View Full Version : Hijack this log, Right Media Prob
I have read the forum 'Read before you post'
I first had a ave.exe bug, I used spybot to get rid of it, however spybot can't seem to get rid of 'Right Media 32'
I have read the posts regarding how to get rid of Right Media. I disabled the tea timer in spybot, restarted pc and run Hijackthis. I've got a big log but I'm not sure which one's I'm supposed to fix?
I've tried registry mechanic but the problem just comes back each time I connect to the net. If I search for anything on google and I try to click on the link via google a totally different website appears (usually some website that wants my money). My log from Hijack this is below. All help appreciated. In addition my hard wired internet connection stops for 10 seconds then re-connects, not sure if this bug has anything to do with this? never had this problem prior to this bug
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 21:12:44, on 09/05/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\PROGRA~1\AHEAD\NEROPH~2\DATA\XTRAS\MSSYSMGR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trigold\Update\TRUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Documents and Settings\Admin\Desktop\HijackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bbc.co.uk/news
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: thechatterbox.cc Toolbar - {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - C:\Program Files\thechatterbox.cc\tbthe0.dll
R3 - URLSearchHook: W1zardm0ds.co.uk Toolbar - {813cf69b-bebf-423d-9936-eb451ffab26f} - C:\Program Files\W1zardm0ds.co.uk\tbW1z1.dll
O2 - BHO: thechatterbox.cc Toolbar - {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - C:\Program Files\thechatterbox.cc\tbthe0.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: W1zardm0ds.co.uk Toolbar - {813cf69b-bebf-423d-9936-eb451ffab26f} - C:\Program Files\W1zardm0ds.co.uk\tbW1z1.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: thechatterbox.cc Toolbar - {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - C:\Program Files\thechatterbox.cc\tbthe0.dll
O3 - Toolbar: W1zardm0ds.co.uk Toolbar - {813cf69b-bebf-423d-9936-eb451ffab26f} - C:\Program Files\W1zardm0ds.co.uk\tbW1z1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\AHEAD\NEROPH~2\DATA\XTRAS\MSSYSMGR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EDBA9C8-BB88-4DB6-9EB4-CA2BDAEF10FC} (AesDecryptor Class) - http://downloads.privatepost.com/files/ppZDHelper/ppZDHelper.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} (Image Uploader Control) - http://www.landlorddirect.com/js/ImageUploader6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://btc.webex.com/client/T25LSP41EP13-LOCKDOWN/webex/ieatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: TrigoldCrystal Update Service (TRUService) - Trigold - C:\Program Files\Trigold\Update\TRUService.exe
--
End of file - 10243 bytes
Hello and welcome to Safer Networking.
My name is km2357 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.
If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.
Please do not start another thread or topic, I will assist you at this thread until we solve your problems.
Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.
Step # 1 Download and run DDS
Download DDS and save it to your desktop from here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
Step # 2: Download and Run Gmer
Please download gmer.zip (http://www.gmer.net/gmer.zip) from Gmer and save it to your desktop.
***Please close any open programs ***
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst
If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !
Please post the results from the GMER scan in your reply.
In your next post/reply, I need to see the following:
1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log
Use multiple posts if you can't fit everything into one post.
As requested, DDS, ATTACH & GMER LOGS
DDS
DDS (Ver_10-03-17.01) - NTFSx86
Run by Admin at 18:24:46.75 on 12/05/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.2047.1036 [GMT 1:00]
AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\PROGRA~1\AHEAD\NEROPH~2\DATA\XTRAS\MSSYSMGR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trigold\Update\TRUService.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Admin\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://bbc.co.uk/news
uURLSearchHooks: thechatterbox.cc Toolbar: {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - c:\program files\thechatterbox.cc\tbthe0.dll
uURLSearchHooks: W1zardm0ds.co.uk Toolbar: {813cf69b-bebf-423d-9936-eb451ffab26f} - c:\program files\w1zardm0ds.co.uk\tbW1z0.dll
BHO: thechatterbox.cc Toolbar: {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - c:\program files\thechatterbox.cc\tbthe0.dll
{02478d38-c3f9-4efb-9b51-7695eca05670}
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: W1zardm0ds.co.uk Toolbar: {813cf69b-bebf-423d-9936-eb451ffab26f} - c:\program files\w1zardm0ds.co.uk\tbW1z0.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: thechatterbox.cc Toolbar: {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - c:\program files\thechatterbox.cc\tbthe0.dll
TB: W1zardm0ds.co.uk Toolbar: {813cf69b-bebf-423d-9936-eb451ffab26f} - c:\program files\w1zardm0ds.co.uk\tbW1z0.dll
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\ahead\neroph~2\data\xtras\MSSYSMGR.EXE
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [WinSys2] c:\windows\system32\winsys2.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: threesixtytraining.co.uk\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3EDBA9C8-BB88-4DB6-9EB4-CA2BDAEF10FC} - hxxp://downloads.privatepost.com/files/ppZDHelper/ppZDHelper.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.landlorddirect.com/js/ImageUploader6.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://btc.webex.com/client/T25LSP41EP13-LOCKDOWN/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-4-23 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-4-23 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-23 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-23 29512]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-23 242896]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-3-23 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-3-23 125160]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-23 308064]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-4-23 2325816]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-4-23 5888008]
R2 MSSQL$INERTIA3_SQL2005;SQL Server (INERTIA3_SQL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-5-8 632792]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-3-23 779496]
R2 TRUService;TrigoldCrystal Update Service;c:\program files\trigold\update\TRUService.exe [2009-10-31 135816]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-4-23 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-4-23 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-4-23 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-4-23 26120]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-10 136176]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-4-23 30104]
=============== Created Last 30 ================
2010-05-09 20:45:57 0 d-----w- c:\program files\CleanMyPC Popup Blocker
2010-05-08 14:02:30 0 d-----w- c:\docume~1\admin\applic~1\Registry Mechanic
2010-05-08 13:47:32 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2010-05-08 13:47:32 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2010-05-08 13:47:32 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2010-05-08 13:47:31 0 d-----w- c:\program files\common files\PC Tools
2010-05-07 19:10:34 0 d-----w- c:\windows\SxsCaPendDel
2010-05-07 14:07:03 0 d-----w- c:\program files\ezLife
2010-05-07 14:05:39 0 d-----w- c:\docume~1\admin\applic~1\00844978A8DCCC908283E96066040B8A
2010-05-06 17:43:34 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-06 17:41:27 0 dc-h--w- c:\docume~1\alluse~1\applic~1\~0
2010-05-06 17:41:09 0 d-----w- c:\program files\Lavasoft
2010-04-28 18:00:54 0 d-----w- c:\docume~1\admin\applic~1\Sammsoft
2010-04-28 16:52:20 0 d-----w- c:\docume~1\admin\applic~1\Trusteer
2010-04-28 16:52:15 0 d-----w- c:\program files\Trusteer
2010-04-28 16:51:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Trusteer
2010-04-26 18:29:51 0 d-----w- c:\windows\ServicePackFiles
2010-04-26 17:35:39 0 d-----w- c:\docume~1\admin\applic~1\Malwarebytes
2010-04-26 17:35:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-26 17:35:27 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-25 11:12:21 0 d--h--w- C:\$AVG
2010-04-25 10:04:42 0 d-----w- c:\docume~1\admin\applic~1\AVG9
2010-04-23 12:55:07 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-23 12:55:07 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-22 23:11:46 0 d-----w- c:\docume~1\admin\applic~1\MSNInstaller
2010-04-22 23:10:52 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-04-22 23:10:52 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-22 23:10:49 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-22 23:10:43 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-22 23:10:33 0 d-----w- c:\windows\system32\drivers\Avg
2010-04-22 23:08:51 25096 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-04-22 23:08:19 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-04-22 23:08:19 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-04-22 23:06:08 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-04-22 23:02:38 0 d-----w- c:\program files\AVG
==================== Find3M ====================
2010-05-10 17:36:06 36096 ----a-w- c:\windows\system32\drivers\intelppm.sys
2010-04-20 10:05:36 4212 ---h--w- c:\windows\system32\zllictbl.dat
2010-02-16 13:17:38 2137088 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39:04 2016768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-03-12 22:21:44 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-03-12 22:21:44 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-03-12 22:21:44 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
============= FINISH: 18:26:17.82 ===============
ATTACH
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 13/08/2008 12:32:14
System Uptime: 05/12/2010 10:51:45 (-4960 hours ago)
Motherboard: | | Wolfdale1333-D667.
Processor: Intel(R) Pentium(R) D CPU 3.00GHz | CPUSocket | 2991/200mhz
Processor: Intel(R) Pentium(R) D CPU 3.00GHz | CPUSocket | 2991/200mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 98 GiB total, 80.482 GiB free.
D: is FIXED (NTFS) - 238 GiB total, 227.298 GiB free.
E: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Deskjet F4500 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Deskjet F4500 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
==== System Restore Points ===================
RP241: 12/02/2010 12:52:15 - System Checkpoint
RP242: 13/02/2010 13:51:30 - System Checkpoint
RP243: 16/02/2010 12:13:26 - System Checkpoint
RP244: 17/02/2010 19:48:58 - System Checkpoint
RP245: 19/02/2010 14:25:37 - System Checkpoint
RP246: 20/02/2010 15:36:31 - System Checkpoint
RP247: 22/02/2010 12:56:53 - System Checkpoint
RP248: 23/02/2010 13:05:07 - System Checkpoint
RP249: 26/02/2010 10:03:05 - System Checkpoint
RP250: 28/02/2010 22:08:22 - System Checkpoint
RP251: 03/03/2010 13:00:52 - System Checkpoint
RP252: 04/03/2010 13:12:00 - System Checkpoint
RP253: 05/03/2010 15:26:05 - System Checkpoint
RP254: 07/03/2010 15:50:29 - System Checkpoint
RP255: 08/03/2010 16:19:27 - System Checkpoint
RP256: 09/03/2010 16:20:38 - System Checkpoint
RP257: 11/03/2010 13:53:56 - System Checkpoint
RP258: 11/03/2010 23:49:55 - Removed Windows Live Sign-in Assistant
RP259: 12/03/2010 18:44:54 - Installed Virgin Media Broadband SpeedBooster
RP260: 14/03/2010 17:09:34 - System Checkpoint
RP261: 15/03/2010 17:46:12 - System Checkpoint
RP262: 16/03/2010 17:49:06 - System Checkpoint
RP263: 19/03/2010 10:40:50 - System Checkpoint
RP264: 20/03/2010 20:19:00 - System Checkpoint
RP265: 22/03/2010 12:25:51 - System Checkpoint
RP266: 23/03/2010 17:10:45 - System Checkpoint
RP267: 26/03/2010 11:55:14 - System Checkpoint
RP268: 27/03/2010 13:11:37 - System Checkpoint
RP269: 29/03/2010 11:41:30 - System Checkpoint
RP270: 30/03/2010 11:50:50 - System Checkpoint
RP271: 31/03/2010 11:58:40 - System Checkpoint
RP272: 01/04/2010 12:54:09 - System Checkpoint
RP273: 04/04/2010 19:07:07 - System Checkpoint
RP274: 06/04/2010 10:20:48 - System Checkpoint
RP275: 08/04/2010 14:10:42 - System Checkpoint
RP276: 09/04/2010 14:47:05 - System Checkpoint
RP277: 11/04/2010 12:49:53 - System Checkpoint
RP278: 12/04/2010 13:38:19 - System Checkpoint
RP279: 14/04/2010 09:10:12 - System Checkpoint
RP280: 15/04/2010 12:57:28 - System Checkpoint
RP281: 16/04/2010 13:12:45 - System Checkpoint
RP282: 19/04/2010 10:43:22 - System Checkpoint
RP283: 20/04/2010 11:57:04 - System Checkpoint
RP284: 21/04/2010 12:30:09 - System Checkpoint
RP285: 21/04/2010 23:06:59 - Installed Ad-Aware
RP286: 22/04/2010 00:37:09 - Removed Ad-Aware
RP287: 23/04/2010 00:06:08 - Installed AVG 9.0
RP288: 23/04/2010 00:08:52 - Removed Windows Live Messenger
RP289: 23/04/2010 00:13:13 - Removed Google Earth.
RP290: 23/04/2010 00:20:23 - Avg Update
RP291: 23/04/2010 00:28:53 - Removed Ask Toolbar.
RP292: 25/04/2010 14:27:36 - System Checkpoint
RP293: 26/04/2010 16:08:09 - System Checkpoint
RP294: 26/04/2010 19:20:29 - Software Distribution Service 3.0
RP295: 26/04/2010 19:44:35 - Software Distribution Service 3.0
RP296: 26/04/2010 23:03:16 - Software Distribution Service 3.0
RP297: 28/04/2010 11:21:31 - System Checkpoint
RP298: 28/04/2010 17:52:13 - Installed Rapport
RP299: 28/04/2010 19:00:26 - Advanced Registry Optimizer 2010 - Before Installation
RP300: 28/04/2010 19:01:06 - ADVANCED REGISTRY OPTIMIZER 2010- FIRST RUN
RP301: 28/04/2010 19:07:09 - Advanced Registry Optimizer 2010 Wed, Apr 28, 10 19:07
RP302: 30/04/2010 10:54:54 - Avg Update
RP303: 03/05/2010 13:40:03 - System Checkpoint
RP304: 05/05/2010 10:17:46 - System Checkpoint
RP305: 06/05/2010 09:51:23 - Avg Update
RP306: 06/05/2010 18:27:29 - Advanced Registry Optimizer 2010 - Before Installation
RP307: 06/05/2010 18:28:41 - ADVANCED REGISTRY OPTIMIZER 2010- FIRST RUN
RP308: 08/05/2010 12:10:53 - System Checkpoint
RP309: 10/05/2010 11:57:21 - System Checkpoint
RP310: 11/05/2010 13:27:42 - System Checkpoint
RP311: 12/05/2010 14:01:46 - System Checkpoint
==== Installed Programs ======================
32 Bit HP CIO Components Installer
ABBYY FineReader 6.0 Sprint
Acrobat.com
Adobe AIR
Adobe Flash Player ActiveX
Adobe Reader 9.3.2
Adobe Shockwave Player 11.5
Alliance and Leicester Online Forms
Ares 2.0.9
Avanquest update
AVG 9.0
BufferChm
Business Planner version 3
Canon CanoScan Toolbox 4.1
Copy
Coupon Printer
Destinations
DeviceDiscovery
DJ_AIO_06_F4500_SW_MIN
Driver Robot 1.1.0.14
EPSON BX300F Series Printer Uninstall
F4500
goal viewer (offline) Trigold Edition
Google Update Helper
GoToMeeting 4.1.0.366
GPBaseService2
High Definition Audio Driver Package - KB888111
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB979306)
HP Customer Participation Program 13.0
HP Deskjet F4500 Printer Driver Software 13.0 Rel .6
HP Imaging Device Functions 13.0
HP Print Projects 1.0
HP Smart Web Printing 4.5
HP Solution Center 13.0
HP Update
hpPrintProjects
HPProductAssistant
hpWLPGInstaller
Inertia 3
Intel(R) Graphics Media Accelerator Driver
Intermediary Mortgages Application
Java(TM) 6 Update 2
Legal & General GIology (live) v7.2
MarketResearch
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (INERTIA3_SQL2005)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# 2.0 Redistributable Package - SE
Motorola Phone Tools
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB973686)
Nero PhotoShow Express
Nero Suite
Network
Northern Rock Online
NVIDIA Drivers
PowerDVD
Prospector AAA
Prospector Registry Tool
Rapport
RealPlayer
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Registry Mechanic 9.0
Scan
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
SmartWebPrinting
SolutionCenter
Spybot - Search & Destroy
Status
thechatterbox.cc Toolbar
Toolbox
TrayApp
TRSoap
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Virgin Media Broadband SpeedBooster
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
W1zardm0ds.co.uk Toolbar
WebEx
WebFldrs XP
WebReg
Winamp
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
==== Event Viewer Messages From Past Week ========
07/05/2010 20:11:52, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
07/05/2010 20:08:43, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
07/05/2010 20:03:18, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
07/05/2010 20:03:18, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
07/05/2010 19:11:44, error: Dhcp [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 0C0C0C0C0C01 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
05/05/2010 08:39:03, error: Dhcp [1002] - The IP address lease 192.168.2.3 for the Network Card with network address 0C0C0C0C0C01 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
==== End Of File ===========================
GMER
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-13 07:49:22
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Admin\LOCALS~1\Temp\uwrcrfob.sys
---- System - GMER 1.0.15 ----
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xB565CD92]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xB565D49E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteFile [0xB565D5EA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteKey [0xB5660D58]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteValueKey [0xB5660D8A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xB565D54E]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xB486E670]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenThread [0xB565D0C8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xB565D1FA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xB5660E62]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xB5660DCC]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xB5660DFE]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRestoreKey [0xB5660E30]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xB565CD40]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetInformationFile [0xB565D64A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetValueKey [0xB5660CF0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xB565CCE4]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xB486E720]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xB486E7C0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xB486E860]
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!ZwYieldExecution + 16E 804E49C8 8 Bytes JMP 58B565D5
.text ntoskrnl.exe!ZwYieldExecution + 4CA 804E4D24 4 Bytes CALL 108301AF
.rsrc C:\WINDOWS\system32\DRIVERS\intelppm.sys entry point in ".rsrc" section [0xBA776394]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9184380, 0x2FF527, 0xE8000020]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[336] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C5000A
.text C:\WINDOWS\Explorer.EXE[336] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CF000A
.text C:\WINDOWS\Explorer.EXE[336] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C4000C
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[388] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00439530 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[388] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 716B001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[388] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71680022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[388] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 716E0022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1092] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00412220 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1092] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 716B001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1092] USER32.dll!CallMsgFilterW + 21D 7E42DBC9 6 Bytes JMP 716E001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1092] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71650022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1092] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 71680022
.text C:\WINDOWS\System32\svchost.exe[1164] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A8000A
.text C:\WINDOWS\System32\svchost.exe[1164] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A9000A
.text C:\WINDOWS\System32\svchost.exe[1164] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A7000C
.text C:\WINDOWS\system32\wuauclt.exe[3164] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0098000A
.text C:\WINDOWS\system32\wuauclt.exe[3164] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\wuauclt.exe[3164] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0097000C
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[4016] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0089000A
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[4016] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 008A000A
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[4016] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007F000C
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
Device -> \Driver\atapi \Device\Harddisk0\DR0 89A47AC8
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\DRIVERS\intelppm.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
Ares 2.0.9
I'd like you to read the Guidelines for P2P Programs (http://spywarewarrior.com/viewtopic.php?t=26216) where we explain why it's not a good idea to have them.
Also available here (http://malwareremoval.com/forum/viewtopic.php?p=491394#p491394).
My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
Step # 1: Disable Teatimer
Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.
This is a two step process.
First step: Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the version 1.5 or 1.6, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version : Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in left panel, click Resident shows a red/white shield.
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.
Step # 2: Download and Run ComboFix
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
* IMPORTANT !!! Save ComboFix.exe to your Desktop
When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.
ares removed as per instructions
spybot stuff done,
combo log below, while it was doing the scan I did notice it stated it was deleting some stuff, did not notice this in the guide and not sure if its something for me to worry about?
ComboFix 10-05-14.06 - Admin 15/05/2010 0:28.1.2 - x86
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\2A.tmp
C:\5A.tmp
c:\documents and settings\Admin\Application Data\00844978A8DCCC908283E96066040B8A
c:\documents and settings\Admin\Application Data\00844978A8DCCC908283E96066040B8A\enemies-names.txt
c:\documents and settings\Admin\g2mdlhlpx.exe
c:\documents and settings\Admin\GoToAssistDownloadHelper.exe
c:\program files\ezLife
c:\windows\system32\AbaleZip.dll
c:\windows\system32\winsys.exe
Infected copy of c:\windows\system32\drivers\intelppm.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-14 to 2010-05-14 )))))))))))))))))))))))))))))))
.
2010-05-09 20:45 . 2010-05-10 08:58 -------- d-----w- c:\program files\CleanMyPC Popup Blocker
2010-05-08 14:02 . 2010-05-08 14:05 -------- d-----w- c:\documents and settings\Admin\Application Data\Registry Mechanic
2010-05-08 13:47 . 2010-05-08 13:47 -------- d-----w- c:\program files\Common Files\PC Tools
2010-05-08 13:47 . 2010-05-14 22:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-07 19:10 . 2010-05-08 09:52 -------- d-----w- c:\windows\SxsCaPendDel
2010-05-07 15:16 . 2010-05-07 15:16 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Trusteer
2010-05-07 14:07 . 2010-05-07 14:07 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\vsfuticgf
2010-05-06 17:43 . 2010-05-06 17:43 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-06 17:41 . 2010-05-08 09:52 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2010-05-06 17:41 . 2010-05-07 19:09 -------- d-----w- c:\program files\Lavasoft
2010-04-28 18:00 . 2010-05-08 13:32 -------- d-----w- c:\documents and settings\Admin\Application Data\Sammsoft
2010-04-28 16:52 . 2010-04-28 16:52 -------- d-----w- c:\documents and settings\Admin\Application Data\Trusteer
2010-04-28 16:52 . 2010-04-28 16:52 -------- d-----w- c:\program files\Trusteer
2010-04-28 16:51 . 2010-04-28 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2010-04-28 10:54 . 2010-04-28 10:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-26 18:29 . 2010-04-26 18:29 -------- d-----w- c:\windows\ServicePackFiles
2010-04-26 17:35 . 2010-04-26 17:35 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2010-04-26 17:35 . 2010-04-26 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-26 17:35 . 2010-05-08 09:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-25 11:12 . 2010-04-25 11:12 -------- d-----w- C:\$AVG
2010-04-25 10:44 . 2010-04-25 10:44 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Ahead
2010-04-25 10:04 . 2010-04-25 10:04 -------- d-----w- c:\documents and settings\Admin\Application Data\AVG9
2010-04-23 12:55 . 2010-04-23 12:55 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-23 12:55 . 2010-04-23 12:55 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-22 23:11 . 2010-04-22 23:11 -------- d-----w- c:\documents and settings\Admin\Application Data\MSNInstaller
2010-04-22 23:10 . 2010-04-22 23:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-22 23:10 . 2010-04-22 23:10 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-04-22 23:10 . 2010-04-22 23:10 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-22 23:10 . 2010-04-22 23:10 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-22 23:10 . 2010-04-22 23:10 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-22 23:10 . 2010-05-14 22:34 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-22 23:08 . 2010-04-22 23:08 25096 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-04-22 23:08 . 2010-04-22 23:08 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-04-22 23:08 . 2010-04-22 23:08 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-04-22 23:06 . 2010-04-22 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-22 23:02 . 2010-04-22 23:06 -------- d-----w- c:\program files\AVG
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-14 23:02 . 2009-11-12 17:43 -------- d-----w- c:\documents and settings\Admin\Application Data\HPAppData
2010-05-14 17:57 . 2009-03-05 16:44 -------- d-----w- c:\documents and settings\Admin\Application Data\U3
2010-05-14 12:00 . 2004-08-04 12:00 36096 ----a-w- c:\windows\system32\drivers\intelppm.sys
2010-05-11 10:06 . 2010-01-03 17:26 -------- d-----w- c:\program files\W1zardm0ds.co.uk
2010-05-07 19:10 . 2008-08-14 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-06 18:31 . 2008-08-14 19:58 -------- d-----w- c:\program files\thechatterbox.cc
2010-04-30 15:06 . 2009-11-06 14:55 -------- d-----w- c:\program files\Common Files\F1
2010-04-26 22:09 . 2009-11-03 18:53 -------- d-----w- c:\program files\Microsoft SQL Server
2010-04-22 23:30 . 2009-01-30 18:31 -------- d-----w- c:\program files\SolarWinds
2010-04-22 23:14 . 2009-11-23 11:42 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-22 23:13 . 2010-04-10 20:04 -------- d-----w- c:\program files\Google
2010-04-22 23:08 . 2008-09-22 19:37 -------- d-----w- c:\program files\Windows Live
2010-04-22 22:22 . 2008-09-20 18:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-22 22:20 . 2008-09-20 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-20 10:05 . 2008-08-13 19:03 4212 ---h--w- c:\windows\system32\zllictbl.dat
2010-04-10 15:18 . 2008-08-14 09:48 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-28 15:12 . 2010-03-16 15:44 439816 ----a-w- c:\documents and settings\Admin\Application Data\Real\Update\setup3.10\setup.exe
2010-03-20 19:53 . 2010-03-20 19:53 -------- d-----w- c:\program files\Coupon Printer
2010-03-20 19:53 . 2010-03-20 19:53 31 ---ha-w- c:\windows\UKCpInfo.sys
2010-02-24 12:31 . 2004-08-04 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-22 09:59 . 2010-03-12 12:19 40960 ----a-w- c:\documents and settings\All Users\Application Data\TrigoldCrystal\Prospector\paymentshield\QuoteEngine\MortgageProtectorSolo.dll
2010-02-16 13:17 . 2004-08-04 12:00 2137088 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2004-08-03 22:59 2016768 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00b8e20c-5c71-4c2f-85a5-6ad541500df0}"= "c:\program files\thechatterbox.cc\tbthe0.dll" [2010-02-11 2349080]
"{813cf69b-bebf-423d-9936-eb451ffab26f}"= "c:\program files\W1zardm0ds.co.uk\tbW1z0.dll" [2010-05-11 2515552]
[HKEY_CLASSES_ROOT\clsid\{00b8e20c-5c71-4c2f-85a5-6ad541500df0}]
[HKEY_CLASSES_ROOT\clsid\{813cf69b-bebf-423d-9936-eb451ffab26f}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00b8e20c-5c71-4c2f-85a5-6ad541500df0}]
2010-02-11 10:06 2349080 ----a-w- c:\program files\thechatterbox.cc\tbthe0.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{813cf69b-bebf-423d-9936-eb451ffab26f}]
2010-05-11 10:06 2515552 ----a-w- c:\program files\W1zardm0ds.co.uk\tbW1z0.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{00b8e20c-5c71-4c2f-85a5-6ad541500df0}"= "c:\program files\thechatterbox.cc\tbthe0.dll" [2010-02-11 2349080]
"{813cf69b-bebf-423d-9936-eb451ffab26f}"= "c:\program files\W1zardm0ds.co.uk\tbW1z0.dll" [2010-05-11 2515552]
[HKEY_CLASSES_ROOT\clsid\{00b8e20c-5c71-4c2f-85a5-6ad541500df0}]
[HKEY_CLASSES_ROOT\clsid\{813cf69b-bebf-423d-9936-eb451ffab26f}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{00B8E20C-5C71-4C2F-85A5-6AD541500DF0}"= "c:\program files\thechatterbox.cc\tbthe0.dll" [2010-02-11 2349080]
"{813CF69B-BEBF-423D-9936-EB451FFAB26F}"= "c:\program files\W1zardm0ds.co.uk\tbW1z0.dll" [2010-05-11 2515552]
[HKEY_CLASSES_ROOT\clsid\{00b8e20c-5c71-4c2f-85a5-6ad541500df0}]
[HKEY_CLASSES_ROOT\clsid\{813cf69b-bebf-423d-9936-eb451ffab26f}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\AHEAD\NEROPH~2\DATA\XTRAS\MSSYSMGR.EXE" [2005-02-26 212992]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-22 16858112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"nwiz"="nwiz.exe" [2007-06-28 1626112]
"WinSys2"="c:\windows\system32\winsys2.exe" [2006-04-29 208896]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-17 198160]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 53760]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-22 23:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 136176]
R3 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwdx.sys [2010-04-22 30104]
S0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\System32\Drivers\AVGIDSxx.sys [2010-04-22 25096]
S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2010-04-22 52872]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-04-22 216200]
S1 AvgTdiX;AVG Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-04-22 242896]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-03-23 58984]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-03-23 125160]
S2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-04-22 308064]
S2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [2010-04-22 2325816]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe AVGIDSAgent [x]
S2 MSSQL$INERTIA3_SQL2005;SQL Server (INERTIA3_SQL2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2010-04-08 632792]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-03-23 779496]
S2 TRUService;TrigoldCrystal Update Service;c:\program files\Trigold\Update\TRUService.exe [2009-10-31 135816]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys [2010-04-22 30104]
S3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [2010-04-22 122376]
S3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [2010-04-22 30216]
S3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [2010-04-22 26120]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2009-11-18 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\1.1.0.14\DriverRobot.exe [2009-11-18 13:53]
2010-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 20:04]
2010-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 20:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://bbc.co.uk/news
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: threesixtytraining.co.uk\www
DPF: {3EDBA9C8-BB88-4DB6-9EB4-CA2BDAEF10FC} - hxxp://downloads.privatepost.com/files/ppZDHelper/ppZDHelper.cab
DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.landlorddirect.com/js/ImageUploader6.cab
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-PremierBuilder - Test Insurer - Legal & General GIology - c:\program files\Legal & General\GIology\GIology
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-15 00:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\docume~1\Admin\LOCALS~1\Temp\catchme.dll 53248 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
.
Completion time: 2010-05-15 00:37:31
ComboFix-quarantined-files.txt 2010-05-14 23:37
Pre-Run: 86,093,524,992 bytes free
Post-Run: 86,426,116,096 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - 488B20DACA6AA5033412A0B8942C4CE6
combo log below, while it was doing the scan I did notice it stated it was deleting some stuff, did not notice this in the guide and not sure if its something for me to worry about?
Just ComboFix doing its job. :)
If ComboFix finds any bad/malicious stuff, it'll start deleting it. Nothing to worry about. :)
Step # 1: Run CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
KILLALL::
DirLook::
c:\documents and settings\Admin\Local Settings\Application Data\vsfuticgf
DDS::
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Note: This CFScript is for use on 003294's computer only! Do not use it on your computer.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
In your next post/reply, I need to see the following:
1. The ComboFix Log that appears after Step 1 has been completed.
2. A fresh DDS Log taken after Step 1 has been completed.
Instructions followed above
Combo log (2)
ComboFix 10-05-14.06 - Admin 15/05/2010 10:37:09.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.2047.1398 [GMT 1:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
.
((((((((((((((((((((((((( Files Created from 2010-04-15 to 2010-05-15 )))))))))))))))))))))))))))))))
.
2010-05-09 20:45 . 2010-05-10 08:58 -------- d-----w- c:\program files\CleanMyPC Popup Blocker
2010-05-08 14:02 . 2010-05-08 14:05 -------- d-----w- c:\documents and settings\Admin\Application Data\Registry Mechanic
2010-05-08 13:47 . 2010-05-08 13:47 -------- d-----w- c:\program files\Common Files\PC Tools
2010-05-08 13:47 . 2010-05-14 22:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-07 19:10 . 2010-05-08 09:52 -------- d-----w- c:\windows\SxsCaPendDel
2010-05-07 15:16 . 2010-05-07 15:16 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Trusteer
2010-05-07 14:07 . 2010-05-07 14:07 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\vsfuticgf
2010-05-06 17:43 . 2010-05-06 17:43 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-06 17:41 . 2010-05-08 09:52 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2010-05-06 17:41 . 2010-05-07 19:09 -------- d-----w- c:\program files\Lavasoft
2010-04-28 18:00 . 2010-05-08 13:32 -------- d-----w- c:\documents and settings\Admin\Application Data\Sammsoft
2010-04-28 16:52 . 2010-04-28 16:52 -------- d-----w- c:\documents and settings\Admin\Application Data\Trusteer
2010-04-28 16:52 . 2010-04-28 16:52 -------- d-----w- c:\program files\Trusteer
2010-04-28 16:51 . 2010-04-28 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2010-04-28 10:54 . 2010-04-28 10:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-26 18:29 . 2010-04-26 18:29 -------- d-----w- c:\windows\ServicePackFiles
2010-04-26 17:35 . 2010-04-26 17:35 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2010-04-26 17:35 . 2010-04-26 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-26 17:35 . 2010-05-08 09:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-25 11:12 . 2010-04-25 11:12 -------- d-----w- C:\$AVG
2010-04-25 10:44 . 2010-04-25 10:44 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Ahead
2010-04-25 10:04 . 2010-04-25 10:04 -------- d-----w- c:\documents and settings\Admin\Application Data\AVG9
2010-04-23 12:55 . 2010-04-23 12:55 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-23 12:55 . 2010-04-23 12:55 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-22 23:11 . 2010-04-22 23:11 -------- d-----w- c:\documents and settings\Admin\Application Data\MSNInstaller
2010-04-22 23:10 . 2010-04-22 23:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-22 23:10 . 2010-04-22 23:10 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-04-22 23:10 . 2010-04-22 23:10 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-22 23:10 . 2010-04-22 23:10 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-22 23:10 . 2010-04-22 23:10 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-22 23:10 . 2010-05-15 09:30 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-22 23:08 . 2010-04-22 23:08 25096 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-04-22 23:08 . 2010-04-22 23:08 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-04-22 23:08 . 2010-04-22 23:08 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-04-22 23:06 . 2010-04-22 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-22 23:02 . 2010-04-22 23:06 -------- d-----w- c:\program files\AVG
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-15 09:31 . 2009-11-12 17:43 -------- d-----w- c:\documents and settings\Admin\Application Data\HPAppData
2010-05-14 17:57 . 2009-03-05 16:44 -------- d-----w- c:\documents and settings\Admin\Application Data\U3
2010-05-14 12:00 . 2004-08-04 12:00 36096 ----a-w- c:\windows\system32\drivers\intelppm.sys
2010-05-11 10:06 . 2010-01-03 17:26 -------- d-----w- c:\program files\W1zardm0ds.co.uk
2010-05-07 19:10 . 2008-08-14 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-06 18:31 . 2008-08-14 19:58 -------- d-----w- c:\program files\thechatterbox.cc
2010-04-30 15:06 . 2009-11-06 14:55 -------- d-----w- c:\program files\Common Files\F1
2010-04-26 22:09 . 2009-11-03 18:53 -------- d-----w- c:\program files\Microsoft SQL Server
2010-04-22 23:30 . 2009-01-30 18:31 -------- d-----w- c:\program files\SolarWinds
2010-04-22 23:14 . 2009-11-23 11:42 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-22 23:13 . 2010-04-10 20:04 -------- d-----w- c:\program files\Google
2010-04-22 23:08 . 2008-09-22 19:37 -------- d-----w- c:\program files\Windows Live
2010-04-22 22:22 . 2008-09-20 18:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-22 22:20 . 2008-09-20 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-20 10:05 . 2008-08-13 19:03 4212 ---h--w- c:\windows\system32\zllictbl.dat
2010-04-10 15:18 . 2008-08-14 09:48 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-28 15:12 . 2010-03-16 15:44 439816 ----a-w- c:\documents and settings\Admin\Application Data\Real\Update\setup3.10\setup.exe
2010-03-20 19:53 . 2010-03-20 19:53 -------- d-----w- c:\program files\Coupon Printer
2010-03-20 19:53 . 2010-03-20 19:53 31 ---ha-w- c:\windows\UKCpInfo.sys
2010-02-24 12:31 . 2004-08-04 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-22 09:59 . 2010-03-12 12:19 40960 ----a-w- c:\documents and settings\All Users\Application Data\TrigoldCrystal\Prospector\paymentshield\QuoteEngine\MortgageProtectorSolo.dll
2010-02-16 13:17 . 2004-08-04 12:00 2137088 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2004-08-03 22:59 2016768 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Admin\Local Settings\Application Data\vsfuticgf ----
((((((((((((((((((((((((((((( SnapShot@2010-05-14_23.35.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-15 09:43 . 2010-05-15 09:43 16384 c:\windows\Temp\Perflib_Perfdata_be0.dat
+ 2010-05-15 09:43 . 2010-05-15 09:43 16384 c:\windows\Temp\Perflib_Perfdata_b7c.dat
+ 2004-08-04 12:00 . 2010-05-14 23:45 76510 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-05-14 23:45 441194 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00b8e20c-5c71-4c2f-85a5-6ad541500df0}"= "c:\program files\thechatterbox.cc\tbthe0.dll" [2010-02-11 2349080]
"{813cf69b-bebf-423d-9936-eb451ffab26f}"= "c:\program files\W1zardm0ds.co.uk\tbW1z0.dll" [2010-05-11 2515552]
[HKEY_CLASSES_ROOT\clsid\{00b8e20c-5c71-4c2f-85a5-6ad541500df0}]
[HKEY_CLASSES_ROOT\clsid\{813cf69b-bebf-423d-9936-eb451ffab26f}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00b8e20c-5c71-4c2f-85a5-6ad541500df0}]
2010-02-11 10:06 2349080 ----a-w- c:\program files\thechatterbox.cc\tbthe0.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{813cf69b-bebf-423d-9936-eb451ffab26f}]
2010-05-11 10:06 2515552 ----a-w- c:\program files\W1zardm0ds.co.uk\tbW1z0.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{00b8e20c-5c71-4c2f-85a5-6ad541500df0}"= "c:\program files\thechatterbox.cc\tbthe0.dll" [2010-02-11 2349080]
"{813cf69b-bebf-423d-9936-eb451ffab26f}"= "c:\program files\W1zardm0ds.co.uk\tbW1z0.dll" [2010-05-11 2515552]
[HKEY_CLASSES_ROOT\clsid\{00b8e20c-5c71-4c2f-85a5-6ad541500df0}]
[HKEY_CLASSES_ROOT\clsid\{813cf69b-bebf-423d-9936-eb451ffab26f}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{00B8E20C-5C71-4C2F-85A5-6AD541500DF0}"= "c:\program files\thechatterbox.cc\tbthe0.dll" [2010-02-11 2349080]
"{813CF69B-BEBF-423D-9936-EB451FFAB26F}"= "c:\program files\W1zardm0ds.co.uk\tbW1z0.dll" [2010-05-11 2515552]
[HKEY_CLASSES_ROOT\clsid\{00b8e20c-5c71-4c2f-85a5-6ad541500df0}]
[HKEY_CLASSES_ROOT\clsid\{813cf69b-bebf-423d-9936-eb451ffab26f}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\AHEAD\NEROPH~2\DATA\XTRAS\MSSYSMGR.EXE" [2005-02-26 212992]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-22 16858112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"nwiz"="nwiz.exe" [2007-06-28 1626112]
"WinSys2"="c:\windows\system32\winsys2.exe" [2006-04-29 208896]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-17 198160]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 53760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-22 23:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [23/04/2010 00:08 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [23/04/2010 00:10 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [23/04/2010 00:10 216200]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [23/04/2010 00:10 242896]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [23/03/2010 16:39 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [23/03/2010 16:39 125160]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [23/04/2010 00:08 308064]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [23/04/2010 00:09 2325816]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [23/04/2010 00:08 5888008]
R2 MSSQL$INERTIA3_SQL2005;SQL Server (INERTIA3_SQL2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [24/11/2008 22:31 29263712]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [08/05/2010 14:47 632792]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [23/03/2010 16:39 779496]
R2 TRUService;TrigoldCrystal Update Service;c:\program files\Trigold\Update\TRUService.exe [31/10/2009 20:02 135816]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [23/04/2010 00:08 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [23/04/2010 00:08 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [23/04/2010 00:08 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [23/04/2010 00:08 26120]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/04/2010 21:04 136176]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [23/04/2010 00:08 30104]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2009-11-18 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\1.1.0.14\DriverRobot.exe [2009-11-18 13:53]
2010-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 20:04]
2010-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 20:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://bbc.co.uk/news
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: threesixtytraining.co.uk\www
DPF: {3EDBA9C8-BB88-4DB6-9EB4-CA2BDAEF10FC} - hxxp://downloads.privatepost.com/files/ppZDHelper/ppZDHelper.cab
DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.landlorddirect.com/js/ImageUploader6.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-15 10:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(7084)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2010-05-15 10:47:03 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-15 09:47
ComboFix2.txt 2010-05-14 23:37
Pre-Run: 86,369,574,912 bytes free
Post-Run: 86,393,794,560 bytes free
- - End Of File - - 083E1E427AC38B378D9C535C34411BE4
DDS (2)
DDS (Ver_10-03-17.01) - NTFSx86
Run by Admin at 14:13:37.73 on 15/05/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.2047.1234 [GMT 1:00]
AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AHEAD\NEROPH~2\DATA\XTRAS\MSSYSMGR.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trigold\Update\TRUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Documents and Settings\Admin\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://bbc.co.uk/news
uURLSearchHooks: thechatterbox.cc Toolbar: {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - c:\program files\thechatterbox.cc\tbthe0.dll
uURLSearchHooks: W1zardm0ds.co.uk Toolbar: {813cf69b-bebf-423d-9936-eb451ffab26f} - c:\program files\w1zardm0ds.co.uk\tbW1z0.dll
BHO: thechatterbox.cc Toolbar: {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - c:\program files\thechatterbox.cc\tbthe0.dll
{02478d38-c3f9-4efb-9b51-7695eca05670}
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: W1zardm0ds.co.uk Toolbar: {813cf69b-bebf-423d-9936-eb451ffab26f} - c:\program files\w1zardm0ds.co.uk\tbW1z0.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: thechatterbox.cc Toolbar: {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - c:\program files\thechatterbox.cc\tbthe0.dll
TB: W1zardm0ds.co.uk Toolbar: {813cf69b-bebf-423d-9936-eb451ffab26f} - c:\program files\w1zardm0ds.co.uk\tbW1z0.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\ahead\neroph~2\data\xtras\MSSYSMGR.EXE
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [WinSys2] c:\windows\system32\winsys2.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: threesixtytraining.co.uk\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3EDBA9C8-BB88-4DB6-9EB4-CA2BDAEF10FC} - hxxp://downloads.privatepost.com/files/ppZDHelper/ppZDHelper.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.landlorddirect.com/js/ImageUploader6.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://btc.webex.com/client/T25LSP41EP13-LOCKDOWN/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
============= SERVICES / DRIVERS ===============
R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-4-23 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-4-23 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-23 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-23 29512]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-23 242896]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-3-23 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-3-23 125160]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-23 308064]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-4-23 2325816]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-4-23 5888008]
R2 MSSQL$INERTIA3_SQL2005;SQL Server (INERTIA3_SQL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-5-8 632792]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-3-23 779496]
R2 TRUService;TrigoldCrystal Update Service;c:\program files\trigold\update\TRUService.exe [2009-10-31 135816]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-4-23 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-4-23 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-4-23 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-4-23 26120]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-10 136176]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-4-23 30104]
=============== Created Last 30 ================
2010-05-14 23:23:27 0 d-sha-r- C:\cmdcons
2010-05-14 23:22:33 98816 ----a-w- c:\windows\sed.exe
2010-05-14 23:06:33 77312 ----a-w- c:\windows\MBR.exe
2010-05-14 23:06:33 256512 ----a-w- c:\windows\PEV.exe
2010-05-14 23:06:33 161792 ----a-w- c:\windows\SWREG.exe
2010-05-09 20:45:57 0 d-----w- c:\program files\CleanMyPC Popup Blocker
2010-05-08 14:02:30 0 d-----w- c:\docume~1\admin\applic~1\Registry Mechanic
2010-05-08 13:47:32 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2010-05-08 13:47:32 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2010-05-08 13:47:32 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2010-05-08 13:47:31 0 d-----w- c:\program files\common files\PC Tools
2010-05-07 19:10:34 0 d-----w- c:\windows\SxsCaPendDel
2010-05-06 17:43:34 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-06 17:41:27 0 dc-h--w- c:\docume~1\alluse~1\applic~1\~0
2010-05-06 17:41:09 0 d-----w- c:\program files\Lavasoft
2010-04-28 18:00:54 0 d-----w- c:\docume~1\admin\applic~1\Sammsoft
2010-04-28 16:52:20 0 d-----w- c:\docume~1\admin\applic~1\Trusteer
2010-04-28 16:52:15 0 d-----w- c:\program files\Trusteer
2010-04-28 16:51:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Trusteer
2010-04-26 18:29:51 0 d-----w- c:\windows\ServicePackFiles
2010-04-26 17:35:39 0 d-----w- c:\docume~1\admin\applic~1\Malwarebytes
2010-04-26 17:35:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-26 17:35:27 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-25 11:12:21 0 d-----w- C:\$AVG
2010-04-25 10:04:42 0 d-----w- c:\docume~1\admin\applic~1\AVG9
2010-04-23 12:55:07 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-23 12:55:07 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-22 23:11:46 0 d-----w- c:\docume~1\admin\applic~1\MSNInstaller
2010-04-22 23:10:52 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-04-22 23:10:52 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-22 23:10:49 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-22 23:10:43 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-22 23:10:33 0 d-----w- c:\windows\system32\drivers\Avg
2010-04-22 23:08:51 25096 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-04-22 23:08:19 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-04-22 23:08:19 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-04-22 23:06:08 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-04-22 23:02:38 0 d-----w- c:\program files\AVG
==================== Find3M ====================
2010-05-14 12:00:54 36096 ----a-w- c:\windows\system32\drivers\intelppm.sys
2010-04-20 10:05:36 4212 ---h--w- c:\windows\system32\zllictbl.dat
2010-02-16 13:17:38 2137088 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39:04 2016768 ----a-w- c:\windows\system32\ntkrnlpa.exe
============= FINISH: 14:14:18.65 ===============
Attach (2)
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 13/08/2008 12:32:14
System Uptime: 15/05/2010 14:09:20 (0 hours ago)
Motherboard: | | Wolfdale1333-D667.
Processor: Intel(R) Pentium(R) D CPU 3.00GHz | CPUSocket | 2991/200mhz
Processor: Intel(R) Pentium(R) D CPU 3.00GHz | CPUSocket | 2991/200mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 98 GiB total, 80.48 GiB free.
D: is FIXED (NTFS) - 238 GiB total, 227.298 GiB free.
E: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Deskjet F4500 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Deskjet F4500 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
==== System Restore Points ===================
RP243: 16/02/2010 12:13:26 - System Checkpoint
RP244: 17/02/2010 19:48:58 - System Checkpoint
RP245: 19/02/2010 14:25:37 - System Checkpoint
RP246: 20/02/2010 15:36:31 - System Checkpoint
RP247: 22/02/2010 12:56:53 - System Checkpoint
RP248: 23/02/2010 13:05:07 - System Checkpoint
RP249: 26/02/2010 10:03:05 - System Checkpoint
RP250: 28/02/2010 22:08:22 - System Checkpoint
RP251: 03/03/2010 13:00:52 - System Checkpoint
RP252: 04/03/2010 13:12:00 - System Checkpoint
RP253: 05/03/2010 15:26:05 - System Checkpoint
RP254: 07/03/2010 15:50:29 - System Checkpoint
RP255: 08/03/2010 16:19:27 - System Checkpoint
RP256: 09/03/2010 16:20:38 - System Checkpoint
RP257: 11/03/2010 13:53:56 - System Checkpoint
RP258: 11/03/2010 23:49:55 - Removed Windows Live Sign-in Assistant
RP259: 12/03/2010 18:44:54 - Installed Virgin Media Broadband SpeedBooster
RP260: 14/03/2010 17:09:34 - System Checkpoint
RP261: 15/03/2010 17:46:12 - System Checkpoint
RP262: 16/03/2010 17:49:06 - System Checkpoint
RP263: 19/03/2010 10:40:50 - System Checkpoint
RP264: 20/03/2010 20:19:00 - System Checkpoint
RP265: 22/03/2010 12:25:51 - System Checkpoint
RP266: 23/03/2010 17:10:45 - System Checkpoint
RP267: 26/03/2010 11:55:14 - System Checkpoint
RP268: 27/03/2010 13:11:37 - System Checkpoint
RP269: 29/03/2010 11:41:30 - System Checkpoint
RP270: 30/03/2010 11:50:50 - System Checkpoint
RP271: 31/03/2010 11:58:40 - System Checkpoint
RP272: 01/04/2010 12:54:09 - System Checkpoint
RP273: 04/04/2010 19:07:07 - System Checkpoint
RP274: 06/04/2010 10:20:48 - System Checkpoint
RP275: 08/04/2010 14:10:42 - System Checkpoint
RP276: 09/04/2010 14:47:05 - System Checkpoint
RP277: 11/04/2010 12:49:53 - System Checkpoint
RP278: 12/04/2010 13:38:19 - System Checkpoint
RP279: 14/04/2010 09:10:12 - System Checkpoint
RP280: 15/04/2010 12:57:28 - System Checkpoint
RP281: 16/04/2010 13:12:45 - System Checkpoint
RP282: 19/04/2010 10:43:22 - System Checkpoint
RP283: 20/04/2010 11:57:04 - System Checkpoint
RP284: 21/04/2010 12:30:09 - System Checkpoint
RP285: 21/04/2010 23:06:59 - Installed Ad-Aware
RP286: 22/04/2010 00:37:09 - Removed Ad-Aware
RP287: 23/04/2010 00:06:08 - Installed AVG 9.0
RP288: 23/04/2010 00:08:52 - Removed Windows Live Messenger
RP289: 23/04/2010 00:13:13 - Removed Google Earth.
RP290: 23/04/2010 00:20:23 - Avg Update
RP291: 23/04/2010 00:28:53 - Removed Ask Toolbar.
RP292: 25/04/2010 14:27:36 - System Checkpoint
RP293: 26/04/2010 16:08:09 - System Checkpoint
RP294: 26/04/2010 19:20:29 - Software Distribution Service 3.0
RP295: 26/04/2010 19:44:35 - Software Distribution Service 3.0
RP296: 26/04/2010 23:03:16 - Software Distribution Service 3.0
RP297: 28/04/2010 11:21:31 - System Checkpoint
RP298: 28/04/2010 17:52:13 - Installed Rapport
RP299: 28/04/2010 19:00:26 - Advanced Registry Optimizer 2010 - Before Installation
RP300: 28/04/2010 19:01:06 - ADVANCED REGISTRY OPTIMIZER 2010- FIRST RUN
RP301: 28/04/2010 19:07:09 - Advanced Registry Optimizer 2010 Wed, Apr 28, 10 19:07
RP302: 30/04/2010 10:54:54 - Avg Update
RP303: 03/05/2010 13:40:03 - System Checkpoint
RP304: 05/05/2010 10:17:46 - System Checkpoint
RP305: 06/05/2010 09:51:23 - Avg Update
RP306: 06/05/2010 18:27:29 - Advanced Registry Optimizer 2010 - Before Installation
RP307: 06/05/2010 18:28:41 - ADVANCED REGISTRY OPTIMIZER 2010- FIRST RUN
RP308: 08/05/2010 12:10:53 - System Checkpoint
RP309: 10/05/2010 11:57:21 - System Checkpoint
RP310: 11/05/2010 13:27:42 - System Checkpoint
RP311: 12/05/2010 14:01:46 - System Checkpoint
RP312: 14/05/2010 13:02:23 - System Checkpoint
==== Installed Programs ======================
32 Bit HP CIO Components Installer
ABBYY FineReader 6.0 Sprint
Acrobat.com
Adobe AIR
Adobe Flash Player ActiveX
Adobe Reader 9.3.2
Adobe Shockwave Player 11.5
Alliance and Leicester Online Forms
Avanquest update
AVG 9.0
BufferChm
Business Planner version 3
Canon CanoScan Toolbox 4.1
Copy
Coupon Printer
Destinations
DeviceDiscovery
DJ_AIO_06_F4500_SW_MIN
Driver Robot 1.1.0.14
EPSON BX300F Series Printer Uninstall
F4500
goal viewer (offline) Trigold Edition
Google Update Helper
GoToMeeting 4.1.0.366
GPBaseService2
High Definition Audio Driver Package - KB888111
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB979306)
HP Customer Participation Program 13.0
HP Deskjet F4500 Printer Driver Software 13.0 Rel .6
HP Imaging Device Functions 13.0
HP Print Projects 1.0
HP Smart Web Printing 4.5
HP Solution Center 13.0
HP Update
hpPrintProjects
HPProductAssistant
hpWLPGInstaller
Inertia 3
Intel(R) Graphics Media Accelerator Driver
Intermediary Mortgages Application
Java(TM) 6 Update 2
MarketResearch
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (INERTIA3_SQL2005)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# 2.0 Redistributable Package - SE
Motorola Phone Tools
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB973686)
Nero PhotoShow Express
Nero Suite
Network
Northern Rock Online
NVIDIA Drivers
PowerDVD
Prospector AAA
Prospector Registry Tool
Rapport
RealPlayer
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Registry Mechanic 9.0
Scan
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
SmartWebPrinting
SolutionCenter
Spybot - Search & Destroy
Status
thechatterbox.cc Toolbar
Toolbox
TrayApp
TRSoap
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Virgin Media Broadband SpeedBooster
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
W1zardm0ds.co.uk Toolbar
WebEx
WebFldrs XP
WebReg
Winamp
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
==== Event Viewer Messages From Past Week ========
15/05/2010 10:37:04, error: Service Control Manager [7034] - The Windows User Mode Driver Framework service terminated unexpectedly. It has done this 1 time(s).
15/05/2010 10:37:04, error: Service Control Manager [7034] - The SQL Server VSS Writer service terminated unexpectedly. It has done this 1 time(s).
15/05/2010 10:37:04, error: Service Control Manager [7034] - The SQL Server (INERTIA3_SQL2005) service terminated unexpectedly. It has done this 1 time(s).
15/05/2010 10:37:04, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
15/05/2010 10:37:04, error: Service Control Manager [7034] - The PC Tools Startup and Shutdown Monitor service service terminated unexpectedly. It has done this 1 time(s).
15/05/2010 10:37:04, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
15/05/2010 10:37:04, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
15/05/2010 10:37:04, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
15/05/2010 10:37:04, error: Service Control Manager [7031] - The TrigoldCrystal Update Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
15/05/2010 10:37:04, error: Service Control Manager [7031] - The SQL Server Browser service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
14/05/2010 18:01:27, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0C0C0C0C0C01. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
11/05/2010 11:05:01, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
11/05/2010 11:05:01, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
10/05/2010 19:58:24, error: Dhcp [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 0C0C0C0C0C01 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
08/05/2010 14:33:35, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
==== End Of File ===========================
Delete CFScript.txt from your Desktop, you will be creating and running a new one.
Step # 1: Run CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
KILLALL::
Folder::
c:\documents and settings\Admin\Local Settings\Application Data\vsfuticgf
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Note: This CFScript is for use on 003294's computer only! Do not use it on your computer.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
In your next post/reply, I need to see the following:
1. The ComboFix Log that appears after Step 1 has been completed.
ComboFix 10-05-14.06 - Admin 15/05/2010 19:15:07.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.2047.1433 [GMT 1:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Admin\Local Settings\Application Data\vsfuticgf
.
((((((((((((((((((((((((( Files Created from 2010-04-15 to 2010-05-15 )))))))))))))))))))))))))))))))
.
2010-05-09 20:45 . 2010-05-10 08:58 -------- d-----w- c:\program files\CleanMyPC Popup Blocker
2010-05-08 14:02 . 2010-05-08 14:05 -------- d-----w- c:\documents and settings\Admin\Application Data\Registry Mechanic
2010-05-08 13:47 . 2010-05-08 13:47 -------- d-----w- c:\program files\Common Files\PC Tools
2010-05-08 13:47 . 2010-05-15 14:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-07 19:10 . 2010-05-08 09:52 -------- d-----w- c:\windows\SxsCaPendDel
2010-05-07 15:16 . 2010-05-07 15:16 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Trusteer
2010-05-06 17:43 . 2010-05-06 17:43 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-06 17:41 . 2010-05-08 09:52 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2010-05-06 17:41 . 2010-05-07 19:09 -------- d-----w- c:\program files\Lavasoft
2010-04-28 18:00 . 2010-05-08 13:32 -------- d-----w- c:\documents and settings\Admin\Application Data\Sammsoft
2010-04-28 16:52 . 2010-04-28 16:52 -------- d-----w- c:\documents and settings\Admin\Application Data\Trusteer
2010-04-28 16:52 . 2010-04-28 16:52 -------- d-----w- c:\program files\Trusteer
2010-04-28 16:51 . 2010-04-28 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2010-04-28 10:54 . 2010-04-28 10:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-26 18:29 . 2010-04-26 18:29 -------- d-----w- c:\windows\ServicePackFiles
2010-04-26 17:35 . 2010-04-26 17:35 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2010-04-26 17:35 . 2010-04-26 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-26 17:35 . 2010-05-08 09:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-25 11:12 . 2010-04-25 11:12 -------- d-----w- C:\$AVG
2010-04-25 10:44 . 2010-04-25 10:44 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Ahead
2010-04-25 10:04 . 2010-04-25 10:04 -------- d-----w- c:\documents and settings\Admin\Application Data\AVG9
2010-04-23 12:55 . 2010-04-23 12:55 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-23 12:55 . 2010-04-23 12:55 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-22 23:11 . 2010-04-22 23:11 -------- d-----w- c:\documents and settings\Admin\Application Data\MSNInstaller
2010-04-22 23:10 . 2010-04-22 23:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-22 23:10 . 2010-04-22 23:10 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-04-22 23:10 . 2010-04-22 23:10 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-22 23:10 . 2010-04-22 23:10 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-22 23:10 . 2010-04-22 23:10 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-22 23:10 . 2010-05-15 09:30 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-22 23:08 . 2010-04-22 23:08 25096 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-04-22 23:08 . 2010-04-22 23:08 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-04-22 23:08 . 2010-04-22 23:08 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-04-22 23:06 . 2010-04-22 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-22 23:02 . 2010-04-22 23:06 -------- d-----w- c:\program files\AVG
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-15 09:31 . 2009-11-12 17:43 -------- d-----w- c:\documents and settings\Admin\Application Data\HPAppData
2010-05-14 17:57 . 2009-03-05 16:44 -------- d-----w- c:\documents and settings\Admin\Application Data\U3
2010-05-14 12:00 . 2004-08-04 12:00 36096 ----a-w- c:\windows\system32\drivers\intelppm.sys
2010-05-11 10:06 . 2010-01-03 17:26 -------- d-----w- c:\program files\W1zardm0ds.co.uk
2010-05-07 19:10 . 2008-08-14 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-06 18:31 . 2008-08-14 19:58 -------- d-----w- c:\program files\thechatterbox.cc
2010-04-30 15:06 . 2009-11-06 14:55 -------- d-----w- c:\program files\Common Files\F1
2010-04-26 22:09 . 2009-11-03 18:53 -------- d-----w- c:\program files\Microsoft SQL Server
2010-04-22 23:30 . 2009-01-30 18:31 -------- d-----w- c:\program files\SolarWinds
2010-04-22 23:14 . 2009-11-23 11:42 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-22 23:13 . 2010-04-10 20:04 -------- d-----w- c:\program files\Google
2010-04-22 23:08 . 2008-09-22 19:37 -------- d-----w- c:\program files\Windows Live
2010-04-22 22:22 . 2008-09-20 18:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-22 22:20 . 2008-09-20 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-20 10:05 . 2008-08-13 19:03 4212 ---h--w- c:\windows\system32\zllictbl.dat
2010-04-10 15:18 . 2008-08-14 09:48 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-28 15:12 . 2010-03-16 15:44 439816 ----a-w- c:\documents and settings\Admin\Application Data\Real\Update\setup3.10\setup.exe
2010-03-20 19:53 . 2010-03-20 19:53 -------- d-----w- c:\program files\Coupon Printer
2010-03-20 19:53 . 2010-03-20 19:53 31 ---ha-w- c:\windows\UKCpInfo.sys
2010-02-24 12:31 . 2004-08-04 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-22 09:59 . 2010-03-12 12:19 40960 ----a-w- c:\documents and settings\All Users\Application Data\TrigoldCrystal\Prospector\paymentshield\QuoteEngine\MortgageProtectorSolo.dll
2010-02-16 13:17 . 2004-08-04 12:00 2137088 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2004-08-03 22:59 2016768 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-05-14_23.35.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-15 18:21 . 2010-05-15 18:21 16384 c:\windows\Temp\Perflib_Perfdata_95c.dat
+ 2010-05-15 18:22 . 2010-05-15 18:22 16384 c:\windows\Temp\Perflib_Perfdata_159c.dat
+ 2004-08-04 12:00 . 2010-05-14 23:45 76510 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-05-14 23:45 441194 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00b8e20c-5c71-4c2f-85a5-6ad541500df0}"= "c:\program files\thechatterbox.cc\tbthe0.dll" [2010-02-11 2349080]
"{813cf69b-bebf-423d-9936-eb451ffab26f}"= "c:\program files\W1zardm0ds.co.uk\tbW1z0.dll" [2010-05-11 2515552]
[HKEY_CLASSES_ROOT\clsid\{00b8e20c-5c71-4c2f-85a5-6ad541500df0}]
[HKEY_CLASSES_ROOT\clsid\{813cf69b-bebf-423d-9936-eb451ffab26f}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00b8e20c-5c71-4c2f-85a5-6ad541500df0}]
2010-02-11 10:06 2349080 ----a-w- c:\program files\thechatterbox.cc\tbthe0.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{813cf69b-bebf-423d-9936-eb451ffab26f}]
2010-05-11 10:06 2515552 ----a-w- c:\program files\W1zardm0ds.co.uk\tbW1z0.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{00b8e20c-5c71-4c2f-85a5-6ad541500df0}"= "c:\program files\thechatterbox.cc\tbthe0.dll" [2010-02-11 2349080]
"{813cf69b-bebf-423d-9936-eb451ffab26f}"= "c:\program files\W1zardm0ds.co.uk\tbW1z0.dll" [2010-05-11 2515552]
[HKEY_CLASSES_ROOT\clsid\{00b8e20c-5c71-4c2f-85a5-6ad541500df0}]
[HKEY_CLASSES_ROOT\clsid\{813cf69b-bebf-423d-9936-eb451ffab26f}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{00B8E20C-5C71-4C2F-85A5-6AD541500DF0}"= "c:\program files\thechatterbox.cc\tbthe0.dll" [2010-02-11 2349080]
"{813CF69B-BEBF-423D-9936-EB451FFAB26F}"= "c:\program files\W1zardm0ds.co.uk\tbW1z0.dll" [2010-05-11 2515552]
[HKEY_CLASSES_ROOT\clsid\{00b8e20c-5c71-4c2f-85a5-6ad541500df0}]
[HKEY_CLASSES_ROOT\clsid\{813cf69b-bebf-423d-9936-eb451ffab26f}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\AHEAD\NEROPH~2\DATA\XTRAS\MSSYSMGR.EXE" [2005-02-26 212992]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-22 16858112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"nwiz"="nwiz.exe" [2007-06-28 1626112]
"WinSys2"="c:\windows\system32\winsys2.exe" [2006-04-29 208896]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-17 198160]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 53760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-22 23:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [23/04/2010 00:08 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [23/04/2010 00:10 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [23/04/2010 00:10 216200]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [23/04/2010 00:10 242896]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [23/03/2010 16:39 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [23/03/2010 16:39 125160]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [23/04/2010 00:08 308064]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [23/04/2010 00:09 2325816]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [23/04/2010 00:08 5888008]
R2 MSSQL$INERTIA3_SQL2005;SQL Server (INERTIA3_SQL2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [24/11/2008 22:31 29263712]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [08/05/2010 14:47 632792]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [23/03/2010 16:39 779496]
R2 TRUService;TrigoldCrystal Update Service;c:\program files\Trigold\Update\TRUService.exe [31/10/2009 20:02 135816]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [23/04/2010 00:08 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [23/04/2010 00:08 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [23/04/2010 00:08 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [23/04/2010 00:08 26120]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/04/2010 21:04 136176]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [23/04/2010 00:08 30104]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2009-11-18 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\1.1.0.14\DriverRobot.exe [2009-11-18 13:53]
2010-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 20:04]
2010-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 20:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://bbc.co.uk/news
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: threesixtytraining.co.uk\www
DPF: {3EDBA9C8-BB88-4DB6-9EB4-CA2BDAEF10FC} - hxxp://downloads.privatepost.com/files/ppZDHelper/ppZDHelper.cab
DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.landlorddirect.com/js/ImageUploader6.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-15 19:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(6564)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2010-05-15 19:25:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-15 18:25
ComboFix2.txt 2010-05-15 09:47
ComboFix3.txt 2010-05-14 23:37
Pre-Run: 86,356,656,128 bytes free
Post-Run: 86,340,308,992 bytes free
- - End Of File - - D0B47B9A8436502593BBECC83FF76085
Before we continue further, I need something cleared up.
The following thread was brought to my attention:
avg 9.0 free licence key? (http://forums.spybot.info/showthread.php?t=57375)
Since your logs show that you already have AVG 9.0 installed, why do you need a free license key?
its a trial version for 30 days which is due to expire very soon
Since its a trial version and is going to expire soon, let's replace AVG's AV and Firewall with a free AV and Firewall. That way don't have to worry about obtaining license keys.
Here are two free AntiViruses to choose from:
1)Antivir PersonalEdition Classic (http://www.free-av.com/)
2)avast! Home Edition (http://www.avast.com/free-antivirus-download)
Download and install only one!
Once you've downloaded the setup file for your new AV, unplug your computer from the Internet. Next uninstall AVG via Add/Remove Programs. Once that's done, reboot your computer. When your computer has booted back up, install your new AntiVirus. Finally, reconnect your computer back to the Internet and update your new AV.
Here are some free Firewalls to replace AVG's firewall:
Jetico Personal Firewall (http://www.jetico.com/jpf2.htm)
Soft perfect (http://www.softperfect.com/products/firewall/)
Sunbelt Kerio Firewall (http://www.sunbelt-software.com/Kerio-Download.cfm)
Please download and install only one!
Repeat the same steps as before (disconnect from 'Net, uninstall AVG Firewall, reboot computer, install new Firewall, reconnect to Net, update firewall (if you can))
Also, do the following:
Once the new firewall is installed, check to see that the Windows Firewall is disabled. To do so follow these steps:
1. Click Start, click Run, type Firewall.cpl, and then click OK.
2. On the General tab, check to see if Off (not recommended) is checkmarked/ticked, if it is not, then checkmark/tick the box and click OK
Let me know once you've done everything and we'll continue. :)
003294? How are things coming along?
going to begin with above now, will keep you posted
All done, decided to install jetico firwall and avira anti virus, I have updated, what is the next stage now?
Registry Cleaners + "Tweak" Tools
Re. Registry Mechanic 9.0
I don't personally recommend the use of ANY Registry Cleaners or "Tweak" Tools
They are marketed as ways to make your machine run faster and more efficiently ...... Some will actually achieve this .... IF you know how to use them correctly.
Removing "Orphaned/Old/Obsolete" registry entries is fine ..... as long as they actually are "Orphaned/Old/Obsolete", it won't speed up your machine though
Stopping services and setting policies can speed up your machine ..... as long as you stop and set the right ones, and even then it's debatable if you will notice the improvement.
Remove the wrong registry entry, or stop the wrong service, and not only can you slow your machine .... you could kill it !
To use a Registry Cleaner or "Tweak" tool to its full advantage, you really need to know what it is they are doing and what else the changes may affect.
In short, if you know how to use them safely ----- you don't actually need them.
discussion on regcleaners >> http://forums.whatthetech.com/Regcleaner_t42862.html
And for more good information see what Miekiemoes has to say >> http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html
Step # 1 Update Java
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u20 (http://www.java.com/en/download/manual.jsp).
Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Remove the following old versions of Java:
Java(TM) 6 Update 2
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
From your desktop double-click on the download to install the newest version.
Step # 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Step # 3 Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php).
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
In your next post/reply, I need to see the following:
1. MalwareBytes' Log
2. A fresh DDS Log
Java has been updated & I've used the cleaner program above. As for the firewall's I've had no choice but to get rid of jetico firewall and avira anti virus as this caused way too many problems in me trying to connect to the net, The moment I close both firewall and anit virus programs my net works fine.
I've gone to AVG 8.5 free edition for now and have updated. 1 infection found with malwarebites (adware.ezlife), DDS log below, I think this bug is almost gone as I'm no longer getting the random pop ups
MALWAREBITES
Time elapsed: 4 minute(s), 49 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
DDS
DDS (Ver_10-03-17.01) - NTFSx86
Run by Admin at 22:58:33.51 on 24/05/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.2047.1225 [GMT 1:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\AHEAD\NEROPH~2\DATA\XTRAS\MSSYSMGR.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trigold\Update\TRUService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\hpmup091.bin
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Documents and Settings\Admin\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://bbc.co.uk/news
uURLSearchHooks: thechatterbox.cc Toolbar: {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - c:\program files\thechatterbox.cc\tbthe0.dll
uURLSearchHooks: W1zardm0ds.co.uk Toolbar: {813cf69b-bebf-423d-9936-eb451ffab26f} - c:\program files\w1zardm0ds.co.uk\tbW1z0.dll
BHO: thechatterbox.cc Toolbar: {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - c:\program files\thechatterbox.cc\tbthe0.dll
{02478d38-c3f9-4efb-9b51-7695eca05670}
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: W1zardm0ds.co.uk Toolbar: {813cf69b-bebf-423d-9936-eb451ffab26f} - c:\program files\w1zardm0ds.co.uk\tbW1z0.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: thechatterbox.cc Toolbar: {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - c:\program files\thechatterbox.cc\tbthe0.dll
TB: W1zardm0ds.co.uk Toolbar: {813cf69b-bebf-423d-9936-eb451ffab26f} - c:\program files\w1zardm0ds.co.uk\tbW1z0.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\ahead\neroph~2\data\xtras\MSSYSMGR.EXE
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [WinSys2] c:\windows\system32\winsys2.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: threesixtytraining.co.uk\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3EDBA9C8-BB88-4DB6-9EB4-CA2BDAEF10FC} - hxxp://downloads.privatepost.com/files/ppZDHelper/ppZDHelper.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.landlorddirect.com/js/ImageUploader6.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://btc.webex.com/client/T25LSP41EP13-LOCKDOWN/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {B5475F04-47B0-4D4E-BFE7-E842F18F1492} = 4.2.2.2,4.2.2.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-5-23 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-5-23 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-5-23 242896]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-3-23 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-3-23 125160]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-5-23 308064]
R2 MSSQL$INERTIA3_SQL2005;SQL Server (INERTIA3_SQL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-5-8 632792]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-3-23 779496]
R2 TRUService;TrigoldCrystal Update Service;c:\program files\trigold\update\TRUService.exe [2009-10-31 135816]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-10 136176]
=============== Created Last 30 ================
2010-05-24 21:51:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-24 21:51:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-23 23:14:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-23 23:14:25 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-23 22:44:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-23 22:43:59 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-23 22:43:53 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-23 22:43:47 0 d-----w- c:\windows\system32\drivers\Avg
2010-05-19 19:38:57 17801 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-05-19 19:38:49 40960 ----a-w- c:\windows\system32\F5D7051.dll
2010-05-19 19:38:49 29184 ----a-w- c:\windows\system32\drivers\RNDISMPK.sys
2010-05-19 19:38:49 13824 ----a-w- c:\windows\system32\drivers\usb8023k.sys
2010-05-19 19:38:47 94208 ----a-w- c:\windows\system32\GTW32N50.dll
2010-05-19 19:38:47 31930 ----a-w- c:\windows\system32\GTNDIS3.VXD
2010-05-19 19:38:47 15872 ----a-w- c:\windows\system32\GTNDIS5.sys
2010-05-19 19:38:46 1396831 ----a-w- c:\windows\system32\AegisE5.dll
2010-05-19 19:38:46 0 d-----w- c:\program files\Belkin
2010-05-14 23:23:27 0 d-sha-r- C:\cmdcons
2010-05-14 23:22:33 98816 ----a-w- c:\windows\sed.exe
2010-05-14 23:06:33 77312 ----a-w- c:\windows\MBR.exe
2010-05-14 23:06:33 256512 ----a-w- c:\windows\PEV.exe
2010-05-14 23:06:33 161792 ----a-w- c:\windows\SWREG.exe
2010-05-09 20:45:57 0 d-----w- c:\program files\CleanMyPC Popup Blocker
2010-05-08 14:02:30 0 d-----w- c:\docume~1\admin\applic~1\Registry Mechanic
2010-05-08 13:47:32 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2010-05-08 13:47:32 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2010-05-08 13:47:32 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2010-05-08 13:47:31 0 d-----w- c:\program files\common files\PC Tools
2010-05-07 19:10:34 0 d-----w- c:\windows\SxsCaPendDel
2010-05-06 17:43:34 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-06 17:41:27 0 dc-h--w- c:\docume~1\alluse~1\applic~1\~0
2010-05-06 17:41:09 0 d-----w- c:\program files\Lavasoft
2010-04-28 18:00:54 0 d-----w- c:\docume~1\admin\applic~1\Sammsoft
2010-04-28 16:52:20 0 d-----w- c:\docume~1\admin\applic~1\Trusteer
2010-04-28 16:52:15 0 d-----w- c:\program files\Trusteer
2010-04-28 16:51:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Trusteer
2010-04-26 18:29:51 0 d-----w- c:\windows\ServicePackFiles
2010-04-26 17:35:39 0 d-----w- c:\docume~1\admin\applic~1\Malwarebytes
2010-04-26 17:35:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-26 17:35:27 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
==================== Find3M ====================
2010-05-14 12:00:54 36096 ----a-w- c:\windows\system32\drivers\intelppm.sys
2010-04-20 10:05:36 4212 ---h--w- c:\windows\system32\zllictbl.dat
============= FINISH: 22:59:11.89 ===============
Your DDS Log looks good. :)
It looks like the top part of the MalwareBytes' Log you posted got cut off. Please post everything above the Time elapsed: 4 minute(s), 49 second(s) line in your next post/reply.
Step # 1: Run Kaspersky Online Scan
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.
In your next post/reply, I need to see the following:
1. The top part of the MBAM Log
2. Kaspersky Log
3. How is your computer doing, any problems?
Top Part of MBAM Log
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4140
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13
24/05/2010 22:57:55
mbam-log-2010-05-24 (22-57-55).txt
Scan type: Quick scan
Objects scanned: 127304
Time elapsed: 4 minute(s), 49 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
Kasperski Log
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, May 25, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, May 25, 2010 06:57:50
Records in database: 4171379
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
Scan statistics:
Objects scanned: 63148
Threats found: 4
Infected objects found: 7
Suspicious objects found: 0
Scan duration: 01:37:16
File name / Threat / Threats count
C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\61\757db4fd-36fff2bd Infected: Exploit.Java.Agent.f 1
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\29\7adbb65d-10aad6fd Infected: Exploit.Java.Agent.f 1
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\44\5473416c-1e10dde3 Infected: Exploit.Java.Agent.f 1
C:\Program Files\SolarWinds\Free Tools\~GLH0031.TMP Infected: not-a-virus:Server-FTP.Win32.Tftp.500 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\intelppm.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{6ADE42A1-A5D1-4E5E-8204-E809371069BE}\RP291\A0031740.exe Infected: not-a-virus:Server-FTP.Win32.Tftp.500 1
C:\System Volume Information\_restore{6ADE42A1-A5D1-4E5E-8204-E809371069BE}\RP307\A0038640.exe Infected: Trojan.Win32.FraudPack.avii 1
Selected area has been scanned.
I did run another scan with MBAM this morning no bugs found.
Overall the computer is performing alot better since the combo fix, the pop-ups have completely gone, I am able to search things via google and click on websites without another totally different website coming. However the amount of infections found via kasperski is a concern. I'll let you be the judge based on logs. However I am yet to run a spybot search, not sure if this is necassary?
However I am yet to run a spybot search, not sure if this is necassary?
Don't really see the need to run a scan with Spybot. Maybe if MalwareBytes' found something when you ran it, but it didn't. :)
Kaspersky found a file in the Qoobox folder which is where ComboFix keeps its quarantined files. I'll show you how to remove ComboFix (and its quarantined files) in an upcoming post. Kaspersky also found some infected System Restore points. They are harmless where they are. I'll show you how to remove them and set a new, clean one in an upcoming post.
Step # 1 Clear Java's Cache
Click Start > Control Panel
Double-click the Java icon in the control panel. (coffeecup icon)
Click Settings under Temporary Internet Files.
-The Temporary Files Settings dialog box appears.
Click Delete Files.
-The Delete Temporary Files dialog box appears.
-There are two options on this window to clear the cache.
Applications and Applets
Trace and Log Files
Make sure both are checked.
Click OK on Delete Temporary Files window.
-Note: This deletes all the Downloaded Applications and Applets from the cache.
Click OK on Temporary Files Settings window.
Close the Java Control Panel
Java Cache deleted, what next?
If there are no other problems, you are good to go. :)
You can delete the following off of your computer:
DDS.scr
The two DDS Logs
GMER.zip
GMER.exe
The GMER Log
You can reenable Teatimer.
To remove ComboFix, do the following:
Go to Start > Run - type in ComboFix /Uninstall & click OK
Empty your Recycle Bin.
Please take the time to read my All Clean Post.
Please follow these simple steps in order to keep your computer clean and secure:
This is a good time to clear your existing system restore points and establish a new clean restore point
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created..
Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.
Make your Internet Explorer more secure This can be done by following these simple instructions: From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub frames across different domains to Prompt When all these settings have been made, click on the OK button.
If it asks you if you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
If unchecked please checkHide protected operating system files (Recommended)
If necessary check "Display content of system folders"
If necessary Uncheck Hide file extensions for known file types.
Click OK
Use An Antivirus Software and Keep It Updated - It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Update Site Frequently It is important that you visit Microsoft Updates (http://update.microsoft.com/) regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install SpywareBlaster SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line Anti Malware (http://forum.malwareremoval.com/viewtopic.php?p=54#54)
Use the hosts file: Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file (http://www.mvps.org/winhelp2002/hosts.htm) Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE (http://www.bleepingcomputer.com/forums/tutorial51.html) If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button on the task bar at the bottom of your screen Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then doubleclick it. On the dropdown box, change the setting from automatic to manual. Click ok..
Use an alternative instant messenger program.Trillian (http://www.trillian.cc/) and Miranda IM (http://www.miranda-im.com/) These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Please read Tony Klein's excellent article: How I got Infected in the First Place (http://forums.subratam.org/index.php?showtopic=5931)
Please read Understanding Spyware, Browser Hijackers, and Dialers (http://www.bleepingcomputer.com/forums/tutorial41.html)
Please read Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/tutorial82.html)
If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox (http://www.mozilla.org/products/firefox) or
Opera (http://www.opera.com/download/).
If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
Update all these programs regularly Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back (http://spyware-free.us/2006/01/time-to-fight-back.html). Follow these steps and your potential for being infected again will reduce dramatically.
Here's a good website to read about Malware prevention:
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
If your computer is running slow, click here (http://www.malwareremoval.com/tutorials/runningslowly.php) for instructions on how to help speed up your computer.
Good luck!
Please reply one last time so that I know you have read my post and this thread can be closed.
Above followed, however I'm still getting 'Right Media' after a spybot scan
Above followed, however I'm still getting 'Right Media' after a spybot scan
Post the Spybot Log that shows 'Right Media'. Plus, redownload DDS and post a fresh DDS Log as well. No need for Attach.txt, just the main DDS Log.
This topic has been archived due to inactivity.
If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new HijackThis log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.
Applies only to the original poster, anyone else with similar problems please start a new topic.