Can't complete scan - hard drive very busy - ssqro?

Hi man

That didn't work either - exactly the same thing happened again.

No response, waited 10 mins. Tried it twice with no luck.

The comp is taking longer to load up now, and the hard drive is making more noise...
 
Hi :)

I apologize for the delay. I have been in contact with the developer of FindAWF to seek further advice ;)

So please delete these two files from the Desktop (if present):

  • locate
  • process
Next:

Please re-download FindAWF and replace the existing copy.

Copy the paths in the code box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

Code:
C:\PROGRA~1\MSNMES~1\BAK
C:\PROGRA~1\QUICKT~1\BAK
C:\WINDOWS\SYSTEM32\BAK
C:\PROGRA~1\COMMON~1\SYMANT~1\BAK
C:\PROGRA~1\HPQ\DEFAUL~1\BAK
C:\PROGRA~1\HPQ\QUICKL~1\BAK
C:\PROGRA~1\IRIVER\SERVICE\BAK
C:\PROGRA~1\SYNAPT~1\SYNTP\BAK
C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK
C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Select Option 3 from the menu and press Enter.
  • Press any key to continue.
  • A Notepad document, Folders, will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the folders and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.
Before you close FindAWF, Select Option 4 from the menu and press Enter.
When it's finished the tool will return to the main menu.
Press E to close FindAWF.
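An added illustration, not FindAWF's own code and not posted by either participant in the thread: a small Python script that does what the Option 3 step above does by hand. It finds every BAK folder under a set of roots, lists the executable-type files sitting in each one, and removes only the folders that were explicitly listed and that resolve inside the scanned tree (a pasted list that contains a typo, a non-BAK folder, or a path outside the roots is refused rather than deleted). The directory layout, file names and the `build_demo_tree` helper are constructed for the demo, and the paths are ordinary long names rather than the 8.3 short names (`PROGRA~1`) used in the post.

```python
"""Added example: locate BAK folders and remove only those on an explicit,
validated list. Not FindAWF's code; the sample tree below is constructed."""
import os
import shutil
import tempfile
from pathlib import Path

# File types worth listing when a BAK folder is found (assumption for the demo)
EXE_SUFFIXES = {".exe", ".dll", ".sys", ".cpl"}


def find_bak_folders(root):
    """Map every directory named 'bak' (case-insensitive) under root to the
    executable-type files it contains."""
    found = {}
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.lower() == "bak":
                bak = Path(dirpath) / d
                found[str(bak)] = sorted(
                    f for f in os.listdir(bak)
                    if Path(f).suffix.lower() in EXE_SUFFIXES
                )
    return found


def remove_listed_folders(root, listed):
    """Delete only folders that are (a) on the list, (b) named BAK, (c) real
    directories and (d) resolve inside root. Everything else is skipped."""
    root = Path(root).resolve()
    removed, skipped = [], []
    for p in listed:
        target = Path(p).resolve()
        if (root not in target.parents
                or target.name.lower() != "bak"
                or not target.is_dir()):
            skipped.append(p)
            continue
        shutil.rmtree(target)
        removed.append(str(target))
    return removed, skipped


def build_demo_tree():
    """Constructed sample layout echoing the kind of paths in the post."""
    root = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    for rel in ("Program Files/QuickTime/BAK",
                "WINDOWS/system32/BAK",
                "Program Files/Java/bin"):
        (root / rel).mkdir(parents=True)
    (root / "Program Files/QuickTime/BAK/qttask.exe").write_bytes(b"MZ")
    (root / "Program Files/QuickTime/BAK/readme.txt").write_text("x")
    (root / "WINDOWS/system32/BAK/ctfmon.exe").write_bytes(b"MZ")
    return root


def demo():
    """Scan, remove one listed BAK folder, rescan; returns the four results."""
    root = build_demo_tree()
    before = find_bak_folders(root)
    listed = [
        str(root / "Program Files/QuickTime/BAK"),   # valid: removed
        str(root / "Program Files/Java/bin"),        # not a BAK folder: skipped
        str(root.parent / "BAK"),                    # outside root: skipped
    ]
    removed, skipped = remove_listed_folders(root, listed)
    after = find_bak_folders(root)
    shutil.rmtree(root)
    return before, removed, skipped, after


if __name__ == "__main__":
    b, r, s, a = demo()
    print("before:", b)
    print("removed:", r, "skipped:", s)
    print("after:", a)
```

The point of the validation in `remove_listed_folders` is that the folder list is pasted by hand from a forum post; a deletion routine that trusts that list blindly will happily remove whatever it is pointed at.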
 
Hey again man

Still no luck I'm afraid - exactly the same thing happened again.

Aaaargh! :sad:

It's slowed down a lot again as well
 
Hi :)

OK please delete these three files from the Desktop (if present):

  • FindAWF.exe
  • locate
  • process
Next:

Please download ATF Cleaner to your desktop.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Check Hard Disk For Errors:

  • Click on Start >> Run, then copy/paste the following command into the box and press OK:

    Code:
    cmd /c chkdsk c: |find /v "percent"  >> "%userprofile%\desktop\checkhd.txt"
  • A blank command window will open on your desktop, then close in a few minutes. This is normal.
  • A file icon named checkhd.txt should appear on your Desktop. Please post the contents of this file.
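An added example, not part of the thread: a parser for the read-only CHKDSK report that the `cmd /c chkdsk c: | find /v "percent" >> checkhd.txt` step produces. It pulls out the size table, keeps the lines that describe actual anomalies (orphan recovery, bitmap corrections, free space marked allocated), and reports whether a `/F` run is still needed. One caveat worth knowing when reading these logs: in read-only mode the "Correcting errors in ..." lines only describe what a `/F` pass would do; nothing on the disk is changed by the read-only run. A second helper compares two runs, including whether the bad-sector figure moved between them. The two sample reports are the ones posted later in this thread, embedded here so the script runs offline.

```python
"""Added example: parse read-only CHKDSK output and compare two runs.
The samples reproduce the two checkhd.txt logs posted in the thread."""
import re

SAMPLE_RUN_1 = """The type of the file system is NTFS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
CHKDSK is verifying indexes (stage 2 of 3)...
CHKDSK is recovering lost files.
Recovering orphaned file tmp.edb (29843) into directory file 12182.
CHKDSK is verifying security descriptors (stage 3 of 3)...
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
Correcting errors in the master file table's (MFT) BITMAP attribute.
Correcting errors in the Volume Bitmap.
Windows found problems with the file system.
Run CHKDSK with the /F (fix) option to correct these.

58597055 KB total disk space.
40208068 KB in 68957 files.
46744 KB in 7210 indexes.
4 KB in bad sectors.
203367 KB in use by the system.
4096 KB occupied by the log file.
18138872 KB available on disk.

4096 bytes in each allocation unit.
14649263 total allocation units on disk.
4534718 allocation units available on disk.
"""

SAMPLE_RUN_2 = """The type of the file system is NTFS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
CHKDSK is verifying indexes (stage 2 of 3)...
CHKDSK is verifying security descriptors (stage 3 of 3)...
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows found problems with the file system.
Run CHKDSK with the /F (fix) option to correct these.

58597055 KB total disk space.
31212772 KB in 69428 files.
46820 KB in 7231 indexes.
4 KB in bad sectors.
203623 KB in use by the system.
4096 KB occupied by the log file.
27133836 KB available on disk.

4096 bytes in each allocation unit.
14649263 total allocation units on disk.
6783459 allocation units available on disk.
"""

KB_LINE = re.compile(r"^(\d+) KB (.+?)\.?$")
ALLOC_LINE = re.compile(r"^\d+ (bytes in each allocation unit|total allocation units|allocation units available)")
# Progress and banner lines that carry no verdict about the volume
NOISE = ("The type of the file system", "CHKDSK is verifying",
         "Usn Journal verification completed", "WARNING!", "Run CHKDSK with the /F")


def parse_chkdsk(text):
    """Return read_only, problems_found, findings (anomaly lines) and the KB table."""
    rep = {"read_only": False, "problems_found": False, "findings": [], "kb": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(NOISE) or ALLOC_LINE.match(line):
            continue
        m = KB_LINE.match(line)
        if line.startswith("Running CHKDSK in read-only mode"):
            rep["read_only"] = True
        elif line.startswith("Windows found problems with the file system"):
            rep["problems_found"] = True
        elif m:
            rep["kb"][m.group(2)] = int(m.group(1))
        else:
            rep["findings"].append(line)
    rep["bad_sector_kb"] = rep["kb"].get("in bad sectors", 0)
    rep["available_kb"] = rep["kb"].get("available on disk")
    return rep


def needs_fix(rep):
    """A read-only pass that reported problems has corrected nothing; /F is still due."""
    return rep["read_only"] and (rep["problems_found"] or bool(rep["findings"]))


def compare_runs(before, after):
    """What changed between two reports; a growing bad-sector figure is the red flag."""
    return {
        "findings_cleared": sorted(set(before["findings"]) - set(after["findings"])),
        "findings_new": sorted(set(after["findings"]) - set(before["findings"])),
        "bad_sectors_unchanged": before["bad_sector_kb"] == after["bad_sector_kb"],
        "available_kb_delta": after["available_kb"] - before["available_kb"],
    }


if __name__ == "__main__":
    r1, r2 = parse_chkdsk(SAMPLE_RUN_1), parse_chkdsk(SAMPLE_RUN_2)
    print("run 1 needs /F:", needs_fix(r1), r1["findings"])
    print("run 2 needs /F:", needs_fix(r2), r2["findings"])
    print(compare_runs(r1, r2))
```

Both posted reports end with "Windows found problems with the file system", so `needs_fix` is true for each; the comparison shows the MFT bitmap and orphan-file findings gone after the defrag and `/F` pass, a new volume-bitmap finding, about 9 GB more free space, and the 4 KB bad-sector count unchanged.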
 
Hey again

Cheers for all this help - so much appreciated!

Cleared the AWF stuff as requested
ATF cleaner (for firefox) worked fine
Here's the hard-disk log as requested...


The type of the file system is NTFS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
CHKDSK is verifying indexes (stage 2 of 3)...
CHKDSK is recovering lost files.
Recovering orphaned file tmp.edb (29843) into directory file 12182.
CHKDSK is verifying security descriptors (stage 3 of 3)...
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
Correcting errors in the master file table's (MFT) BITMAP attribute.
Correcting errors in the Volume Bitmap.
Windows found problems with the file system.
Run CHKDSK with the /F (fix) option to correct these.

58597055 KB total disk space.
40208068 KB in 68957 files.
46744 KB in 7210 indexes.
4 KB in bad sectors.
203367 KB in use by the system.
4096 KB occupied by the log file.
18138872 KB available on disk.

4096 bytes in each allocation unit.
14649263 total allocation units on disk.
4534718 allocation units available on disk.
 
Hi :)

"Cheers for all this help - so much appreciated!"
You're welcome!

Next:

Since we have put the hard drive of your computer through the mill, so to speak, with all the invasive scans and the nature of the various infections we have been dealing with, a hard-drive defragmentation run and Windows Check Disk will be of benefit:

  • Click Start >> Run... then type in CMD and click on OK.
  • At the Command Prompt C:\ > type the following:
  • CD C:\ and hit the Enter/Return key.
  • Now type in DEFRAG C: -F
  • An analysis report will be displayed and then Windows will start the defragmentation run automatically.
  • This may take some time; when completed the Command Prompt C:\ > will appear.
  • Now type in CHKDSK C: /F and hit the Enter/Return key.
  • When prompted with:
CHKDSK cannot run because the volume is in use by another process
Would you like to schedule this volume to be checked next time the system
restarts (Y/N)
  • Hit the Y key then at the Command Prompt C:\ >
  • Type in EXIT and hit the Enter/Return key.
  • Now Reboot (Restart) your computer.

Note: After the POST (Power On Self Test) you will see the below on your laptop's screen:

[Image: ChkDsk01.png]


CHKDSK (Check Disk) will start and carry out the repairs required. Do not touch either the keyboard or mousepad etc. until CHKDSK has completed and your laptop has then started up as normal.

Next:

Please download FindAWF.

Copy the paths in the code box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

Code:
C:\PROGRA~1\MSNMES~1\BAK
C:\PROGRA~1\QUICKT~1\BAK
C:\WINDOWS\SYSTEM32\BAK
C:\PROGRA~1\COMMON~1\SYMANT~1\BAK
C:\PROGRA~1\HPQ\DEFAUL~1\BAK
C:\PROGRA~1\HPQ\QUICKL~1\BAK
C:\PROGRA~1\IRIVER\SERVICE\BAK
C:\PROGRA~1\SYNAPT~1\SYNTP\BAK
C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK
C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Select Option 3 from the menu and press Enter.
  • Press any key to continue.
  • A Notepad document Folders will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the folders and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

Before you close FindAWF, Select Option 4 from the menu and press Enter.
When it's finished the tool will return to the main menu.
Press E to close FindAWF.
 
Howdy

The defrag went fine

But after I typed in the checkdisk stuff (I got the y/n prompt as you said) and restarted the laptop, I never saw the screen you showed - it just started up as normal. (Although there was a black screen for longer than I'd normally get). I didn't move or touch anything at all.

You want me to try again from typing in CHKDSK etc, or just go straight to AWF?

cheers man
 
Hi :)

I apologise for the delay, I had some personal matters to attend to.

OK, proceed with the FindAWF instructions please as follows:

Please download FindAWF.

Copy the paths in the code box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

Code:
C:\PROGRA~1\MSNMES~1\BAK
C:\PROGRA~1\QUICKT~1\BAK
C:\WINDOWS\SYSTEM32\BAK
C:\PROGRA~1\COMMON~1\SYMANT~1\BAK
C:\PROGRA~1\HPQ\DEFAUL~1\BAK
C:\PROGRA~1\HPQ\QUICKL~1\BAK
C:\PROGRA~1\IRIVER\SERVICE\BAK
C:\PROGRA~1\SYNAPT~1\SYNTP\BAK
C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK
C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Select Option 3 from the menu and press Enter.
  • Press any key to continue.
  • A Notepad document Folders will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the folders and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

Before you close FindAWF, Select Option 4 from the menu and press Enter.
When it's finished the tool will return to the main menu.
Press E to close FindAWF.
 
Hey man, no worries about the wait :)

AWF scan failed again. After I copy and paste the text and save and close, the blue screen says "scanning for bak folders" or something like that, and the little text pointer blinks as if it's doing something.

Waited 30 mins, no changes - clock stopped. No noises from comp, thing still blinking away. Force shutdown etc.

Two other things: internet connection keeps cutting out (I use a mobile one), and I have to restart 'cos it won't connect.

And something called Moodlogic keeps trying to connect to the net - I think this may be quite old, I don't think I've seen it in some time!
 
Hi :)

OK, re MoodLogic: this is a safe software application, and the reason it has now appeared again is that the malware infections, though partially removed, have reinstated portions of software that were infected.

If you have no need for this software then uninstall it.

Re the forced shutdown: this is never good for a hard disk's health, but regrettably we have been in the unfortunate position where this was the only option. So I would like you to run another scan so I can re-check its status:

Check Hard Disk For Errors:

  • Click on Start >> Run, then copy/paste the following command into the box and press OK:

    Code:
    cmd /c chkdsk c: |find /v "percent"  >> "%userprofile%\desktop\checkhd.txt"
  • A blank command window will open on your desktop, then close in a few minutes. This is normal.
  • A file icon named checkhd.txt should appear on your Desktop. Please post the contents of this file.
Next:

OK please delete these three files from the Desktop (if present):

  • FindAWF.exe
  • locate
  • process
Next:

Please re-download ComboFix, if prompted with ComboFix.exe already exists, allow it to download and replace the existing exe file:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs can be read here
  • Double click on ComboFix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

When completed the above, please post back the following in the order asked for:

  • Any problems encountered and or further symptoms at all ?
  • checkhd.txt
  • ComboFix Log.
  • A new HijackThis Log.
 
Hey man

Sorry for the wait - not been at home.

Anything new: comp does seem quieter in general I think. And it's quicker to load up.

Scans...

CheckHD:


The type of the file system is NTFS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
CHKDSK is verifying indexes (stage 2 of 3)...
CHKDSK is verifying security descriptors (stage 3 of 3)...
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows found problems with the file system.
Run CHKDSK with the /F (fix) option to correct these.

58597055 KB total disk space.
31212772 KB in 69428 files.
46820 KB in 7231 indexes.
4 KB in bad sectors.
203623 KB in use by the system.
4096 KB occupied by the log file.
27133836 KB available on disk.

4096 bytes in each allocation unit.
14649263 total allocation units on disk.
6783459 allocation units available on disk.

Combofix:

ComboFix 09-02-03.01 - Oliver 2009-02-04 16:21:16.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.126 [GMT 0:00]
Running from: c:\documents and settings\Oliver\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\regscan.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.

2009-01-31 17:26 . 2009-01-31 17:26 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-31 17:26 . 2009-01-31 17:26 1,409 --a------ c:\windows\QTFont.for
2009-01-29 18:51 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll
2009-01-28 18:27 . 2004-06-17 20:48 155,648 --a------ c:\windows\system32\igfxtray.exe
2009-01-28 18:27 . 2004-06-17 20:43 118,784 --a------ c:\windows\system32\hkcmd.exe
2009-01-27 22:07 . 2009-01-27 22:08 <DIR> d-------- C:\Rooter$
2009-01-26 20:49 . 2009-01-26 20:49 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-26 20:49 . 2009-01-26 20:49 <DIR> d-------- c:\documents and settings\Oliver\Application Data\Malwarebytes
2009-01-26 20:49 . 2009-01-26 20:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-26 20:49 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-26 20:49 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-23 09:42 . 2009-01-23 09:42 <DIR> d-------- c:\program files\Trend Micro
2009-01-23 09:37 . 2009-01-23 09:38 <DIR> d-------- c:\program files\ERUNT
2009-01-22 21:49 . 2009-01-22 21:49 <DIR> d-------- c:\documents and settings\Oliver\Application Data\dvdcss
2009-01-19 21:51 . 2009-02-01 01:51 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-19 21:51 . 2009-01-19 21:51 <DIR> d-------- c:\program files\AVG
2009-01-19 21:51 . 2009-01-19 21:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-19 21:51 . 2009-01-19 21:51 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-19 21:51 . 2009-01-19 21:51 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-11 13:23 . 2009-01-11 13:23 <DIR> d-------- c:\documents and settings\Oliver\Application Data\DivX
2009-01-11 13:20 . 2009-01-11 13:20 <DIR> d-------- c:\program files\DivX
2009-01-11 13:18 . 2009-01-11 13:18 <DIR> d-------- c:\documents and settings\Oliver\Application Data\ACD Systems
2009-01-11 13:17 . 2009-01-11 13:17 <DIR> d-------- c:\program files\Common Files\ACD Systems
2009-01-11 13:17 . 2009-01-11 13:17 <DIR> d-------- c:\program files\ACD Systems
2009-01-11 13:17 . 2009-01-11 13:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\ACD Systems

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-31 11:37 393,216 ----a-w c:\windows\Internet Logs\xDB1C.tmp
2009-01-28 22:51 2,157,568 ----a-w c:\windows\Internet Logs\xDB1B.tmp
2009-01-28 22:50 3,347,968 ----a-w c:\windows\Internet Logs\xDB1A.tmp
2009-01-28 18:28 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-28 18:27 --------- d-----w c:\program files\QuickTime
2009-01-27 21:52 --------- d-----w c:\documents and settings\Oliver\Application Data\uTorrent
2009-01-19 21:52 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2009-01-13 10:19 6,729,176 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-12-27 15:44 2,070,528 ----a-w c:\windows\Internet Logs\xDB19.tmp
2008-12-24 02:22 2,061,312 ----a-w c:\windows\Internet Logs\xDB18.tmp
2008-12-23 19:10 --------- d-----w c:\documents and settings\Oliver\Application Data\vlc
2008-12-23 12:14 --------- d-----w c:\program files\Soulseek
2008-12-18 10:19 2,048,512 ----a-w c:\windows\Internet Logs\xDB17.tmp
2008-12-17 23:22 --------- d-----w c:\program files\Java
2008-12-17 23:01 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-12-16 09:54 2,017,792 ----a-w c:\windows\Internet Logs\xDB16.tmp
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-12 15:06 2,018,816 ----a-w c:\windows\Internet Logs\xDB15.tmp
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-10 19:07 7,184,048 ----a-w c:\windows\Internet Logs\vsmon_on_demand_2008_12_10_17_55_45_full.dmp.zip
2008-11-24 01:03 1,975,808 ----a-w c:\windows\Internet Logs\xDB14.tmp
2008-11-12 01:02 1,940,480 ----a-w c:\windows\Internet Logs\xDB13.tmp
2008-11-10 05:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2007-02-22 00:05 4,322,304 ----a-w c:\program files\aawsepersonal.exe
2007-02-21 20:45 6,469,352 ----a-w c:\program files\avgas-setup-7.5.0.50.exe
2007-02-17 13:45 18,895,728 ----a-w c:\program files\Install_Messenger.exe
2007-01-05 14:21 244 ----a-w c:\documents and settings\Oliver\Application Data\wklnhst.dat
2006-06-01 09:24 937,001 ----a-w c:\program files\slsk156c.exe
2005-07-09 02:44 777 ----a-w c:\program files\trial_setup.ini
2005-07-09 02:44 5,137,920 ----a-w c:\program files\trial_setup.msi
2005-07-09 02:44 40,448 ----a-w c:\program files\trial_setup.exe
2004-11-14 14:25 44,032 ----a-w c:\documents and settings\Oliver\Application Data\iebar.dll
2007-08-02 19:24 88 --sha-r c:\windows\system32\CC6E208781.sys
2007-08-02 19:24 2,828 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-10-24 20:09 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102420081025\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-26_22.30.55.60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 12:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\01-02-2009\ERDNT.EXE
+ 2009-02-01 01:48:40 12,759,040 ----a-w c:\windows\erdnt\AutoBackup\01-02-2009\Users\00000001\NTUSER.DAT
+ 2009-02-01 01:48:41 221,184 ----a-w c:\windows\erdnt\AutoBackup\01-02-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 12:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\02-02-2009\ERDNT.EXE
+ 2009-02-02 00:16:32 12,759,040 ----a-w c:\windows\erdnt\AutoBackup\02-02-2009\Users\00000001\NTUSER.DAT
+ 2009-02-02 00:16:32 221,184 ----a-w c:\windows\erdnt\AutoBackup\02-02-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 12:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\04-02-2009\ERDNT.EXE
+ 2009-02-04 15:50:27 12,759,040 ----a-w c:\windows\erdnt\AutoBackup\04-02-2009\Users\00000001\NTUSER.DAT
+ 2009-02-04 15:50:29 221,184 ----a-w c:\windows\erdnt\AutoBackup\04-02-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 12:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\27-01-2009\ERDNT.EXE
+ 2009-01-27 00:50:02 12,673,024 ----a-w c:\windows\erdnt\AutoBackup\27-01-2009\Users\00000001\NTUSER.DAT
+ 2009-01-27 00:50:03 221,184 ----a-w c:\windows\erdnt\AutoBackup\27-01-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 12:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\28-01-2009\ERDNT.EXE
+ 2009-01-28 09:32:48 12,685,312 ----a-w c:\windows\erdnt\AutoBackup\28-01-2009\Users\00000001\NTUSER.DAT
+ 2009-01-28 09:32:48 221,184 ----a-w c:\windows\erdnt\AutoBackup\28-01-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 12:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\29-01-2009\ERDNT.EXE
+ 2009-01-29 08:24:09 12,685,312 ----a-w c:\windows\erdnt\AutoBackup\29-01-2009\Users\00000001\NTUSER.DAT
+ 2009-01-29 08:24:09 221,184 ----a-w c:\windows\erdnt\AutoBackup\29-01-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 12:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\30-01-2009\ERDNT.EXE
+ 2009-01-30 08:44:00 12,689,408 ----a-w c:\windows\erdnt\AutoBackup\30-01-2009\Users\00000001\NTUSER.DAT
+ 2009-01-30 08:44:01 221,184 ----a-w c:\windows\erdnt\AutoBackup\30-01-2009\Users\00000002\UsrClass.dat
+ 2005-10-20 12:02:28 163,328 ----a-w c:\windows\erdnt\AutoBackup\31-01-2009\ERDNT.EXE
+ 2009-01-31 03:09:11 12,689,408 ----a-w c:\windows\erdnt\AutoBackup\31-01-2009\Users\00000001\NTUSER.DAT
+ 2009-01-31 03:09:11 221,184 ----a-w c:\windows\erdnt\AutoBackup\31-01-2009\Users\00000002\UsrClass.dat
- 2008-04-14 00:12:16 15,360 ----a-w c:\windows\system32\ctfmon.exe
+ 2004-08-04 08:00:00 15,360 ----a-w c:\windows\system32\ctfmon.exe
+ 2004-08-04 08:00:00 15,360 ----a-w c:\windows\system32\dllcache\ctfmon.exe
- 2008-07-09 08:05:10 83,432 ----a-w c:\windows\system32\vsdata.dll
+ 2008-11-13 15:18:44 107,408 ----a-w c:\windows\system32\vsdata.dll
- 2008-07-09 08:05:22 394,952 ----a-w c:\windows\system32\vsdatant.sys
+ 2008-11-13 15:19:00 353,680 ----a-w c:\windows\system32\vsdatant.sys
- 2008-07-09 08:05:10 157,160 ----a-w c:\windows\system32\vsinit.dll
+ 2008-11-13 15:18:44 216,464 ----a-w c:\windows\system32\vsinit.dll
- 2008-07-09 08:05:10 103,912 ----a-w c:\windows\system32\vsmonapi.dll
+ 2008-11-13 15:18:44 107,408 ----a-w c:\windows\system32\vsmonapi.dll
- 2008-07-09 08:05:10 275,944 ----a-w c:\windows\system32\vspubapi.dll
+ 2008-11-13 15:18:44 310,160 ----a-w c:\windows\system32\vspubapi.dll
- 2008-07-09 08:05:10 71,144 ----a-w c:\windows\system32\vsregexp.dll
+ 2008-11-13 15:18:44 58,768 ----a-w c:\windows\system32\vsregexp.dll
- 2008-07-09 08:05:12 472,552 ----a-w c:\windows\system32\vsutil.dll
+ 2008-11-13 15:18:46 475,536 ----a-w c:\windows\system32\vsutil.dll
- 2008-07-09 08:05:12 46,568 ----a-w c:\windows\system32\vswmi.dll
+ 2008-11-13 15:18:46 30,096 ----a-w c:\windows\system32\vswmi.dll
- 2008-07-09 08:05:12 99,816 ----a-w c:\windows\system32\vsxml.dll
+ 2008-11-13 15:18:46 110,480 ----a-w c:\windows\system32\vsxml.dll
- 2008-07-09 08:05:12 83,432 ----a-w c:\windows\system32\zlcomm.dll
+ 2008-11-13 15:18:46 69,008 ----a-w c:\windows\system32\zlcomm.dll
- 2008-07-09 08:05:12 71,144 ----a-w c:\windows\system32\zlcommdb.dll
+ 2008-11-13 15:18:46 106,384 ----a-w c:\windows\system32\zlcommdb.dll
- 2008-07-16 13:38:37 4,212 ---h--w c:\windows\system32\zllictbl.dat
+ 2009-01-29 18:52:21 4,212 ---ha-w c:\windows\system32\zllictbl.dat
- 2008-07-09 08:05:06 99,816 ----a-w c:\windows\system32\ZoneLabs\camupd.dll
+ 2008-11-13 15:18:40 76,176 ----a-w c:\windows\system32\ZoneLabs\camupd.dll
- 2004-01-30 11:35:08 813,568 ----a-w c:\windows\system32\ZoneLabs\dbghelp.dll
+ 2008-03-17 16:52:02 813,568 ----a-w c:\windows\system32\ZoneLabs\dbghelp.dll
- 2008-07-09 08:05:08 128,480 ----a-w c:\windows\system32\ZoneLabs\fbl.dll
+ 2008-11-13 15:18:42 98,192 ----a-w c:\windows\system32\ZoneLabs\fbl.dll
- 2008-07-09 08:05:08 38,376 ----a-w c:\windows\system32\ZoneLabs\featuremap.dll
+ 2008-11-13 15:18:42 38,288 ----a-w c:\windows\system32\ZoneLabs\featuremap.dll
+ 2008-11-13 15:18:42 159,120 ----a-w c:\windows\system32\ZoneLabs\httpblocker.dll
+ 2008-05-19 14:59:00 525,792 ----a-w c:\windows\system32\ZoneLabs\icslta.dll
+ 2008-11-13 15:19:02 28,048 ----a-w c:\windows\system32\ZoneLabs\lib\Alert.zip.dll
- 2008-07-09 08:05:24 288,144 ----a-w c:\windows\system32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2008-11-13 15:19:02 322,960 ----a-w c:\windows\system32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2008-11-13 15:19:02 122,768 ----a-w c:\windows\system32\ZoneLabs\lib\DashBoard.zip.dll
- 2008-07-16 14:00:25 152,976 ----a-w c:\windows\system32\ZoneLabs\lib\licenseui.zip.dll
+ 2008-11-13 15:19:02 331,664 ----a-w c:\windows\system32\ZoneLabs\lib\LicenseUI.zip.dll
+ 2008-11-13 15:19:02 10,128 ----a-w c:\windows\system32\ZoneLabs\lib\MainLoop.zip.dll
+ 2008-11-13 15:19:04 18,320 ----a-w c:\windows\system32\ZoneLabs\lib\NavBar.zip.dll
+ 2008-11-13 15:19:04 110,992 ----a-w c:\windows\system32\ZoneLabs\lib\Overview.zip.dll
+ 2008-11-13 15:19:04 238,992 ----a-w c:\windows\system32\ZoneLabs\lib\Sandbox.zip.dll
+ 2008-11-13 15:19:04 156,048 ----a-w c:\windows\system32\ZoneLabs\lib\TrayTest.zip.dll
+ 2008-11-13 15:19:04 19,856 ----a-w c:\windows\system32\ZoneLabs\lib\UpdateUI.zip.dll
+ 2008-11-13 15:19:04 43,920 ----a-w c:\windows\system32\ZoneLabs\lib\ZAlert.zip.dll
+ 2008-11-13 15:19:04 19,344 ----a-w c:\windows\system32\ZoneLabs\lib\zic.zip.dll
+ 2008-11-13 15:19:04 13,712 ----a-w c:\windows\system32\ZoneLabs\lib\zmenu.zip.dll
+ 2008-11-13 15:19:04 24,464 ----a-w c:\windows\system32\ZoneLabs\lib\zp4pc.zip.dll
+ 2008-11-13 15:19:04 30,608 ----a-w c:\windows\system32\ZoneLabs\lib\zpdp.zip.dll
- 2008-07-09 08:05:24 1,361,296 ----a-w c:\windows\system32\ZoneLabs\lib\zpy.zip.dll
+ 2008-11-13 15:19:04 1,536,400 ----a-w c:\windows\system32\ZoneLabs\lib\zpy.zip.dll
+ 2008-11-13 15:19:04 18,832 ----a-w c:\windows\system32\ZoneLabs\lib\zsys.zip.dll
+ 2008-11-13 15:19:04 70,032 ----a-w c:\windows\system32\ZoneLabs\lib\ztv.zip.dll
- 2008-07-09 08:05:24 71,056 ----a-w c:\windows\system32\ZoneLabs\lib\zui.zip.dll
+ 2008-11-13 15:19:04 114,064 ----a-w c:\windows\system32\ZoneLabs\lib\zui.zip.dll
+ 2008-11-13 15:19:06 59,792 ----a-w c:\windows\system32\ZoneLabs\lib\zvpn.zip.dll
- 2008-02-27 02:10:26 714,208 ----a-w c:\windows\system32\ZoneLabs\qrbase.dll
+ 2008-04-21 07:19:42 718,272 ----a-w c:\windows\system32\ZoneLabs\qrbase.dll
- 2008-02-27 02:10:28 792,032 ----a-w c:\windows\system32\ZoneLabs\qrsrecl.dll
+ 2008-04-21 07:19:44 792,000 ----a-w c:\windows\system32\ZoneLabs\qrsrecl.dll
- 2008-07-09 08:05:08 173,544 ----a-w c:\windows\system32\ZoneLabs\scheduler.dll
+ 2008-11-13 15:18:42 132,496 ----a-w c:\windows\system32\ZoneLabs\scheduler.dll
- 2008-01-21 07:34:36 7,603,688 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
+ 2008-04-21 07:19:46 8,790,493 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
- 2008-02-27 02:10:32 1,504,736 ----a-w c:\windows\system32\ZoneLabs\srescan.dll
+ 2008-04-21 07:19:52 1,516,992 ----a-w c:\windows\system32\ZoneLabs\srescan.dll
- 2008-02-27 02:10:44 51,176 ----a-w c:\windows\system32\ZoneLabs\srescan.sys
+ 2008-04-21 07:19:58 51,648 ----a-w c:\windows\system32\ZoneLabs\srescan.sys
- 2008-07-09 08:05:10 456,168 ----a-w c:\windows\system32\ZoneLabs\ssleay32.dll
+ 2008-11-13 15:18:44 443,280 ----a-w c:\windows\system32\ZoneLabs\ssleay32.dll
- 2007-10-11 15:50:32 832,984 ----a-w c:\windows\system32\ZoneLabs\updating.dll
+ 2007-10-11 16:51:34 832,984 ----a-w c:\windows\system32\ZoneLabs\updating.dll
- 2008-07-09 08:05:18 144,936 ----a-w c:\windows\system32\ZoneLabs\updclient.exe
+ 2008-11-13 15:18:54 176,016 ----a-w c:\windows\system32\ZoneLabs\updclient.exe
- 2008-07-09 08:05:10 83,432 ----a-w c:\windows\system32\ZoneLabs\vsdb.dll
+ 2008-11-13 15:18:44 106,896 ----a-w c:\windows\system32\ZoneLabs\vsdb.dll
- 2008-07-09 08:05:18 75,304 ----a-w c:\windows\system32\ZoneLabs\vsmon.exe
+ 2008-11-13 15:18:56 2,405,776 ----a-w c:\windows\system32\ZoneLabs\vsmon.exe
- 2008-07-09 08:05:12 1,361,384 ----a-w c:\windows\system32\ZoneLabs\vsruledb.dll
+ 2008-11-13 15:18:46 1,655,184 ----a-w c:\windows\system32\ZoneLabs\vsruledb.dll
- 2008-07-09 08:05:12 239,080 ----a-w c:\windows\system32\ZoneLabs\vsvault.dll
+ 2008-11-13 15:18:46 172,432 ----a-w c:\windows\system32\ZoneLabs\vsvault.dll
- 2008-01-21 07:34:36 7,603,688 ----a-w c:\windows\system32\ZoneLabs\zlasdbup.dat
+ 2008-04-21 07:19:46 8,790,493 ----a-w c:\windows\system32\ZoneLabs\zlasdbup.dat
- 2008-07-09 08:05:12 177,640 ----a-w c:\windows\system32\ZoneLabs\zlparser.dll
+ 2008-11-13 15:18:46 178,576 ----a-w c:\windows\system32\ZoneLabs\zlparser.dll
- 2008-07-09 08:05:12 79,344 ----a-w c:\windows\system32\ZoneLabs\zlquarantine.dll
+ 2008-11-13 15:18:48 98,192 ----a-w c:\windows\system32\ZoneLabs\zlquarantine.dll
- 2008-07-09 08:05:14 382,440 ----a-w c:\windows\system32\ZoneLabs\zlsre.dll
+ 2008-11-13 15:18:48 311,696 ----a-w c:\windows\system32\ZoneLabs\zlsre.dll
- 2008-07-09 08:05:14 120,296 ----a-w c:\windows\system32\ZoneLabs\zlupdate.dll
+ 2008-11-13 15:18:48 110,480 ----a-w c:\windows\system32\ZoneLabs\zlupdate.dll
+ 2009-02-04 15:48:17 16,384 ----atw c:\windows\temp\Perflib_Perfdata_2ec.dat
+ 2007-11-06 20:23:58 224,768 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcm90.dll
+ 2007-11-07 01:19:34 568,832 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcp90.dll
+ 2007-11-07 01:19:34 655,872 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcr90.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 688218]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 290816]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-10-13 229438]
"iRiver AutoDB"="c:\program files\iRiver\Service\MLService.exe" [2004-09-10 1040384]
"iRiver Updater"="c:\program files\iRiver\Service\Updater.exe" [2004-09-07 212992]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Oliver\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
ICON2 USB Connect.lnk - c:\program files\Orange\ICON2 USB Connect\ICON2 USB Connect.exe [2007-07-20 794624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-19 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-19 231704]
R2 GtFlashSwitch;GtFlashSwitch;c:\program files\Common Files\GtFlashSwitch\GtFlashSwitch.exe [2007-02-09 176128]
R3 GTMNDISIRPXP;GT M 3G+ IRP NDIS;c:\windows\system32\drivers\Gtm51Irp.sys [2007-04-14 122496]
R3 GTPTSER;GT PT SER;c:\windows\system32\drivers\gtptser.sys [2007-04-14 8064]
R3 GTUQBUS;GT UQ BUS;c:\windows\system32\drivers\gtuqbus.sys [2007-04-14 37120]
R3 MLFILEM;MLFILEM;c:\windows\system32\drivers\MLFILEM.SYS [2006-01-14 28160]
S3 CA500AI;GSmart Mini Still Image Capture;c:\windows\system32\drivers\BULK2NM.sys [2005-11-30 11117]
S3 CA500AV;GSmart Mini WDM Video Capture;c:\windows\system32\drivers\ca500av.SYS [2005-11-30 492619]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-11-12 33752]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MLFILEM
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-kdx - c:\program files\Kontiki\KHost.exe
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: gmail.com
Trusted Zone: google.com\mail
TCP: {4F4516B6-07A9-4585-B713-CDE1E708EC2B} = 192.168.0.4
TCP: {9BFC924E-05D2-4633-87F7-8BB32D8ACDEB} = 192.168.0.4
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://85.235.16.146/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Oliver\Application Data\Mozilla\Firefox\Profiles\jvy67j0r.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 16:23:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????1?9?3?2??@???? ???B?????????????H<C? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-04 16:26:51
ComboFix-quarantined-files.txt 2009-02-04 16:26:28
ComboFix2.txt 2009-01-26 22:34:11
ComboFix3.txt 2007-08-09 13:22:44

Pre-Run: 27,740,053,504 bytes free
Post-Run: 27,772,653,568 bytes free

307 --- E O F --- 2009-01-14 00:35:47

and finally, HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:27:40, on 04/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\iRiver\Service\MLService.exe
C:\Program Files\iRiver\Service\Updater.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Orange\ICON2 USB Connect\ICON2 USB Connect.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [iRiver AutoDB] C:\Program Files\iRiver\Service\MLService.exe
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\Service\Updater.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ICON2 USB Connect.lnk = C:\Program Files\Orange\ICON2 USB Connect\ICON2 USB Connect.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1186598090046
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1186598075984
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://handy-wf.de:8080/activex/AxisCamControl.cab
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.6.0_10) -
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://85.235.16.146/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F4516B6-07A9-4585-B713-CDE1E708EC2B}: NameServer = 192.168.0.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{9BFC924E-05D2-4633-87F7-8BB32D8ACDEB}: NameServer = 192.168.0.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{31732A7F-D9B9-4B53-9CCC-01D88E18486B}: NameServer = 192.168.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7820 bytes

Hope this helps!

cheers again man
 
Hi :)

Sorry for the wait - not been at home.
Not a problem I assure you.

Anything new: comp does seem quieter in general I think. And it's quicker to load up.
That is good to learn and we have made good inroads so far.

However I do have bad news I'm afraid :sad:

One or more of the identified infections is a Backdoor IRC Trojan, and it appears your computer has for some time been what is known as a Zombie Computer, which goes a long way to explaining the problems we have been experiencing so far with the malware removal process.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Although an attempt could be made to clean this machine, it could never be considered to be truly clean, secure, or trustworthy. We could not say definitively that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damage it may possibly have caused to vital system files. Additionally, it is quite possible that changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat. Therefore, your best and safest course of action is a reformat and reinstallation of the Windows operating system, and that is the course we strongly recommend.

Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

I can attempt to clean this machine but I can't guarantee that it will be at all secure afterwards.

Should you have any questions, please feel free to ask.

Please let me know what you have decided to do in your next post.
 
Wow - wasn't expecting that! Cheers for letting me know! :s

I'll reformat and reinstall asap - hit me with the instructions and I'll start going.

Will do all the other things you mentioned asap as well.

cheers
 
Hi :)

Wow - wasn't expecting that! Cheers for letting me know! :s
Aye, most unfortunate, and you're welcome!

I'll reformat and reinstall asap - hit me with the instructions and I'll start going.
I respect your decision and I assure you this is the best course of action to take.

Being totally honest, if this was one of my computers I would no doubt be feeling the exasperation you are currently experiencing, but would not hesitate to do so.

Especially since both my wife and I use online banking, this is even more so a prudent course of action.

REFORMAT & REINSTALL

Since you have decided to do a clean install, read the information below.

Please make sure that you know what to do before beginning the operation.

Here are a few links that will probably help.
You can print all this information, so you have it handy.

When should I re-format? How should I reinstall?
Windows XP Clean install

Then there are a couple of things you should do immediately after installing Windows and before surfing the net...
  • Use an Anti Virus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
    Here are some free Anti Virus programs which I recommend:
    • Antivir PersonalEditionClassic
      • Free anti-virus software for Windows.
      • Detects and removes more than 50,000 viruses. Free support.
    • avast! 4 Home Edition
      • Anti-virus program for Windows.
      • The home edition is freeware for noncommercial users.
  • Update your Anti Virus Software - It is imperative that you update your anti-virus software at least once a week (even more if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.
    Here are some free Firewalls which I recommend:
    (Use only one, and disable your Windows Firewall)

  • Keep your system updated - Microsoft releases patches for Windows and other products regularly:
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab.
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialise and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option.
    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with anti-virus software.
    Download it from here. Just choose a mirror and off you go.
    Find the tutorial on how to use Spybot properly here.
  • Install WinPatrol
    Download it from here.
    Here you can find information about how WinPatrol works.
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    Download it from here.
    Find the tutorial on how to use SpywareBlaster properly here.
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Good Luck! :) If any questions do not hesitate to ask OK :bigthumb:
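As an added, read-only check that is not part of the original post or of any tool it names: the six Internet-zone settings the helper walks through in the IE dialog are stored as DWORD values under the Internet Explorer Zones key, so they can be audited from PowerShell after the clicks have been made. The value IDs (1001, 1004, 1201, 1607, 1800, 1804) and the meanings 0 = Enable, 1 = Prompt, 3 = Disable follow Microsoft's documented zone registry layout; the function and variable names are my own.

```powershell
# Added example: audit the Internet zone (Zone 3) settings recommended in the post above.
# Value names are the documented URL-action IDs of the Zones registry layout;
# the expected values mirror the Prompt/Disable choices listed in the post.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended state, taken from the post: 1 = Prompt, 3 = Disable.
$expected = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                        Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                      Want = 3 }
    '1201' = @{ Name = 'Initialise and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                           Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';               Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';            Want = 1 }
}
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting {
    param([string]$Path, [string]$ValueName)
    # Get-ItemProperty returns nothing (no error) when the value is absent;
    # an absent value means the zone is still using its built-in default.
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-InternetZoneHardening {
    param([string]$Path = $zonePath)
    # Compare each recommended setting with what is actually in the registry.
    $results = foreach ($id in ($expected.Keys | Sort-Object)) {
        $have = Get-ZoneSetting -Path $Path -ValueName $id
        $haveLabel = if ($null -eq $have) { 'not set (zone default)' } else { $labels[$have] }
        [pscustomobject]@{
            Id       = $id
            Setting  = $expected[$id].Name
            Current  = $haveLabel
            Expected = $labels[$expected[$id].Want]
            OK       = ($have -eq $expected[$id].Want)
        }
    }
    return $results
}

# Print one row per setting; any row with OK = False still needs the GUI change.
Test-InternetZoneHardening | Format-Table -AutoSize
```

A per-user value can be overridden: if the machine-wide Zones key under HKLM is in force (the Security_HKLM_only value under Internet Settings) or a Group Policy sets the same action, the effective setting will differ from what this audit reads under HKCU, so a mismatch after making the GUI change is the cue to look there.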
 
Since this issue appears to be resolved ... this Topic has been closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
 