22:38 -------- d-----w- c:\documents and settings\Mummy\Application Data\Meridian93
2009-10-19 00:24 . 2009-10-19 00:24 -------- d-----w- c:\documents and settings\All Users\Application Data\MythPeople
2009-10-16 23:27 . 2009-10-16 23:28 2025752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-10-13 03:13 . 2009-10-13 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Becky Brogan
2009-10-09 02:20 . 2009-10-09 02:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SOS
2009-10-06 10:42 . 2009-10-06 10:42 152576 ----a-w- c:\documents and settings\Daddy\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-04 07:51 . 2009-10-20 22:30 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-10-04 07:49 . 2009-10-08 06:28 1142552 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-09-30 02:05 . 2009-09-30 02:05 -------- d-----w- c:\documents and settings\Mummy\Application Data\Merscom
2009-09-26 11:45 . 2009-09-26 11:45 -------- d-----w- c:\documents and settings\Mummy\Application Data\FlyWheelGames
2009-09-11 14:18 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-19 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-07 488984]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-12-04 176128]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2004-02-02 495616]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2008-06-24 1325848]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2008-06-24 904768]
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2008-06-24 136472]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-17 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-06-13 16377344]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Daddy\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2008-7-20 157000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2008-11-2 1757]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-23 00:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPHUPD05"=c:\program files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" /hide
"Name of App"=c:\program files\SAMSUNG\FW LiveUpdate\FWManager.exe r
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/07/2008 2:06 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/07/2008 2:06 PM 108552]
R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [3/09/2009 4:30 AM 78104]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [24/06/2008 7:56 PM 431384]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/07/2008 1:43 PM 297752]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [28/07/2009 8:39 PM 152576]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2009-11-16 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\pexpress\hphped05.exe [2004-01-07 05:05]
2009-11-15 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-11-08 04:31]
2009-11-15 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-11-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://redirect.zonelabs.com/redirect/route?oem=1025&prod=0&mode=1&app=inclient&version=7.0.473.000&lang=en&locale=en-AU&date=-86400&link_id=4&dest=try_product&lic=j5hvqhisiu3s4he7bhx644bu4g0
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: bigpond.com\my
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
SafeBoot-AVG Anti-Spyware Driver
AddRemove-Collapse! Crunch - c:\program files\RealArcade\Installer\bin\gameinstaller.exe c:\program files\RealArcade\Installer\installerMain.clf
AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI
AddRemove-RealArcade - c:\program files\RealArcade\Installer\bin\gameinstaller.exe c:\program files\RealArcade\Installer\installerMain.clf
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-25 20:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(912)
c:\windows\system32\relog_ap.dll
- - - - - - - > 'explorer.exe'(1908)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\progra~1\Webshots\webshots.scr
c:\program files\HP\hpcoretech\comp\hptskmgr.exe
.
**************************************************************************
.
Completion time: 2009-11-25 20:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-25 09:45
ComboFix2.txt 2008-09-16 09:41
Pre-Run: 13,357,010,944 bytes free
Post-Run: 14,445,318,144 bytes free
- - End Of File - - 23F55B13A206101EF4C5369462083B9D
Hi again,
Open notepad and copy/paste the text in the quotebox below into it:
Rootkit::
c:\windows\win32k.sys
DirLook::
c:\program files\fuck off
DDS::
TB: {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No File
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Disable AVG properly, close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Uninstall old Adobe Reader versions and get the latest one (9.2) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here (http://pdfreaders.org/).
Uninstall your current Adobe shockwave player and shockwave entries and get the fresh one here (http://get.adobe.com/shockwave/) if needed.
Check here (http://www.adobe.com/software/flash/about/) to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). Fresh version can be obtained here (http://get.adobe.com/flashplayer/).
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 17 (http://java.sun.com/javase/downloads/index.jsp).
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
TassieWarrior
2009-11-26, 08:44
Hi again, when i ran combofix it tells me that avg is running but the only reference i can find of avg is 1 folder in program files with only a few files in it, it won't allow me to uninstall it or turn it off, it seemingly doesn't exist??
ComboFix 09-11-24.04 - Daddy 26/11/2009 10:28.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.3031 [GMT 11:00]
Running from: c:\documents and settings\Daddy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Daddy\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((( Files Created from 2009-10-25 to 2009-11-25 )))))))))))))))))))))))))))))))
.
2009-11-25 23:16 . 2009-11-25 23:16 -------- d-----w- c:\program files\Java
2009-11-25 23:15 . 2009-11-25 23:15 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-25 23:15 . 2009-11-25 23:15 152576 ----a-w- c:\documents and settings\Daddy\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-25 22:54 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Daddy\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-25 22:54 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-25 22:54 . 2009-11-25 22:54 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-25 22:52 . 2009-11-25 22:52 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-25 22:52 . 2009-11-25 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-25 09:00 . 2009-11-25 09:00 389120 ----a-w- c:\windows\system32\CF26019.exe
2009-11-25 08:17 . 2009-11-25 08:17 85504 ----a-w- c:\program files\Inherit.exe
2009-11-15 22:11 . 2009-11-24 11:31 -------- d--h--w- c:\windows\PIF
2009-11-15 22:01 . 2009-11-15 22:01 -------- d-----w- c:\documents and settings\Daddy\Application Data\Malwarebytes
2009-11-15 22:01 . 2009-09-10 03:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-15 22:01 . 2009-11-15 22:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-15 22:01 . 2009-11-15 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-15 22:01 . 2009-09-10 03:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-15 05:54 . 2009-11-15 05:54 -------- d-----w- c:\program files\Trend Micro
2009-11-08 11:22 . 2009-11-15 04:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-08 09:57 . 2009-11-08 09:57 79488 ----a-w- c:\documents and settings\Daddy\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-08 09:27 . 2009-11-08 09:27 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-08 09:21 . 2009-11-08 09:21 -------- d-----w- c:\documents and settings\Daddy\Application Data\AVG8
2009-11-08 09:21 . 2009-11-08 09:21 -------- d-----w- C:\$AVG8.VAULT$
2009-11-04 03:08 . 2009-11-04 03:09 -------- d-----w- c:\documents and settings\Mummy\Application Data\MissTeriTale3
2009-11-03 11:25 . 2009-11-03 11:28 -------- d-----w- C:\$AVG
2009-11-03 11:24 . 2009-11-07 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-11-03 11:24 . 2009-11-08 09:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-03 01:39 . 2009-11-03 01:39 -------- d-----w- C:\ProgramData
2009-11-02 21:44 . 2009-10-04 07:51 3510552 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-11-01 11:36 . 2009-11-01 11:36 -------- d-----w- c:\documents and settings\Mummy\Application Data\Magic Academy 2
2009-10-28 03:52 . 2009-10-28 03:52 -------- d-----w- c:\documents and settings\Mummy\Local Settings\Application Data\STARGAZE_IMAGE_CACHE
2009-10-28 03:52 . 2009-10-28 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Alawar Stargaze
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-25 23:16 . 2008-12-03 07:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-25 22:56 . 2008-07-10 12:14 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-25 09:29 . 2009-09-13 06:45 -------- d-----w- c:\program files\iWin Games
2009-11-25 09:29 . 2008-09-25 03:40 -------- d-----w- c:\program files\iWin
2009-11-25 09:13 . 2008-07-08 03:05 -------- d-----w- c:\program files\AVG
2009-11-25 09:09 . 2008-07-08 10:36 24056 ----a-w- c:\documents and settings\Daddy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-15 05:04 . 2008-07-13 04:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-08 11:18 . 2008-07-30 07:00 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-11-08 11:10 . 2008-08-18 05:23 -------- d-----w- c:\program files\MSN Games
2009-11-08 11:10 . 2008-09-08 06:35 -------- d-----w- c:\program files\Super Granny 3
2009-11-08 11:10 . 2008-12-28 08:05 -------- d-----w- c:\program files\Alawar
2009-11-08 11:09 . 2009-01-22 04:09 -------- d-----w- c:\program files\Snowy Treasure Hunter 3
2009-11-08 11:09 . 2008-09-08 06:35 -------- d-----w- c:\program files\Snowy Treasure Hunter 2
2009-11-08 11:09 . 2008-09-25 02:39 -------- d-----w- c:\program files\MumboJumbo
2009-11-08 11:08 . 2008-09-25 03:44 -------- d-----w- c:\program files\iWin.com
2009-11-08 11:05 . 2008-09-25 03:04 -------- d-----w- c:\program files\Fatman Adventures
2009-11-08 11:04 . 2008-09-25 02:37 -------- d-----w- c:\program files\Double Digger
2009-11-08 11:03 . 2008-09-01 02:56 -------- d-----w- c:\program files\Brave Dwarves Back For Treasures
2009-11-08 11:02 . 2008-11-23 07:45 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-08 10:56 . 2008-07-13 04:48 -------- d-----w- c:\program files\fuck off
2009-11-07 11:19 . 2008-07-08 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-11-04 03:44 . 2008-08-18 05:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-03 11:24 . 2008-07-08 03:06 12464 ----a-w- c:\windows\system32\avgrsstx(2).dll
2009-10-23 02:39 . 2008-12-15 01:24 -------- d-----w- c:\documents and settings\Mummy\Application Data\EleFun Games
2009-10-19 02:09 . 2009-09-30 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Merscom
2009-10-19 01:08 . 2009-10-19 01:08 -------- d-----w- c:\documents and settings\Mummy\Application Data\Alawar
2009-10-19 01:00 . 2009-01-19 22:38 -------- d-----w- c:\documents and settings\Mummy\Application Data\Meridian93
2009-10-19 00:24 . 2009-10-19 00:24 -------- d-----w- c:\documents and settings\All Users\Application Data\MythPeople
2009-10-16 23:27 . 2009-10-16 23:28 2025752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-10-13 03:13 . 2009-10-13 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Becky Brogan
2009-10-09 02:20 . 2009-10-09 02:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SOS
2009-10-06 10:42 . 2009-10-06 10:42 152576 ----a-w- c:\documents and settings\Daddy\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-04 07:51 . 2009-10-20 22:30 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-10-04 07:49 . 2009-10-08 06:28 1142552 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-09-30 02:05 . 2009-09-30 02:05 -------- d-----w- c:\documents and settings\Mummy\Application Data\Merscom
2009-09-11 14:18 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2006-02-28 12:00 916480 ------w- c:\windows\system32\wininet.dll
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\fuck off ----
2008-07-13 04:48 . 2008-01-28 01:43 5146448 --sha-r- c:\program files\fuck off\LGLVMLYWNBLRPT.scr
2008-07-13 04:48 . 2008-07-30 04:45 4891984 --sha-r- c:\program files\fuck off\SpybotSD.exe
((((((((((((((((((((((((((((( SnapShot@2009-11-25_09.37.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-25 23:42 . 2009-11-25 23:42 16384 c:\windows\temp\Perflib_Perfdata_7c0.dat
- 2008-07-08 10:13 . 2009-07-14 11:03 46080 c:\windows\system32\tzchange.exe
+ 2008-07-08 10:13 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
+ 2009-11-25 22:59 . 2009-11-25 22:59 89101 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-11-25 22:58 . 2009-11-25 22:58 87618 c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
- 2008-07-11 11:44 . 2008-06-17 06:11 94208 c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
+ 2009-10-29 05:27 . 2009-10-29 05:27 94208 c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
+ 2009-10-29 05:45 . 2009-10-29 05:45 67000 c:\windows\system32\Adobe\Director\SWDNLD.EXE
+ 2009-11-25 22:54 . 2009-11-25 22:54 21504 c:\windows\Installer\69efd.msi
+ 2009-11-25 22:54 . 2009-11-25 22:54 27648 c:\windows\Installer\69ef7.msi
+ 2009-11-25 10:17 . 2009-11-25 10:17 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
- 2008-07-11 11:44 . 2008-06-17 06:13 9216 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
+ 2009-10-29 05:29 . 2009-10-29 05:29 9216 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
+ 2009-11-25 23:16 . 2009-11-25 23:16 149280 c:\windows\system32\javaws.exe
+ 2009-11-25 23:16 . 2009-11-25 23:16 145184 c:\windows\system32\javaw.exe
+ 2009-11-25 23:16 . 2009-11-25 23:16 145184 c:\windows\system32\java.exe
+ 2009-10-29 04:55 . 2009-10-29 04:55 132472 c:\windows\system32\Adobe\Shockwave 11\SYMCCHECKER.DLL
+ 2009-10-29 05:27 . 2009-10-29 05:27 114688 c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
- 2008-07-11 11:44 . 2008-06-17 06:15 114688 c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
+ 2009-10-29 05:43 . 2009-10-29 05:43 464312 c:\windows\system32\Adobe\Shockwave 11\SwHelper_1152602.exe
+ 2009-10-29 05:29 . 2009-10-29 05:29 446464 c:\windows\system32\Adobe\Shockwave 11\Proj.dll
- 2008-07-11 11:44 . 2008-06-17 06:15 446464 c:\windows\system32\Adobe\Shockwave 11\Proj.dll
+ 2009-10-29 05:28 . 2009-10-29 05:28 372736 c:\windows\system32\Adobe\Shockwave 11\Plugin.dll
+ 2009-10-29 04:55 . 2009-10-29 04:55 713216 c:\windows\system32\Adobe\Shockwave 11\gi.dll
+ 2009-10-29 05:26 . 2009-10-29 05:26 503808 c:\windows\system32\Adobe\Shockwave 11\Control.dll
+ 2009-10-29 05:44 . 2009-10-29 05:44 210360 c:\windows\system32\Adobe\Director\SwDir.dll
+ 2009-10-29 05:28 . 2009-10-29 05:28 131072 c:\windows\system32\Adobe\Director\np32dsw.dll
+ 2009-11-25 10:17 . 2009-11-25 10:17 429568 c:\windows\Installer\26248e.msi
+ 2009-07-20 13:03 . 2009-07-20 13:03 1348432 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9876.0_x-ww_a621d1d5\msxml4.dll
+ 2008-09-09 11:00 . 2009-07-30 23:05 1372672 c:\windows\system32\msxml6.dll
+ 2009-07-20 13:05 . 2009-07-20 13:05 1348432 c:\windows\system32\msxml4.dll
+ 2006-02-28 12:00 . 2009-07-31 04:35 1172480 c:\windows\system32\msxml3.dll
+ 2008-09-09 11:00 . 2009-07-30 23:05 1372672 c:\windows\system32\dllcache\msxml6.dll
+ 2008-11-12 06:22 . 2009-07-31 04:35 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2009-10-29 05:01 . 2009-10-29 05:01 1011712 c:\windows\system32\Adobe\Shockwave 11\iml32.dll
- 2008-07-11 11:44 . 2008-06-17 05:36 1798144 c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
+ 2009-10-29 05:05 . 2009-10-29 05:05 1798144 c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
+ 2009-11-25 22:56 . 2009-11-25 22:56 3940352 c:\windows\Installer\69f03.msi
+ 2009-11-25 23:16 . 2009-11-25 23:16 1757696 c:\windows\Installer\25ee3.msi
+ 2009-07-17 09:12 . 2009-07-17 09:12 1962160 c:\windows\Downloaded Program Files\CONFLICT.1\FP_AX_CAB_INSTALLER.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-19 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-07 488984]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-12-04 176128]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2004-02-02 495616]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2008-06-24 1325848]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2008-06-24 904768]
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2008-06-24 136472]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-02 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-25 149280]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-17 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-06-13 16377344]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Daddy\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2008-7-20 157000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2008-11-2 1757]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-23 00:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPHUPD05"=c:\program files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" /hide
"Name of App"=c:\program files\SAMSUNG\FW LiveUpdate\FWManager.exe r
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/07/2008 2:06 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/07/2008 2:06 PM 108552]
R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [3/09/2009 4:30 AM 78104]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [24/06/2008 7:56 PM 431384]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/07/2008 1:43 PM 297752]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [28/07/2009 8:39 PM 152576]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2009-11-16 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\pexpress\hphped05.exe [2004-01-07 05:05]
2009-11-15 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-11-08 04:31]
2009-11-15 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-11-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://redirect.zonelabs.com/redirect/route?oem=1025&prod=0&mode=1&app=inclient&version=7.0.473.000&lang=en&locale=en-AU&date=-86400&link_id=4&dest=try_product&lic=j5hvqhisiu3s4he7bhx644bu4g0
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: bigpond.com\my
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-26 10:47
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(896)
c:\windows\system32\relog_ap.dll
- - - - - - - > 'explorer.exe'(3832)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\progra~1\Webshots\webshots.scr
c:\program files\HP\hpcoretech\comp\hptskmgr.exe
.
**************************************************************************
.
Completion time: 2009-11-26 10:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-25 23:55
ComboFix2.txt 2009-11-25 09:45
ComboFix3.txt 2008-09-16 09:41
Pre-Run: 13,963,673,600 bytes free
Post-Run: 13,940,662,272 bytes free
- - End Of File - - EDCB3423938CBFC4E7ED7ACE53AEEE2E
TassieWarrior
2009-11-26, 08:47
Here is 2 kaspersky logs for critical and my computer scans
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, November 26, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, November 26, 2009 01:04:09
Records in database: 3291379
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
F:\
G:\
H:\
Scan statistics:
Objects scanned: 184964
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 02:40:24
File name / Threat / Threats count
C:\Documents and Settings\Daddy\My Documents\Cdvd.exe Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ak 1
Selected area has been scanned.
Kaspersky critical area scan
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, November 26, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, November 26, 2009 01:04:09
Records in database: 3291379
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - Critical areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Daddy\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS
Scan statistics:
Objects scanned: 81721
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 01:06:25
No threats found. Scanned area is clean.
Selected area has been scanned.
TassieWarrior
2009-11-26, 08:48
Fresh dds.txt log
DDS (Ver_09-09-29.01) - NTFSx86
Run by Daddy at 17:39:02.03 on Thu 26/11/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2685 [GMT 11:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Daddy\Desktop\dds.com
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://redirect.zonelabs.com/redirect/route?oem=1025&prod=0&mode=1&app=inclient&version=7.0.473.000&lang=en&locale=en-AU&date=-86400&link_id=4&dest=try_product&lic=j5hvqhisiu3s4he7bhx644bu4g0
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [Seagate Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\daddy\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: bigpond.com\my
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
LSA: Authentication Packages = msv1_0 relog_ap
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-8 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-8 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-8 108552]
R2 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2009-9-3 78104]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2008-6-24 431384]
S1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;\??\c:\program files\grisoft\avg anti-spyware 7.5\guard.sys --> c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [?]
S1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\avgascln.sys --> c:\windows\system32\drivers\AvgAsCln.sys [?]
S2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe --> c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [?]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe --> c:\progra~1\avg\avg8\avgemc.exe [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-12 297752]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-7-28 152576]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
=============== Created Last 30 ================
2009-11-26 10:27 <DIR> --d----- C:\ComboFix
2009-11-26 10:16 73,728 a------- c:\windows\system32\javacpl.cpl
2009-11-25 20:17 <DIR> a-dshr-- C:\cmdcons
2009-11-25 20:14 260,608 a------- c:\windows\PEV.exe
2009-11-25 20:14 77,312 a------- c:\windows\MBR.exe
2009-11-25 20:00 389,120 a------- c:\windows\system32\CF26019.exe
2009-11-25 19:17 85,504 a------- c:\program files\Inherit.exe
2009-11-16 09:11 <DIR> --d-h--- c:\windows\PIF
2009-11-16 09:01 <DIR> --d----- c:\docume~1\daddy\applic~1\Malwarebytes
2009-11-16 09:01 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-16 09:01 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-11-16 09:01 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-11-16 09:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-15 16:54 <DIR> --d----- c:\program files\Trend Micro
2009-11-08 22:22 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-11-08 20:27 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-11-08 20:21 <DIR> --d----- c:\docume~1\daddy\applic~1\AVG8
2009-11-08 20:21 <DIR> --d----- C:\$AVG8.VAULT$
2009-11-03 22:25 <DIR> --d----- C:\$AVG
2009-11-03 22:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-11-03 22:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg9
2009-11-03 12:39 <DIR> --d----- C:\ProgramData
2009-10-28 14:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Alawar Stargaze
==================== Find3M ====================
2009-11-26 10:16 411,368 a------- c:\windows\system32\deploytk.dll
2009-11-03 22:24 12,464 a------- c:\windows\system32\avgrsstx(2).dll
2009-09-12 01:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-05 08:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-29 19:08 916,480 -------- c:\windows\system32\wininet.dll
2008-09-16 21:32 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091620080917\index.dat
2008-09-16 21:32 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat
============= FINISH: 17:39:19.39 ===============
Hi,
Try this (http://download.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe) AVG remover.
TassieWarrior
2009-11-26, 09:37
This is the log from the avgremover program, has it removed it?
2009-11-26 07:15:50,265 DEBUG Avg9Uninstall\Directories key failed to open (error: e0010013)
2009-11-26 07:15:50,281 DEBUG Avg8Uninstall\Directories key failed to open (error: e0010013)
2009-11-26 07:15:50,281 DEBUG Reading HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion:ProgramFilesDir (x86) value failed (error: e001003d)
2009-11-26 07:15:50,281 WARN AvgDir param empty.
2009-11-26 07:15:50,281 WARN AvgDataDir param empty.
2009-11-26 07:15:57,500 INFO AvgRemover runs in attempt number 1
2009-11-26 07:15:57,500 INFO ***** Services *****
2009-11-26 07:15:57,500 INFO Processing service avg8emc
2009-11-26 07:15:57,500 INFO Service avg8emc is not running
2009-11-26 07:15:57,500 DEBUG Service avg8emc Delete
2009-11-26 07:15:57,500 DEBUG Service avg8emc RegCleanup
2009-11-26 07:15:57,500 INFO Processing service avgfws8
2009-11-26 07:15:57,515 INFO Service avgfws8 is not installed
2009-11-26 07:15:57,515 DEBUG Service avgfws8 RegCleanup
2009-11-26 07:15:57,515 DEBUG Registry keys for service avgfws8 are not present
2009-11-26 07:15:57,515 INFO Processing service avg8wd
2009-11-26 07:15:57,515 DEBUG Service avg8wd BeforeStop
2009-11-26 07:15:57,562 WARN Service avg8wd Failed to SetStoppable command (error: e0010127)
2009-11-26 07:15:57,562 DEBUG Service avg8wd BeforeStop failed
2009-11-26 07:15:57,562 INFO Service avg8wd is not running
2009-11-26 07:15:57,562 DEBUG Service avg8wd Delete
2009-11-26 07:15:57,562 DEBUG Service avg8wd RegCleanup
2009-11-26 07:15:57,562 INFO Processing service AvgWFPx
2009-11-26 07:15:57,562 INFO Service AvgWFPx is not installed
2009-11-26 07:15:57,562 DEBUG Service AvgWFPx RegCleanup
2009-11-26 07:15:57,562 DEBUG Registry keys for service AvgWFPx are not present
2009-11-26 07:15:57,562 INFO Processing service AvgWFPa
2009-11-26 07:15:57,562 INFO Service AvgWFPa is not installed
2009-11-26 07:15:57,562 DEBUG Service AvgWFPa RegCleanup
2009-11-26 07:15:57,562 DEBUG Registry keys for service AvgWFPa are not present
2009-11-26 07:15:57,562 INFO Processing service AvgMfx86
2009-11-26 07:15:57,562 DEBUG Service AvgMfx86 Stop
2009-11-26 07:17:17,812 DEBUG Service AvgMfx86 Stop failed (error: e0010031), RESTART planned
2009-11-26 07:17:17,812 DEBUG Service AvgMfx86 Stop failed
2009-11-26 07:17:17,812 DEBUG Service AvgMfx86 Delete
2009-11-26 07:17:41,921 DEBUG Avg9Uninstall\Directories key failed to open (error: e0010013)
2009-11-26 07:17:41,921 DEBUG Avg8Uninstall\Directories key failed to open (error: e0010013)
2009-11-26 07:17:41,921 DEBUG Reading HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion:ProgramFilesDir (x86) value failed (error: e001003d)
2009-11-26 07:17:41,921 WARN AvgDir param empty.
2009-11-26 07:17:41,921 WARN AvgDataDir param empty.
2009-11-26 07:17:43,515 INFO AvgRemover runs in attempt number 1
2009-11-26 07:17:43,515 INFO ***** Services *****
2009-11-26 07:17:43,515 INFO Processing service avg8emc
2009-11-26 07:17:43,515 INFO Service avg8emc is not installed
2009-11-26 07:17:43,515 DEBUG Service avg8emc RegCleanup
2009-11-26 07:17:43,515 DEBUG Registry keys for service avg8emc are not present
2009-11-26 07:17:43,515 INFO Processing service avgfws8
2009-11-26 07:17:43,515 INFO Service avgfws8 is not installed
2009-11-26 07:17:43,515 DEBUG Service avgfws8 RegCleanup
2009-11-26 07:17:43,515 DEBUG Registry keys for service avgfws8 are not present
2009-11-26 07:17:43,515 INFO Processing service avg8wd
2009-11-26 07:17:43,515 INFO Service avg8wd is not installed
2009-11-26 07:17:43,515 DEBUG Service avg8wd RegCleanup
2009-11-26 07:17:43,515 DEBUG Registry keys for service avg8wd are not present
2009-11-26 07:17:43,515 INFO Processing service AvgWFPx
2009-11-26 07:17:43,515 INFO Service AvgWFPx is not installed
2009-11-26 07:17:43,515 DEBUG Service AvgWFPx RegCleanup
2009-11-26 07:17:43,515 DEBUG Registry keys for service AvgWFPx are not present
2009-11-26 07:17:43,515 INFO Processing service AvgWFPa
2009-11-26 07:17:43,515 INFO Service AvgWFPa is not installed
2009-11-26 07:17:43,515 DEBUG Service AvgWFPa RegCleanup
2009-11-26 07:17:43,515 DEBUG Registry keys for service AvgWFPa are not present
2009-11-26 07:17:43,515 INFO Processing service AvgMfx86
2009-11-26 07:17:43,515 DEBUG Service AvgMfx86 Stop
2009-11-26 07:18:02,234 DEBUG Avg9Uninstall\Directories key failed to open (error: e0010013)
2009-11-26 07:18:02,234 DEBUG Avg8Uninstall\Directories key failed to open (error: e0010013)
2009-11-26 07:18:02,234 DEBUG Reading HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion:ProgramFilesDir (x86) value failed (error: e001003d)
2009-11-26 07:18:02,234 WARN AvgDir param empty.
2009-11-26 07:18:02,234 WARN AvgDataDir param empty.
2009-11-26 07:18:03,484 INFO AvgRemover runs in attempt number 1
2009-11-26 07:18:03,484 INFO ***** Services *****
2009-11-26 07:18:03,484 INFO Processing service avg8emc
2009-11-26 07:18:03,484 INFO Service avg8emc is not installed
2009-11-26 07:18:03,484 DEBUG Service avg8emc RegCleanup
2009-11-26 07:18:03,484 DEBUG Registry keys for service avg8emc are not present
2009-11-26 07:18:03,484 INFO Processing service avgfws8
2009-11-26 07:18:03,484 INFO Service avgfws8 is not installed
2009-11-26 07:18:03,484 DEBUG Service avgfws8 RegCleanup
2009-11-26 07:18:03,484 DEBUG Registry keys for service avgfws8 are not present
2009-11-26 07:18:03,484 INFO Processing service avg8wd
2009-11-26 07:18:03,484 INFO Service avg8wd is not installed
2009-11-26 07:18:03,484 DEBUG Service avg8wd RegCleanup
2009-11-26 07:18:03,484 DEBUG Registry keys for service avg8wd are not present
2009-11-26 07:18:03,484 INFO Processing service AvgWFPx
2009-11-26 07:18:03,484 INFO Service AvgWFPx is not installed
2009-11-26 07:18:03,484 DEBUG Service AvgWFPx RegCleanup
2009-11-26 07:18:03,484 DEBUG Registry keys for service AvgWFPx are not present
2009-11-26 07:18:03,484 INFO Processing service AvgWFPa
2009-11-26 07:18:03,484 INFO Service AvgWFPa is not installed
2009-11-26 07:18:03,484 DEBUG Service AvgWFPa RegCleanup
2009-11-26 07:18:03,484 DEBUG Registry keys for service AvgWFPa are not present
2009-11-26 07:18:03,484 INFO Processing service AvgMfx86
2009-11-26 07:18:03,484 DEBUG Service AvgMfx86 Stop
2009-11-26 07:19:42,140 DEBUG Avg9Uninstall\Directories key failed to open (error: e0010013)
2009-11-26 07:19:42,156 DEBUG Avg8Uninstall\Directories key failed to open (error: e0010013)
2009-11-26 07:19:42,156 DEBUG Reading HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion:ProgramFilesDir (x86) value failed (error: e001003d)
2009-11-26 07:19:42,156 WARN AvgDir param empty.
2009-11-26 07:19:42,156 WARN AvgDataDir param empty.
2009-11-26 07:19:43,421 INFO AvgRemover runs in attempt number 1
2009-11-26 07:19:43,421 INFO ***** Services *****
2009-11-26 07:19:43,421 INFO Processing service avg8emc
2009-11-26 07:19:43,421 INFO Service avg8emc is not installed
2009-11-26 07:19:43,421 DEBUG Service avg8emc RegCleanup
2009-11-26 07:19:43,421 DEBUG Registry keys for service avg8emc are not present
2009-11-26 07:19:43,421 INFO Processing service avgfws8
2009-11-26 07:19:43,421 INFO Service avgfws8 is not installed
2009-11-26 07:19:43,421 DEBUG Service avgfws8 RegCleanup
2009-11-26 07:19:43,421 DEBUG Registry keys for service avgfws8 are not present
2009-11-26 07:19:43,421 INFO Processing service avg8wd
2009-11-26 07:19:43,421 INFO Service avg8wd is not installed
2009-11-26 07:19:43,421 DEBUG Service avg8wd RegCleanup
2009-11-26 07:19:43,421 DEBUG Registry keys for service avg8wd are not present
2009-11-26 07:19:43,437 INFO Processing service AvgWFPx
2009-11-26 07:19:43,437 INFO Service AvgWFPx is not installed
2009-11-26 07:19:43,437 DEBUG Service AvgWFPx RegCleanup
2009-11-26 07:19:43,437 DEBUG Registry keys for service AvgWFPx are not present
2009-11-26 07:19:43,437 INFO Processing service AvgWFPa
2009-11-26 07:19:43,437 INFO Service AvgWFPa is not installed
2009-11-26 07:19:43,437 DEBUG Service AvgWFPa RegCleanup
2009-11-26 07:19:43,437 DEBUG Registry keys for service AvgWFPa are not present
2009-11-26 07:19:43,437 INFO Processing service AvgMfx86
2009-11-26 07:19:43,437 DEBUG Service AvgMfx86 Stop
2009-11-26 07:21:05,265 DEBUG Avg9Uninstall\Directories key failed to open (error: e0010013)
2009-11-26 07:21:05,265 DEBUG Avg8Uninstall\Directories key failed to open (error: e0010013)
2009-11-26 07:21:05,265 DEBUG Reading HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion:ProgramFilesDir (x86) value failed (error: e001003d)
2009-11-26 07:21:05,265 WARN AvgDir param empty.
2009-11-26 07:21:05,265 WARN AvgDataDir param empty.
2009-11-26 07:21:06,656 INFO AvgRemover runs in attempt number 1
2009-11-26 07:21:06,656 INFO ***** Services *****
2009-11-26 07:21:06,656 INFO Processing service avg8emc
2009-11-26 07:21:06,656 INFO Service avg8emc is not installed
2009-11-26 07:21:06,656 DEBUG Service avg8emc RegCleanup
2009-11-26 07:21:06,656 DEBUG Registry keys for service avg8emc are not present
2009-11-26 07:21:06,656 INFO Processing service avgfws8
2009-11-26 07:21:06,656 INFO Service avgfws8 is not installed
2009-11-26 07:21:06,656 DEBUG Service avgfws8 RegCleanup
2009-11-26 07:21:06,656 DEBUG Registry keys for service avgfws8 are not present
2009-11-26 07:21:06,656 INFO Processing service avg8wd
2009-11-26 07:21:06,656 INFO Service avg8wd is not installed
2009-11-26 07:21:06,656 DEBUG Service avg8wd RegCleanup
2009-11-26 07:21:06,656 DEBUG Registry keys for service avg8wd are not present
2009-11-26 07:21:06,656 INFO Processing service AvgWFPx
2009-11-26 07:21:06,656 INFO Service AvgWFPx is not installed
2009-11-26 07:21:06,656 DEBUG Service AvgWFPx RegCleanup
2009-11-26 07:21:06,656 DEBUG Registry keys for service AvgWFPx are not present
2009-11-26 07:21:06,656 INFO Processing service AvgWFPa
2009-11-26 07:21:06,656 INFO Service AvgWFPa is not installed
2009-11-26 07:21:06,656 DEBUG Service AvgWFPa RegCleanup
2009-11-26 07:21:06,656 DEBUG Registry keys for service AvgWFPa are not present
2009-11-26 07:21:06,656 INFO Processing service AvgMfx86
2009-11-26 07:21:06,656 DEBUG Service AvgMfx86 Stop
2009-11-26 07:21:32,125 DEBUG Avg9Uninstall\Directories key failed to open (error: e0010013)
2009-11-26 07:21:32,125 DEBUG Avg8Uninstall\Directories key failed to open (error: e0010013)
2009-11-26 07:21:32,125 DEBUG Reading HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion:ProgramFilesDir (x86) value failed (error: e001003d)
2009-11-26 07:21:32,125 WARN AvgDir param empty.
2009-11-26 07:21:32,125 WARN AvgDataDir param empty.
2009-11-26 07:21:33,093 INFO AvgRemover runs in attempt number 1
2009-11-26 07:21:33,109 INFO ***** Services *****
2009-11-26 07:21:33,109 INFO Processing service avg8emc
2009-11-26 07:21:33,109 INFO Service avg8emc is not installed
2009-11-26 07:21:33,109 DEBUG Service avg8emc RegCleanup
2009-11-26 07:21:33,109 DEBUG Registry keys for service avg8emc are not present
2009-11-26 07:21:33,109 INFO Processing service avgfws8
2009-11-26 07:21:33,109 INFO Service avgfws8 is not installed
2009-11-26 07:21:33,109 DEBUG Service avgfws8 RegCleanup
2009-11-26 07:21:33,109 DEBUG Registry keys for service avgfws8 are not present
2009-11-26 07:21:33,109 INFO Processing service avg8wd
2009-11-26 07:21:33,109 INFO Service avg8wd is not installed
2009-11-26 07:21:33,109 DEBUG Service avg8wd RegCleanup
2009-11-26 07:21:33,109 DEBUG Registry keys for service avg8wd are not present
2009-11-26 07:21:33,109 INFO Processing service AvgWFPx
2009-11-26 07:21:33,109 INFO Service AvgWFPx is not installed
2009-11-26 07:21:33,109 DEBUG Service AvgWFPx RegCleanup
2009-11-26 07:21:33,109 DEBUG Registry keys for service AvgWFPx are not present
2009-11-26 07:21:33,109 INFO Processing service AvgWFPa
2009-11-26 07:21:33,109 INFO Service AvgWFPa is not installed
2009-11-26 07:21:33,109 DEBUG Service AvgWFPa RegCleanup
2009-11-26 07:21:33,109 DEBUG Registry keys for service AvgWFPa are not present
2009-11-26 07:21:33,109 INFO Processing service AvgMfx86
2009-11-26 07:21:33,109 DEBUG Service AvgMfx86 Stop
Post a fresh dds log taken after remover run, please.
TassieWarrior
2009-11-26, 09:52
DDS (Ver_09-09-29.01) - NTFSx86
Run by Daddy at 18:50:47.29 on Thu 26/11/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2990 [GMT 11:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG8\avgrsx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Daddy\Desktop\dds.com
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://redirect.zonelabs.com/redirect/route?oem=1025&prod=0&mode=1&app=inclient&version=7.0.473.000&lang=en&locale=en-AU&date=-86400&link_id=4&dest=try_product&lic=j5hvqhisiu3s4he7bhx644bu4g0
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [Seagate Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\daddy\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: bigpond.com\my
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
LSA: Authentication Packages = msv1_0 relog_ap
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-8 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-8 108552]
R2 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2009-9-3 78104]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2008-6-24 431384]
S?1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-8 27784]
S1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;\??\c:\program files\grisoft\avg anti-spyware 7.5\guard.sys --> c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [?]
S1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\avgascln.sys --> c:\windows\system32\drivers\AvgAsCln.sys [?]
S2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe --> c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [?]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-7-28 152576]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
=============== Created Last 30 ================
2009-11-26 10:27 <DIR> --d----- C:\ComboFix
2009-11-26 10:16 73,728 a------- c:\windows\system32\javacpl.cpl
2009-11-25 20:17 <DIR> a-dshr-- C:\cmdcons
2009-11-25 20:14 260,608 a------- c:\windows\PEV.exe
2009-11-25 20:14 77,312 a------- c:\windows\MBR.exe
2009-11-25 20:00 389,120 a------- c:\windows\system32\CF26019.exe
2009-11-25 19:17 85,504 a------- c:\program files\Inherit.exe
2009-11-16 09:11 <DIR> --d-h--- c:\windows\PIF
2009-11-16 09:01 <DIR> --d----- c:\docume~1\daddy\applic~1\Malwarebytes
2009-11-16 09:01 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-16 09:01 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-11-16 09:01 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-11-16 09:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-15 16:54 <DIR> --d----- c:\program files\Trend Micro
2009-11-08 22:22 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-11-08 20:27 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-11-08 20:21 <DIR> --d----- c:\docume~1\daddy\applic~1\AVG8
2009-11-08 20:21 <DIR> --d----- C:\$AVG8.VAULT$
2009-11-03 22:25 <DIR> --d----- C:\$AVG
2009-11-03 22:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-11-03 22:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg9
2009-11-03 12:39 <DIR> --d----- C:\ProgramData
2009-10-28 14:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Alawar Stargaze
==================== Find3M ====================
2009-11-26 10:16 411,368 a------- c:\windows\system32\deploytk.dll
2009-11-03 22:24 12,464 a------- c:\windows\system32\avgrsstx(2).dll
2009-09-12 01:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-05 08:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-29 19:08 916,480 -------- c:\windows\system32\wininet.dll
2008-09-16 21:32 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091620080917\index.dat
2008-09-16 21:32 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat
============= FINISH: 18:51:27.92 ===============
Hi,
Seems to be still there but probably harmed by the infection that we cleaned.
Goto the folder and drag'n'drop AVG folder to Inherit file. See if you're able to uninstall AVG now.
TassieWarrior
2009-11-26, 10:34
Tried that and when trying to uninstall avg it came up with cannot delete avgcorex.dll access is denied and the folder still persists
Are you able to reinstall AVG?
TassieWarrior
2009-11-26, 11:19
will try that now
TassieWarrior
2009-11-26, 11:38
when i went to reinstall avg it came up with this error
Local machine: install actions planned
Installation:
Error: MSVC Redistributables installation failed. Installation of AVG can not continue.
Hi,
Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Copy Inherit.exe to c:\documents and settings\All Users\Application Data folder and drag 'n' drop avg8 folder to it. Does uninstalling still fail?
TassieWarrior
2009-11-26, 12:12
that seems to of worked i think, the only thing it has left is an avg antispyware folder, but the anti virus seems to be gone, now do i go back and do all those three scans again or just the combofix and dds logs?
Good. Post DDS log only. We'll see if there's still something to do before the final steps :)
TassieWarrior
2009-11-26, 12:16
New dds log
DDS (Ver_09-09-29.01) - NTFSx86
Run by Daddy at 21:15:37.90 on Thu 26/11/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.3027 [GMT 11:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Daddy\Desktop\dds.com
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://redirect.zonelabs.com/redirect/route?oem=1025&prod=0&mode=1&app=inclient&version=7.0.473.000&lang=en&locale=en-AU&date=-86400&link_id=4&dest=try_product&lic=j5hvqhisiu3s4he7bhx644bu4g0
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [Seagate Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\daddy\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: bigpond.com\my
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
LSA: Authentication Packages = msv1_0 relog_ap
============= SERVICES / DRIVERS ===============
R2 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2009-9-3 78104]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2008-6-24 431384]
S1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;\??\c:\program files\grisoft\avg anti-spyware 7.5\guard.sys --> c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [?]
S1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\avgascln.sys --> c:\windows\system32\drivers\AvgAsCln.sys [?]
S2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe --> c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [?]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-7-28 152576]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
=============== Created Last 30 ================
2009-11-26 10:27 <DIR> --d----- C:\ComboFix
2009-11-26 10:16 73,728 a------- c:\windows\system32\javacpl.cpl
2009-11-25 20:17 <DIR> a-dshr-- C:\cmdcons
2009-11-25 20:14 260,608 a------- c:\windows\PEV.exe
2009-11-25 20:14 77,312 a------- c:\windows\MBR.exe
2009-11-25 20:00 389,120 a------- c:\windows\system32\CF26019.exe
2009-11-25 19:17 85,504 a------- c:\program files\Inherit.exe
2009-11-16 09:11 <DIR> --d-h--- c:\windows\PIF
2009-11-16 09:01 <DIR> --d----- c:\docume~1\daddy\applic~1\Malwarebytes
2009-11-16 09:01 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-16 09:01 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-11-16 09:01 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-11-16 09:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-15 16:54 <DIR> --d----- c:\program files\Trend Micro
2009-11-08 22:22 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-11-08 20:27 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-11-08 20:21 <DIR> --d----- c:\docume~1\daddy\applic~1\AVG8
2009-11-03 22:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-11-03 22:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg9
2009-11-03 12:39 <DIR> --d----- C:\ProgramData
2009-10-28 14:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Alawar Stargaze
==================== Find3M ====================
2009-11-26 10:16 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-12 01:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-05 08:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-29 19:08 916,480 -------- c:\windows\system32\wininet.dll
2008-09-16 21:32 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091620080917\index.dat
2008-09-16 21:32 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat
============= FINISH: 21:16:04.07 ===============
TassieWarrior
2009-11-26, 12:18
Still shows up as avg running yet can't see where it would be? Should i do a restart on the computer to see if that helps cause it didn't ask me to reboot when i uninstalled avg
Hi,
Drag'n'drop these folders to Inherit file:
c:\program files\grisoft
c:\documents and settings\daddy\Application Data\AVG8
c:\documents and settings\All Users\Application Data\AVG Security Toolbar
c:\documents and settings\All Users\Application Data\avg9
Then try to run AVG remover tool I asked you to download earlier.
TassieWarrior
2009-11-27, 13:02
Hi again, this is the new dds log, i dragged all of those folders into the inherit file and then ran avgremover, it seems to of removed 3 of those folders but not the C:Program files\Grisoft folder, it won't let me manually remove the folder either as it comes up with "Error deleting file", Cannot delete shellexecutehook.dll Access is Denied
DDS (Ver_09-09-29.01) - NTFSx86
Run by Daddy at 21:55:31.93 on Fri 27/11/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.3103 [GMT 11:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Daddy\Desktop\dds.com
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://redirect.zonelabs.com/redirect/route?oem=1025&prod=0&mode=1&app=inclient&version=7.0.473.000&lang=en&locale=en-AU&date=-86400&link_id=4&dest=try_product&lic=j5hvqhisiu3s4he7bhx644bu4g0
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [Seagate Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\daddy\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: bigpond.com\my
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
LSA: Authentication Packages = msv1_0 relog_ap
============= SERVICES / DRIVERS ===============
R2 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2009-9-3 78104]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2008-6-24 431384]
S1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;\??\c:\program files\grisoft\avg anti-spyware 7.5\guard.sys --> c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [?]
S1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\avgascln.sys --> c:\windows\system32\drivers\AvgAsCln.sys [?]
S2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe --> c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [?]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-7-28 152576]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
=============== Created Last 30 ================
2009-11-26 10:27 <DIR> --d----- C:\ComboFix
2009-11-26 10:16 73,728 a------- c:\windows\system32\javacpl.cpl
2009-11-25 20:17 <DIR> a-dshr-- C:\cmdcons
2009-11-25 20:14 260,608 a------- c:\windows\PEV.exe
2009-11-25 20:14 77,312 a------- c:\windows\MBR.exe
2009-11-25 20:00 389,120 a------- c:\windows\system32\CF26019.exe
2009-11-25 19:17 85,504 a------- c:\program files\Inherit.exe
2009-11-16 09:11 <DIR> --d-h--- c:\windows\PIF
2009-11-16 09:01 <DIR> --d----- c:\docume~1\daddy\applic~1\Malwarebytes
2009-11-16 09:01 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-16 09:01 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-11-16 09:01 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-11-16 09:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-15 16:54 <DIR> --d----- c:\program files\Trend Micro
2009-11-08 22:22 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-11-08 20:27 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-11-03 12:39 <DIR> --d----- C:\ProgramData
==================== Find3M ====================
2009-11-26 10:16 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-12 01:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-05 08:03 58,880 a------- c:\windows\system32\msasn1.dll
2008-09-16 21:32 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091620080917\index.dat
2008-09-16 21:32 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat
============= FINISH: 21:56:08.26 ===============
Hi,
Open notepad and copy/paste the text in the quotebox below into it:
Driver::
"AVG Anti-Spyware Driver"
AvgAsCln
"AVG Anti-Spyware Guard"
SecCenter::
{17DDD097-36FF-435F-9E1B-52D74245D6BF}
Folder::
c:\program files\grisoft
DDS::
Notify: avgrsstarter - avgrsstx.dll
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & fresh dds log.
TassieWarrior
2009-11-28, 08:14
ComboFix 09-11-27.04 - Daddy 28/11/2009 16:49.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.3136 [GMT 11:00]
Running from: c:\documents and settings\Daddy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Daddy\Desktop\CFScript.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AVGASCLN
-------\Legacy_AVG_ANTI-SPYWARE_DRIVER
-------\Legacy_AVG_ANTI-SPYWARE_GUARD
-------\Service_AVG Anti-Spyware Driver
-------\Service_AVG Anti-Spyware Guard
-------\Service_AvgAsCln
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-28 )))))))))))))))))))))))))))))))
.
2009-11-25 23:16 . 2009-11-25 23:16 -------- d-----w- c:\program files\Java
2009-11-25 23:15 . 2009-11-25 23:15 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-25 23:15 . 2009-11-25 23:15 152576 ----a-w- c:\documents and settings\Daddy\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-25 22:54 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Daddy\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-25 22:54 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-25 22:54 . 2009-11-25 22:54 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-25 22:52 . 2009-11-25 22:52 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-25 22:52 . 2009-11-25 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-25 09:00 . 2009-11-25 09:00 389120 ----a-w- c:\windows\system32\CF26019.exe
2009-11-25 08:17 . 2009-11-25 08:17 85504 ----a-w- c:\program files\Inherit.exe
2009-11-15 22:11 . 2009-11-24 11:31 -------- d--h--w- c:\windows\PIF
2009-11-15 22:01 . 2009-11-15 22:01 -------- d-----w- c:\documents and settings\Daddy\Application Data\Malwarebytes
2009-11-15 22:01 . 2009-09-10 03:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-15 22:01 . 2009-11-15 22:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-15 22:01 . 2009-11-15 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-15 22:01 . 2009-09-10 03:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-15 05:54 . 2009-11-15 05:54 -------- d-----w- c:\program files\Trend Micro
2009-11-08 11:22 . 2009-11-15 04:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-08 09:57 . 2009-11-08 09:57 79488 ----a-w- c:\documents and settings\Daddy\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-08 09:27 . 2009-11-08 09:27 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-04 03:08 . 2009-11-04 03:09 -------- d-----w- c:\documents and settings\Mummy\Application Data\MissTeriTale3
2009-11-03 01:39 . 2009-11-03 01:39 -------- d-----w- C:\ProgramData
2009-11-01 11:36 . 2009-11-01 11:36 -------- d-----w- c:\documents and settings\Mummy\Application Data\Magic Academy 2
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-25 23:16 . 2008-12-03 07:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-25 22:56 . 2008-07-10 12:14 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-25 09:29 . 2009-09-13 06:45 -------- d-----w- c:\program files\iWin Games
2009-11-25 09:29 . 2008-09-25 03:40 -------- d-----w- c:\program files\iWin
2009-11-25 09:09 . 2008-07-08 10:36 24056 ----a-w- c:\documents and settings\Daddy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-15 05:04 . 2008-07-13 04:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-08 11:18 . 2008-07-30 07:00 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-11-08 11:10 . 2008-08-18 05:23 -------- d-----w- c:\program files\MSN Games
2009-11-08 11:10 . 2008-09-08 06:35 -------- d-----w- c:\program files\Super Granny 3
2009-11-08 11:10 . 2008-12-28 08:05 -------- d-----w- c:\program files\Alawar
2009-11-08 11:09 . 2009-01-22 04:09 -------- d-----w- c:\program files\Snowy Treasure Hunter 3
2009-11-08 11:09 . 2008-09-08 06:35 -------- d-----w- c:\program files\Snowy Treasure Hunter 2
2009-11-08 11:09 . 2008-09-25 02:39 -------- d-----w- c:\program files\MumboJumbo
2009-11-08 11:08 . 2008-09-25 03:44 -------- d-----w- c:\program files\iWin.com
2009-11-08 11:05 . 2008-09-25 03:04 -------- d-----w- c:\program files\Fatman Adventures
2009-11-08 11:04 . 2008-09-25 02:37 -------- d-----w- c:\program files\Double Digger
2009-11-08 11:03 . 2008-09-01 02:56 -------- d-----w- c:\program files\Brave Dwarves Back For Treasures
2009-11-08 11:02 . 2008-11-23 07:45 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-08 10:56 . 2008-07-13 04:48 -------- d-----w- c:\program files\fuck off
2009-11-04 03:44 . 2008-08-18 05:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-28 03:52 . 2009-10-28 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Alawar Stargaze
2009-10-23 02:39 . 2008-12-15 01:24 -------- d-----w- c:\documents and settings\Mummy\Application Data\EleFun Games
2009-10-19 02:09 . 2009-09-30 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Merscom
2009-10-19 01:08 . 2009-10-19 01:08 -------- d-----w- c:\documents and settings\Mummy\Application Data\Alawar
2009-10-19 01:00 . 2009-01-19 22:38 -------- d-----w- c:\documents and settings\Mummy\Application Data\Meridian93
2009-10-19 00:24 . 2009-10-19 00:24 -------- d-----w- c:\documents and settings\All Users\Application Data\MythPeople
2009-10-13 03:13 . 2009-10-13 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Becky Brogan
2009-10-09 02:20 . 2009-10-09 02:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SOS
2009-10-06 10:42 . 2009-10-06 10:42 152576 ----a-w- c:\documents and settings\Daddy\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-30 02:05 . 2009-09-30 02:05 -------- d-----w- c:\documents and settings\Mummy\Application Data\Merscom
2009-09-11 14:18 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-11-25_09.37.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-28 06:04 . 2009-11-28 06:04 16384 c:\windows\temp\Perflib_Perfdata_71c.dat
- 2008-07-08 10:13 . 2009-07-14 11:03 46080 c:\windows\system32\tzchange.exe
+ 2008-07-08 10:13 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
+ 2009-11-25 22:59 . 2009-11-25 22:59 89101 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-11-25 22:58 . 2009-11-25 22:58 87618 c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
- 2008-07-11 11:44 . 2008-06-17 06:11 94208 c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
+ 2009-10-29 05:27 . 2009-10-29 05:27 94208 c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
+ 2009-10-29 05:45 . 2009-10-29 05:45 67000 c:\windows\system32\Adobe\Director\SWDNLD.EXE
+ 2009-11-25 22:54 . 2009-11-25 22:54 21504 c:\windows\Installer\69efd.msi
+ 2009-11-25 22:54 . 2009-11-25 22:54 27648 c:\windows\Installer\69ef7.msi
+ 2009-11-25 10:17 . 2009-11-25 10:17 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
- 2008-07-11 11:44 . 2008-06-17 06:13 9216 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
+ 2009-10-29 05:29 . 2009-10-29 05:29 9216 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
+ 2009-11-25 23:16 . 2009-11-25 23:16 149280 c:\windows\system32\javaws.exe
+ 2009-11-25 23:16 . 2009-11-25 23:16 145184 c:\windows\system32\javaw.exe
+ 2009-11-25 23:16 . 2009-11-25 23:16 145184 c:\windows\system32\java.exe
+ 2009-10-29 04:55 . 2009-10-29 04:55 132472 c:\windows\system32\Adobe\Shockwave 11\SYMCCHECKER.DLL
+ 2009-10-29 05:27 . 2009-10-29 05:27 114688 c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
- 2008-07-11 11:44 . 2008-06-17 06:15 114688 c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
+ 2009-10-29 05:43 . 2009-10-29 05:43 464312 c:\windows\system32\Adobe\Shockwave 11\SwHelper_1152602.exe
+ 2009-10-29 05:29 . 2009-10-29 05:29 446464 c:\windows\system32\Adobe\Shockwave 11\Proj.dll
- 2008-07-11 11:44 . 2008-06-17 06:15 446464 c:\windows\system32\Adobe\Shockwave 11\Proj.dll
+ 2009-10-29 05:28 . 2009-10-29 05:28 372736 c:\windows\system32\Adobe\Shockwave 11\Plugin.dll
+ 2009-10-29 04:55 . 2009-10-29 04:55 713216 c:\windows\system32\Adobe\Shockwave 11\gi.dll
+ 2009-10-29 05:26 . 2009-10-29 05:26 503808 c:\windows\system32\Adobe\Shockwave 11\Control.dll
+ 2009-10-29 05:44 . 2009-10-29 05:44 210360 c:\windows\system32\Adobe\Director\SwDir.dll
+ 2009-10-29 05:28 . 2009-10-29 05:28 131072 c:\windows\system32\Adobe\Director\np32dsw.dll
+ 2009-11-25 10:17 . 2009-11-25 10:17 429568 c:\windows\Installer\26248e.msi
+ 2009-07-20 13:03 . 2009-07-20 13:03 1348432 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9876.0_x-ww_a621d1d5\msxml4.dll
+ 2008-09-09 11:00 . 2009-07-30 23:05 1372672 c:\windows\system32\msxml6.dll
+ 2009-07-20 13:05 . 2009-07-20 13:05 1348432 c:\windows\system32\msxml4.dll
+ 2006-02-28 12:00 . 2009-07-31 04:35 1172480 c:\windows\system32\msxml3.dll
+ 2008-09-09 11:00 . 2009-07-30 23:05 1372672 c:\windows\system32\dllcache\msxml6.dll
+ 2008-11-12 06:22 . 2009-07-31 04:35 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2009-10-29 05:01 . 2009-10-29 05:01 1011712 c:\windows\system32\Adobe\Shockwave 11\iml32.dll
- 2008-07-11 11:44 . 2008-06-17 05:36 1798144 c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
+ 2009-10-29 05:05 . 2009-10-29 05:05 1798144 c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
+ 2009-11-25 22:56 . 2009-11-25 22:56 3940352 c:\windows\Installer\69f03.msi
+ 2009-11-25 23:16 . 2009-11-25 23:16 1757696 c:\windows\Installer\25ee3.msi
+ 2009-07-17 09:12 . 2009-07-17 09:12 1962160 c:\windows\Downloaded Program Files\CONFLICT.1\FP_AX_CAB_INSTALLER.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-19 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-07 488984]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-12-04 176128]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2004-02-02 495616]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2008-06-24 1325848]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2008-06-24 904768]
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2008-06-24 136472]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-02 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-25 149280]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-17 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-06-13 16377344]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Daddy\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2008-7-20 157000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2008-11-2 1757]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPHUPD05"=c:\program files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" /hide
"Name of App"=c:\program files\SAMSUNG\FW LiveUpdate\FWManager.exe r
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [3/09/2009 4:30 AM 78104]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [24/06/2008 7:56 PM 431384]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [28/07/2009 8:39 PM 152576]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2009-11-27 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\pexpress\hphped05.exe [2004-01-07 05:05]
2009-11-15 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-11-08 04:31]
2009-11-15 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-11-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://redirect.zonelabs.com/redirect/route?oem=1025&prod=0&mode=1&app=inclient&version=7.0.473.000&lang=en&locale=en-AU&date=-86400&link_id=4&dest=try_product&lic=j5hvqhisiu3s4he7bhx644bu4g0
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: bigpond.com\my
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-28 17:04
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(864)
c:\windows\system32\relog_ap.dll
- - - - - - - > 'explorer.exe'(2584)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\progra~1\Webshots\webshots.scr
c:\program files\HP\hpcoretech\comp\hptskmgr.exe
.
**************************************************************************
.
Completion time: 2009-11-28 17:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-28 06:11
ComboFix2.txt 2009-11-25 23:55
ComboFix3.txt 2009-11-25 09:45
ComboFix4.txt 2008-09-16 09:41
Pre-Run: 13,921,402,880 bytes free
Post-Run: 14,183,108,608 bytes free
- - End Of File - - 3DC61AACB7098DFA8CF9C03C9D7EECCD
TassieWarrior
2009-11-28, 08:15
and the dds log
DDS (Ver_09-09-29.01) - NTFSx86
Run by Daddy at 17:12:02.20 on Sat 28/11/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.3106 [GMT 11:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Daddy\Desktop\dds.com
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://redirect.zonelabs.com/redirect/route?oem=1025&prod=0&mode=1&app=inclient&version=7.0.473.000&lang=en&locale=en-AU&date=-86400&link_id=4&dest=try_product&lic=j5hvqhisiu3s4he7bhx644bu4g0
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [Seagate Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\daddy\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: bigpond.com\my
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
LSA: Authentication Packages = msv1_0 relog_ap
============= SERVICES / DRIVERS ===============
R2 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2009-9-3 78104]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2008-6-24 431384]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-7-28 152576]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
=============== Created Last 30 ================
2009-11-28 16:47 <DIR> --d----- C:\ComboFix
2009-11-26 10:16 73,728 a------- c:\windows\system32\javacpl.cpl
2009-11-25 20:17 <DIR> a-dshr-- C:\cmdcons
2009-11-25 20:14 260,608 a------- c:\windows\PEV.exe
2009-11-25 20:14 77,312 a------- c:\windows\MBR.exe
2009-11-25 20:00 389,120 a------- c:\windows\system32\CF26019.exe
2009-11-25 19:17 85,504 a------- c:\program files\Inherit.exe
2009-11-16 09:11 <DIR> --d-h--- c:\windows\PIF
2009-11-16 09:01 <DIR> --d----- c:\docume~1\daddy\applic~1\Malwarebytes
2009-11-16 09:01 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-16 09:01 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-11-16 09:01 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-11-16 09:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-15 16:54 <DIR> --d----- c:\program files\Trend Micro
2009-11-08 22:22 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-11-08 20:27 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-11-03 12:39 <DIR> --d----- C:\ProgramData
==================== Find3M ====================
2009-11-26 10:16 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-12 01:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-05 08:03 58,880 a------- c:\windows\system32\msasn1.dll
2008-09-16 21:32 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091620080917\index.dat
2008-09-16 21:32 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat
============= FINISH: 17:12:13.73 ===============
Good. Are there any other issues left or shall we take a look at the final instructions?
TassieWarrior
2009-11-28, 13:52
no that appears to be them all sorted thank you, ready for final instructions
Good. Here're the final steps :)
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis
Now lets uninstall ComboFix:
Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK
Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.
Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
hosts file:
Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok
Get Anti Virus Software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. Good free antivirus programs are:
Antivir (http://free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html)
Avast! (http://www.avast.com/eng/download-avast-home.html)
Good commercial ones are from:
Kaspersky (http://www.kaspersky.com/homeuser) and
ESET (http://www.eset.com/products/index.php)
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free (http://www.tallemu.com/free-firewall-protection-software.html) or Comodo Firewall Pro (http://www.personalfirewall.comodo.com/download_firewall.html#fw3.0) (If you choose Comodo: Uncheck during installation Install Comodo HopSurf.., Make Comodo my default search provider and Make Comodo Search my homepage and install firewall ONLY!). Both providers have support forums that help with configuration related questions.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
TassieWarrior
2009-11-29, 10:51
Thank You vedy much blade :thanks: I have done the final steps and the computer is running perfectly, You are a credit to this forum and the computer industry, wish all people were as nice and helpful as you are, thanks again :thanks:
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.