
Thread: Follow up to Archived post - XP wouldn't boot

  1. #1
    Junior Member
    Join Date
    Dec 2007
    Posts
    16

    Follow up to Archived post - XP wouldn't boot

    Hi

    Had a problem about a month ago - now in Archives http://forums.spybot.info/showthread.php?t=64553 (Couldn't boot XP)

    ken545 asked me to post DDS and aswMBR.exe logs once I was up and running. I finally got the laptop up and running and have posted the DDS log below, but when I tried to run aswMBR.exe the laptop crashed, so I haven't posted anything for that.

    I would be grateful to know if I still have any issues.

    Thanks


    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_27
    Run by mikeg at 19:39:33 on 2012-01-03
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2038.1179 [GMT 0:00]
    .
    AV: BullGuard Antivirus *Enabled/Updated* {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
    FW: BullGuard Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\System32\SvcHost.exe -k BullGuard_Main
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\thpsrv.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\Program Files\TOSHIBA\Controls\VolumeIndicator.exe
    svchost.exe
    C:\Program Files\ClocX\ClocX.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\SvcHost.exe -k BullGuard_Backup
    C:\Program Files\BullGuard Ltd\BullGuard\BullGuardBhvScanner.exe
    C:\WINDOWS\System32\SvcHost.exe -k BullGuard
    C:\WINDOWS\System32\SvcHost.exe -k BullGuard_Proxy
    C:\Program Files\BullGuard Ltd\BullGuard\BullGuardScanner.exe
    C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Apoint2K\HidFind.exe
    C:\WINDOWS\system32\ThpSrv.exe
    C:\WINDOWS\system32\TODDSrv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\SoftwareDistribution\Download\20cd93918f8fe118a35d35bfeb53ccc1\update\update.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.co.uk/
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - No File
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [Toshiba Hotkey Utility] "c:\program files\toshiba\windows utilities\Hotkey.exe" /lang en
    mRun: [TPSMain] TPSMain.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
    mRun: [ThpSrv] c:\windows\system32\thpsrv /logon
    mRun: [Toshiba Controls Utility] "c:\program files\toshiba\controls\VolumeIndicator.exe"
    mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    mRun: [ClocX] c:\program files\clocx\ClocX.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [BullGuard] "c:\program files\bullguard ltd\bullguard\BullGuard.exe" -boot
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - {27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - c:\program files\bullguard ltd\bullguard\antiphishing\ie\BGAntiphishingIE.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    LSP: c:\windows\system32\BGLsp.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234280332500
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234280324203
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{4884895F-F050-404D-8475-A0399AD214DB} : DhcpNameServer = 192.168.1.1
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: BgGamingMonitor.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\eos208.ad.001\application data\mozilla\firefox\profiles\4f4hpqs7.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/webhp?complete=0&hl=en
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\nos\bin\np_gp.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-12-21 56208]
    R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2008-1-11 21120]
    R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-9-4 6528]
    R1 BdSpy;BdSpy;c:\windows\system32\drivers\BdSpy.sys [2011-11-18 64608]
    R1 NovaShieldFilterDriver;NovaShieldFilterDriver;c:\windows\system32\drivers\NSKernel.sys [2011-11-18 789960]
    R1 NovaShieldTDIDriver;NovaShieldTDIDriver;c:\windows\system32\drivers\NSNetmon.sys [2011-11-18 19272]
    R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\34302\RapportCerberus32_34302.sys [2012-1-1 228208]
    R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-12-21 71440]
    R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-12-21 164112]
    R2 BsBackup;BullGuard backup service;c:\windows\system32\SvcHost.exe -k BullGuard_Backup [2008-4-2 14336]
    R2 BsBhvScan;BullGuard behavioural detection service;c:\program files\bullguard ltd\bullguard\BullGuardBhvScanner.exe [2011-12-15 299360]
    R2 BsFileScan;BullGuard on-access service;c:\windows\system32\SvcHost.exe -k BullGuard [2008-4-2 14336]
    R2 BsFire;BullGuard firewall service;c:\windows\system32\SvcHost.exe -k BullGuard [2008-4-2 14336]
    R2 BsMailProxy;BullGuard e-mail monitoring service;c:\windows\system32\SvcHost.exe -k BullGuard_Proxy [2008-4-2 14336]
    R2 BsMain;BullGuard main service;c:\windows\system32\SvcHost.exe -k BullGuard_Main [2008-4-2 14336]
    R2 BsScanner;BullGuard scanning service;c:\program files\bullguard ltd\bullguard\BullGuardScanner.exe [2011-12-15 175456]
    R2 BsUpdate;BullGuard update service;c:\program files\bullguard ltd\bullguard\BullGuardUpdate.exe [2011-12-19 276320]
    R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2010-9-16 80896]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-12-21 931640]
    R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
    R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
    R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2011-11-18 34280]
    R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2011-11-18 267624]
    R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDAud.sys [2009-12-25 732160]
    R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-4-2 48600]
    R3 QIOMem;Generic IO & Memory Access;c:\windows\system32\drivers\QIOMem.sys [2007-5-29 6912]
    R3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\RapportIaso.sys [2011-8-18 21520]
    S3 GTUHSBUS;GT UHS BUS;c:\windows\system32\drivers\gtuhsbus.sys [2009-3-19 58880]
    S3 GTUHSNDISIPXP;GT UHS IP NDIS;c:\windows\system32\drivers\gtuhs51.sys [2009-3-19 106112]
    S3 GTUHSOMS;GT UHS OMS;c:\windows\system32\drivers\gtuhsoms.sys [2009-3-19 18816]
    S3 GTUHSSER;GT UHS SER;c:\windows\system32\drivers\gtuhsser.sys [2009-3-19 8064]
    S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2010-5-29 24576]
    S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-22 21248]
    S4 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
    .
    =============== Created Last 30 ================
    .
    2012-01-02 20:23:21 -------- d-----w- c:\windows\IIS Temporary Compressed Files
    2012-01-02 20:23:02 -------- d-----w- c:\windows\system32\Cache
    2012-01-02 20:21:18 9216 -c--a-w- c:\windows\system32\dllcache\wamps51.dll
    2012-01-02 20:20:27 -------- d-----w- C:\Inetpub
    2012-01-02 19:44:56 -------- d-----w- c:\documents and settings\eos208.ad.001\application data\SpaceMonger
    2012-01-02 19:44:55 -------- d-----w- c:\program files\SpaceMonger
    2012-01-01 19:36:03 -------- d-----w- c:\documents and settings\eos208.ad.001\application data\BullGuard
    2012-01-01 19:35:12 -------- d-----w- c:\documents and settings\all users\application data\BullGuard
    2012-01-01 19:34:59 -------- d-----w- c:\program files\common files\BullGuard Ltd
    2012-01-01 19:34:57 -------- d-----w- c:\program files\BullGuard Ltd
    2011-12-21 11:54:48 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2011-12-16 21:31:32 -------- d-----w- C:\TMP
    .
    ==================== Find3M ====================
    .
    2011-11-24 14:14:24 53088 ----a-w- c:\windows\system32\BGLsp.dll
    2011-11-22 09:54:30 308296 ----a-w- c:\windows\system32\drivers\Trufos.sys
    2011-11-18 08:58:50 34280 ----a-w- c:\windows\system32\drivers\afw.sys
    2011-11-18 08:58:50 267624 ----a-w- c:\windows\system32\drivers\afwcore.sys
    2011-11-18 08:58:24 64608 ----a-w- c:\windows\system32\drivers\BdSpy.sys
    2011-11-18 08:58:18 789960 ----a-w- c:\windows\system32\drivers\NSKernel.sys
    2011-11-18 08:58:18 19272 ----a-w- c:\windows\system32\drivers\NSNetmon.sys
    2011-10-18 08:51:13 72080 ----a-w- c:\documents and settings\eos208.ad.001\g2mdlhlpx.exe
    2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
    .
    ============= FINISH: 19:41:05.65 ===============

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208





    Please read Before You Post
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

    Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

    When running programs on Vista or Windows 7, you need to right-click the program and select RUN AS ADMINISTRATOR.


    Sorry about the delay, looks like your post got lost in the shuffle.

    Nothing earth-shattering is jumping out at me. How are things running? Any browser redirects or unwanted pop-up windows?


    Your DDS log is fairly old, so run it again and post a new log please.

    Please download Malwarebytes from Here or Here

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected .
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
    • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
    Post the report please.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Junior Member
    Join Date
    Dec 2007
    Posts
    16


    Hi

    Thanks for getting back to me - much appreciated.

    I finally got the laptop up and running, mainly thanks to Ubuntu and then managed to recover the XP OS.

    No redirects or pop-ups. Logs are posted below:

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_27
    Run by mikeg at 19:27:17 on 2012-01-09
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2038.1008 [GMT 0:00]
    .
    AV: BullGuard Antivirus *Enabled/Updated* {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
    FW: BullGuard Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\System32\SvcHost.exe -k BullGuard_Main
    svchost.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\thpsrv.exe
    C:\Program Files\TOSHIBA\Controls\VolumeIndicator.exe
    C:\Program Files\ClocX\ClocX.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Apoint2K\HidFind.exe
    svchost.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\SvcHost.exe -k BullGuard_Backup
    C:\Program Files\BullGuard Ltd\BullGuard\BullGuardBhvScanner.exe
    C:\WINDOWS\System32\SvcHost.exe -k BullGuard
    C:\WINDOWS\System32\SvcHost.exe -k BullGuard_Proxy
    C:\Program Files\BullGuard Ltd\BullGuard\BullGuardScanner.exe
    C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
    C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\ThpSrv.exe
    C:\WINDOWS\system32\TODDSrv.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.co.uk/
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - No File
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [Toshiba Hotkey Utility] "c:\program files\toshiba\windows utilities\Hotkey.exe" /lang en
    mRun: [TPSMain] TPSMain.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
    mRun: [ThpSrv] c:\windows\system32\thpsrv /logon
    mRun: [Toshiba Controls Utility] "c:\program files\toshiba\controls\VolumeIndicator.exe"
    mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    mRun: [ClocX] c:\program files\clocx\ClocX.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [BullGuard] "c:\program files\bullguard ltd\bullguard\BullGuard.exe" -boot
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - {27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - c:\program files\bullguard ltd\bullguard\antiphishing\ie\BGAntiphishingIE.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    LSP: c:\windows\system32\BGLsp.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234280332500
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234280324203
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{4884895F-F050-404D-8475-A0399AD214DB} : DhcpNameServer = 192.168.1.1
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: BgGamingMonitor.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\eos208.ad.001\application data\mozilla\firefox\profiles\4f4hpqs7.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/webhp?complete=0&hl=en
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\nos\bin\np_gp.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2008-1-11 21120]
    R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-9-4 6528]
    R1 BdSpy;BdSpy;c:\windows\system32\drivers\BdSpy.sys [2011-11-18 64608]
    R1 NovaShieldFilterDriver;NovaShieldFilterDriver;c:\windows\system32\drivers\NSKernel.sys [2011-11-18 789960]
    R1 NovaShieldTDIDriver;NovaShieldTDIDriver;c:\windows\system32\drivers\NSNetmon.sys [2011-11-18 19272]
    R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\34302\RapportCerberus32_34302.sys [2012-1-1 228208]
    R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-12-21 71440]
    R2 BsBackup;BullGuard backup service;c:\windows\system32\SvcHost.exe -k BullGuard_Backup [2008-4-2 14336]
    R2 BsBhvScan;BullGuard behavioural detection service;c:\program files\bullguard ltd\bullguard\BullGuardBhvScanner.exe [2011-12-15 299360]
    R2 BsFileScan;BullGuard on-access service;c:\windows\system32\SvcHost.exe -k BullGuard [2008-4-2 14336]
    R2 BsFire;BullGuard firewall service;c:\windows\system32\SvcHost.exe -k BullGuard [2008-4-2 14336]
    R2 BsMailProxy;BullGuard e-mail monitoring service;c:\windows\system32\SvcHost.exe -k BullGuard_Proxy [2008-4-2 14336]
    R2 BsMain;BullGuard main service;c:\windows\system32\SvcHost.exe -k BullGuard_Main [2008-4-2 14336]
    R2 BsScanner;BullGuard scanning service;c:\program files\bullguard ltd\bullguard\BullGuardScanner.exe [2011-12-15 175456]
    R2 BsUpdate;BullGuard update service;c:\program files\bullguard ltd\bullguard\BullGuardUpdate.exe [2011-12-19 276320]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-9 652872]
    R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2010-9-16 80896]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-12-21 931640]
    R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
    R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
    R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2011-11-18 34280]
    R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2011-11-18 267624]
    R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDAud.sys [2009-12-25 732160]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-9 20464]
    R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-4-2 48600]
    R3 QIOMem;Generic IO & Memory Access;c:\windows\system32\drivers\QIOMem.sys [2007-5-29 6912]
    R3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\RapportIaso.sys [2011-8-18 21520]
    S3 GTUHSBUS;GT UHS BUS;c:\windows\system32\drivers\gtuhsbus.sys [2009-3-19 58880]
    S3 GTUHSNDISIPXP;GT UHS IP NDIS;c:\windows\system32\drivers\gtuhs51.sys [2009-3-19 106112]
    S3 GTUHSOMS;GT UHS OMS;c:\windows\system32\drivers\gtuhsoms.sys [2009-3-19 18816]
    S3 GTUHSSER;GT UHS SER;c:\windows\system32\drivers\gtuhsser.sys [2009-3-19 8064]
    S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2010-5-29 24576]
    S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-22 21248]
    S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-12-21 56208]
    S3 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-12-21 164112]
    S4 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
    .
    =============== Created Last 30 ================
    .
    2012-01-09 19:07:52 -------- d-----w- c:\documents and settings\eos208.ad.001\application data\Malwarebytes
    2012-01-09 19:07:41 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-01-09 19:07:39 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-09 19:07:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-07 17:00:24 -------- d-----w- C:\4 Phone Backup
    2012-01-02 20:23:21 -------- d-----w- c:\windows\IIS Temporary Compressed Files
    2012-01-02 20:23:02 -------- d-----w- c:\windows\system32\Cache
    2012-01-02 20:21:18 9216 -c--a-w- c:\windows\system32\dllcache\wamps51.dll
    2012-01-02 20:20:27 -------- d-----w- C:\Inetpub
    2012-01-02 19:44:56 -------- d-----w- c:\documents and settings\eos208.ad.001\application data\SpaceMonger
    2012-01-02 19:44:55 -------- d-----w- c:\program files\SpaceMonger
    2012-01-01 19:36:03 -------- d-----w- c:\documents and settings\eos208.ad.001\application data\BullGuard
    2012-01-01 19:35:12 -------- d-----w- c:\documents and settings\all users\application data\BullGuard
    2012-01-01 19:34:59 -------- d-----w- c:\program files\common files\BullGuard Ltd
    2012-01-01 19:34:57 -------- d-----w- c:\program files\BullGuard Ltd
    2011-12-21 11:54:48 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2011-12-16 21:31:32 -------- d-----w- C:\TMP
    .
    ==================== Find3M ====================
    .
    2011-11-24 14:14:24 53088 ----a-w- c:\windows\system32\BGLsp.dll
    2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-22 09:54:30 308296 ----a-w- c:\windows\system32\drivers\Trufos.sys
    2011-11-18 08:58:50 34280 ----a-w- c:\windows\system32\drivers\afw.sys
    2011-11-18 08:58:50 267624 ----a-w- c:\windows\system32\drivers\afwcore.sys
    2011-11-18 08:58:24 64608 ----a-w- c:\windows\system32\drivers\BdSpy.sys
    2011-11-18 08:58:18 789960 ----a-w- c:\windows\system32\drivers\NSKernel.sys
    2011-11-18 08:58:18 19272 ----a-w- c:\windows\system32\drivers\NSNetmon.sys
    2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
    2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-10-18 08:51:13 72080 ----a-w- c:\documents and settings\eos208.ad.001\g2mdlhlpx.exe
    .
    ============= FINISH: 19:28:47.84 ===============


    Malwarebytes Anti-Malware (Trial) 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.09.07

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    mikeg :: ESTATENB08177 [administrator]

    Protection: Enabled

    09/01/2012 19:10:04
    mbam-log-2012-01-09 (19-10-04).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 284186
    Time elapsed: 13 minute(s), 6 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

  4. #4
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Looking good,

    Please download ATF Cleaner by Atribune to your desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    Your system may start up slower after running ATF Cleaner; this is expected, and it will be back to normal after the first or second boot-up.
    Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your passwords and other personal information, as removing cookies will temporarily disable the auto-login facility. If you want to keep your log-on info, just click on Select All and then uncheck Cookies.
    ESET Online Scanner
    I'd like us to scan your machine with ESET OnlineScan

    *Note
    It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.
    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check
    5. Click the button.
    6. Accept any security warnings from your browser.
    7. Check
    8. Make sure that the option "Remove found threats" is Unchecked
    9. Push the Start button.
    10. ESET will then download updates for itself, install itself, and begin
      scanning your computer. Please be patient as this can take some time.
    11. When the scan completes, push
    12. Push , and save the file to your desktop using a unique name, such as
      ESETScan. Include the contents of this report in your next reply.
    13. Push the button.
    14. Push
    Please make sure you include the following items in your next post:
    The log that was produced after running ESET Online Scanner.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  5. #5
    Junior Member
    Join Date
    Dec 2007
    Posts
    16

    Default

    Hi

    Ran both as requested

    ESET Scanner

    Scanned Files: 228940
    Infected Files: 0
    Cleaned Files: 0

    Thanks

  6. #6
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Great

    Everything running OK?

  7. #7
    Junior Member
    Join Date
    Dec 2007
    Posts
    16

    Default

    Yes, it's all OK now. Thanks for all your help - much appreciated.

  8. #8
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    You're very welcome

    Now to remove most of the tools that we have used in fixing your machine:
    • Make sure you have an Internet Connection.
    • Download OTC to your desktop and run it
    • A list of tool components used in the cleanup of malware will be downloaded.
    • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
    • Click Yes to begin the cleanup process and remove these components, including this application.
    • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.
    Safe Surfn
    Ken