pc crashes, ie & other files, empty (Resolved)

D

Dianne

New member
Hello, i have read through the sticky's. done a registry back up with ERDNT, disabled tea timer, and this is my 'double spaced' HJT log.

Edit:
Note: In notepad under Format, uncheck "Word Wrap" Produce all HJT logs like this, single spaced.
single-spaced - (of type or print) not having a blank space between lines. Otherwise the log is hard to read.
Click to expand...
I'm an extremely new novice!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:01, on 25/02/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Internet Explorer\ieuser.exe

C:\Windows\System32\mobsync.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [Anonymizer] C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe -nogui

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O13 - Gopher Prefix:
O23 - Service: Anonymizer Management Service (AnonMgmtSvc) - Anonymizer - C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 4939 bytes


I need to tell you also, that i have already done a 'system restore' before someone pointed me in the direction of these forums.

Thank you :bigthumb:
 
Last edited by a moderator:
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.
Click to expand...
Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
  1. Please Read All Instructions Carefully
  2. If you don't understand something, stop and ask! Don't keep going on.
  3. Please do not run any other tools or scans whilst I am helping you
  4. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly
laechel.gif


Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------

Hi Dianne,

I think you need to disable TeaTimer again :)

Download and Run RSIT
  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.
 
Hello and thank you... sorry and very much appreciated! :)

I followed the steps again to disable tea timer and the box was unchecked and i restarted my computer but when i checked again, it still said 'actice' even though there was no check in the box.


logtxt

Logfile of random's system information tool 1.05 (written by random/random)
Run by minime at 2009-02-28 14:04:21
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 103 GB (71%) free of 144 GB
Total RAM: 1916 MB (72% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:04:29, on 28/02/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Users\minime\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\minime.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Anonymizer] C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe -nogui
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O23 - Service: Anonymizer Management Service (AnonMgmtSvc) - Anonymizer - C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 4435 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-21 1008184]
"RtHDVCpl"=C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [2008-10-13 6335008]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2007-01-08 68640]
"LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2007-01-08 52256]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-21 1233920]
"MsnMsgr"=C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [2007-10-18 5724184]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-21 125952]
"Anonymizer"=C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe [2008-11-17 1557176]

C:\Users\minime\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2009-02-28 14:04:21 ----D---- C:\rsit
2009-02-25 12:41:42 ----D---- C:\Windows\ERDNT
2009-02-25 12:40:23 ----D---- C:\Program Files\ERUNT
2009-02-25 12:09:40 ----D---- C:\Program Files\Trend Micro
2009-02-25 12:03:02 ----D---- C:\Users\minime\AppData\Roaming\Template
2009-02-24 18:58:27 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-02-23 18:23:23 ----A---- C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-02-23 18:23:23 ----A---- C:\Windows\system32\infocardapi.dll
2009-02-23 18:23:22 ----A---- C:\Windows\system32\PresentationHostProxy.dll
2009-02-23 18:23:22 ----A---- C:\Windows\system32\icardres.dll
2009-02-23 18:23:22 ----A---- C:\Windows\system32\icardagt.exe
2009-02-23 18:23:18 ----A---- C:\Windows\system32\PresentationNative_v0300.dll
2009-02-23 18:23:17 ----A---- C:\Windows\system32\PresentationHost.exe
2009-02-23 18:15:58 ----A---- C:\Windows\system32\dfshim.dll
2009-02-23 18:15:55 ----A---- C:\Windows\system32\mscoree.dll
2009-02-23 18:15:54 ----A---- C:\Windows\system32\netfxperf.dll
2009-02-23 18:15:38 ----A---- C:\Windows\system32\mscorier.dll
2009-02-23 18:15:31 ----A---- C:\Windows\system32\mscories.dll
2009-02-23 10:36:55 ----A---- C:\Windows\system32\mshtml.dll
2009-02-23 10:36:54 ----A---- C:\Windows\system32\ieframe.dll
2009-02-23 10:36:52 ----A---- C:\Windows\system32\urlmon.dll
2009-02-23 10:36:51 ----A---- C:\Windows\system32\wininet.dll
2009-02-23 10:36:51 ----A---- C:\Windows\system32\mstime.dll
2009-02-23 10:36:51 ----A---- C:\Windows\system32\msfeeds.dll
2009-02-23 10:36:50 ----A---- C:\Windows\system32\jsproxy.dll
2009-02-23 10:36:50 ----A---- C:\Windows\system32\iertutil.dll
2009-02-22 19:29:16 ----A---- C:\Windows\system32\EncDec.dll
2009-02-22 19:29:11 ----A---- C:\Windows\system32\psisdecd.dll
2009-02-22 16:03:14 ----D---- C:\Users\minime\AppData\Roaming\Macromedia
2009-02-22 16:03:14 ----D---- C:\Users\minime\AppData\Roaming\Adobe
2009-02-22 15:57:37 ----A---- C:\Windows\ntbtlog.txt
2009-02-22 07:41:40 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-02-22 07:40:52 ----D---- C:\ProgramData\Adobe
2009-02-22 07:40:47 ----D---- C:\Program Files\Adobe
2009-02-22 07:37:38 ----D---- C:\ProgramData\NOS
2009-02-22 07:37:35 ----D---- C:\Program Files\NOS
2009-02-18 21:45:57 ----D---- C:\Program Files\Amazon
2009-01-30 18:18:32 ----D---- C:\Program Files\MSXML 4.0

======List of files/folders modified in the last 1 months======

2009-02-28 14:04:23 ----D---- C:\Windows\Temp
2009-02-28 13:50:57 ----D---- C:\Windows\System32
2009-02-28 13:50:57 ----D---- C:\Windows\inf
2009-02-28 13:50:57 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-02-26 22:12:31 ----D---- C:\Windows\system32\LogFiles
2009-02-26 14:28:12 ----SD---- C:\Users\minime\AppData\Roaming\Microsoft
2009-02-25 12:41:42 ----D---- C:\Windows
2009-02-25 12:40:23 ----RD---- C:\Program Files
2009-02-25 11:50:17 ----D---- C:\Windows\system32\drivers
2009-02-24 19:11:13 ----D---- C:\ProgramData\Spybot - Search & Destroy
2009-02-24 18:48:41 ----HD---- C:\ProgramData
2009-02-24 17:09:41 ----D---- C:\Windows\system32\catroot2
2009-02-23 20:08:52 ----D---- C:\Windows\Microsoft.NET
2009-02-23 20:08:46 ----RSD---- C:\Windows\assembly
2009-02-23 18:50:29 ----D---- C:\Windows\rescache
2009-02-23 18:46:40 ----D---- C:\Windows\winsxs
2009-02-23 18:36:07 ----D---- C:\Windows\system32\catroot
2009-02-23 18:33:12 ----D---- C:\Program Files\Windows Mail
2009-02-23 18:32:59 ----D---- C:\Windows\system32\XPSViewer
2009-02-23 18:32:58 ----D---- C:\Windows\system32\wbem
2009-02-23 18:32:58 ----D---- C:\Windows\system32\en-US
2009-02-23 18:31:01 ----SHD---- C:\System Volume Information
2009-02-23 18:29:35 ----SHD---- C:\Windows\Installer
2009-02-23 10:09:34 ----D---- C:\Windows\ehome
2009-02-22 15:52:47 ----D---- C:\Windows\Prefetch
2009-02-22 14:25:12 ----D---- C:\Windows\system32\config
2009-02-22 14:23:48 ----RSD---- C:\Windows\Media
2009-02-22 14:23:48 ----D---- C:\Windows\system32\migration
2009-02-22 14:23:48 ----D---- C:\Program Files\Windows Media Player
2009-02-22 14:23:48 ----D---- C:\Program Files\Windows Defender
2009-02-22 14:23:48 ----D---- C:\Program Files\Internet Explorer
2009-02-22 14:23:44 ----D---- C:\Windows\Tasks
2009-02-22 14:23:44 ----D---- C:\Windows\system32\spool
2009-02-22 14:23:44 ----D---- C:\Windows\system32\Msdtc
2009-02-22 14:23:44 ----D---- C:\Windows\system32\CodeIntegrity
2009-02-22 14:23:39 ----D---- C:\Users\minime\AppData\Roaming\Anonymizer
2009-02-22 14:23:37 ----RD---- C:\Users
2009-02-22 14:23:37 ----HD---- C:\ProgramData\{773E7240-B347-4DFF-A6EF-6E829EDD59DF}
2009-02-22 14:23:37 ----HD---- C:\Program Files\InstallShield Installation Information
2009-02-22 14:23:37 ----D---- C:\Program Files\Samsung
2009-02-22 14:23:36 ----D---- C:\Program Files\Anonymizer
2009-02-22 14:23:21 ----D---- C:\Windows\registration
2009-02-22 13:03:12 ----SD---- C:\Windows\Downloaded Program Files
2009-02-22 07:41:40 ----D---- C:\Program Files\Common Files
2009-02-22 07:40:56 ----D---- C:\Program Files\Common Files\Adobe
2009-02-18 22:26:45 ----SHD---- C:\$Recycle.Bin
2009-02-12 04:56:17 ----A---- C:\Windows\system32\mrt.exe
2009-01-30 18:30:58 ----D---- C:\Windows\system
2009-01-30 10:26:25 ----D---- C:\Windows\system32\Samsung_USB_Drivers

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-21 14208]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2008-10-13 2176856]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter; C:\Windows\system32\DRIVERS\RTL8187B.sys [2008-06-26 337920]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver; C:\Windows\system32\DRIVERS\SiSGB6.sys [2008-03-03 48128]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-21 83328]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-21 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 hidshim;Service for HID-KMDF Shim layer; C:\Windows\system32\drivers\hidshim.sys [2007-07-11 5632]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-21 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-21 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-21 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-21 6016]
S3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2006-11-02 44544]
S3 smserial;smserial; C:\Windows\system32\DRIVERS\smserial.sys [2006-11-02 1010560]
S4 EMSCR;EMSCR; C:\Windows\system32\drivers\ems7sk.sys [2007-01-31 67584]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-21 6656]
S4 ESDCR;ESDCR; C:\Windows\system32\drivers\esd7sk.sys [2007-01-31 46592]
S4 ESMCR;ESMCR; C:\Windows\system32\drivers\esm7sk.sys [2007-01-31 61952]
S4 iaNvStor;Intel(R) Turbo Memory Controller; C:\Windows\system32\drivers\ianvstor.sys [2008-05-08 226328]
S4 iaStor;Intel AHCI Controller; C:\Windows\system32\drivers\iastor.sys [2007-02-12 277784]
S4 ioatdma;Intel(R) QuickData Technology Device; C:\Windows\system32\drivers\ioatdma.sys [2008-01-18 36480]
S4 JRAID;JRAID; C:\Windows\system32\drivers\jraid.sys [2007-08-30 43008]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-21 386616]
S4 MTsensor;ATK0100 ACPI UTILITY; C:\Windows\system32\drivers\atkacpi.sys [2006-12-14 7680]
S4 nvrd32;NVIDIA nForce RAID Driver; C:\Windows\system32\drivers\nvrd32.sys [2007-09-11 123424]
S4 nvsmu;nvsmu; C:\Windows\system32\drivers\nvsmu.sys [2007-07-07 12032]
S4 nvstor32;nvstor32; C:\Windows\system32\drivers\nvstor32.sys [2007-09-11 114208]
S4 O2MDRDR;O2MDRDR; C:\Windows\system32\drivers\o2media.sys [2005-11-14 34176]
S4 O2SDRDR;O2SDRDR; C:\Windows\system32\drivers\o2sd.sys [2005-12-19 28800]
S4 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2008-01-21 88576]
S4 SI3132;SiI-3132 SATALink Controller; C:\Windows\system32\drivers\si3132.sys [2007-05-24 74800]
S4 Si3531;SiI-3531 SATA Controller; C:\Windows\system32\drivers\si3531.sys [2007-01-30 210224]
S4 wbondir;Winbond CIR Transceiver; C:\Windows\system32\drivers\wbondir.sys [2007-06-24 64000]
S4 winbondcir;Winbond IR Transceiver; C:\Windows\system32\drivers\winbondcir.sys [2007-03-28 43008]
S4 winbondhidcir;Winbond HID CIR Receiver; C:\Windows\system32\drivers\winbondhidcir.sys [2007-07-11 21504]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-21 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AnonMgmtSvc;Anonymizer Management Service; C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe [2008-11-17 37560]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2007-01-08 171040]
R2 SBSDWSCService;SBSD Security Center Service; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

-----------------EOF------------------


infotxt

info.txt logfile of random's system information tool 1.05 2009-02-28 14:04:31

======Uninstall list======

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Anonymizer Software-->"C:\ProgramData\{773E7240-B347-4DFF-A6EF-6E829EDD59DF}\Anonymizer_Software.exe" REMOVE=TRUE MODIFY=FALSE
Anonymizer Software-->C:\ProgramData\{773E7240-B347-4DFF-A6EF-6E829EDD59DF}\Anonymizer_Software.exe
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
Feed Viewer for Windows SideShow-->MsiExec.exe /X{E4DA04B6-3EC4-4DFD-A14E-44959EF36D5B}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007-->MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint Remote-->MsiExec.exe /X{21550042-EA9F-4419-A8D7-DF732DCEB76E}
Microsoft Office PowerPoint Viewer 2007 (English)-->MsiExec.exe /X{95120000-00AF-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Suite Activation Assistant-->MsiExec.exe /X{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works-->MsiExec.exe /I{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Realtek High Definition Audio Driver-->C:\Program Files\Realtek\Audio\HDA\RtlUpd.exe -r -m -nrg2709
Samsung PC Studio 3 USB Driver Installer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBA29752-DDD2-4B62-B2E3-9841F92A3E3A}\setup.exe" -l0x9 -removeonly
Samsung Samples Installer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7AC15160-A49B-4A89-B181-D4619C025FFF}\setup.exe" -l0x9 -removeonly
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB958439)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {6491B8AA-D11C-4648-A461-6234B31EB7E2}
Security Update for Microsoft Office Excel 2007 (KB958437)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {648FC016-2D6B-4A16-8D87-404533642F4B}
Security Update for Microsoft Office OneNote 2007 (KB950130)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {F1B2401C-B610-4BF2-AA1C-52C55827A8F4}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office system 2007 (KB956828)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {885E081B-72BD-4E76-8E98-30B4BE468FAC}
Security Update for Microsoft Office Word 2007 (KB956358)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {4551666D-0FD6-4C69-8A81-1C6F2E64517C}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Update for Microsoft Office 2007 Help for Common Features (KB957244)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {C8C72583-C907-4D20-8973-C3858D96BD9E}
Update for Microsoft Office Excel 2007 Help (KB957242)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {51864046-74C8-487B-97CD-6167A4B1DB56}
Update for Microsoft Office OneNote 2007 Help (KB957245)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {7332DE60-DC79-4578-A60A-A5EA0D6E032B}
Update for Microsoft Office PowerPoint 2007 Help (KB957247)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {B20E2C59-EEC5-4102-9E50-5DBB2093C37D}
Update for Microsoft Office Word 2007 Help (KB957252)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {54DF3345-0720-4224-9740-C7E00303F565}
Update for Microsoft Script Editor Help (KB957253)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {F21BF703-548C-47B2-B92A-6876E9566C42}
Update for Office 2007 (KB946691)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant-->MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}

======Security center information======

AS: Spybot - Search and Destroy (disabled) (outdated)
AS: Windows Defender

System event log

Computer Name: MY
Event Code: 7036
Message: The Windows Update service entered the running state.
Record Number: 44774
Source Name: Service Control Manager
Time Written: 20090228134848.000000-000
Event Type: Information
User:

Computer Name: MY
Event Code: 537
Message: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer. TBS could not be started.
Record Number: 44775
Source Name: Microsoft-Windows-TBS
Time Written: 20090228134847.829567-000
Event Type: Information
User: NT AUTHORITY\LOCAL SERVICE

Computer Name: MY
Event Code: 7036
Message: The Windows Media Center Service Launcher service entered the stopped state.
Record Number: 44776
Source Name: Service Control Manager
Time Written: 20090228134850.000000-000
Event Type: Information
User:

Computer Name: MY
Event Code: 7036
Message: The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state.
Record Number: 44777
Source Name: Service Control Manager
Time Written: 20090228140317.000000-000
Event Type: Information
User:

Computer Name: MY
Event Code: 7036
Message: The Application Information service entered the running state.
Record Number: 44778
Source Name: Service Control Manager
Time Written: 20090228140331.000000-000
Event Type: Information
User:

Application event log

Computer Name: MY
Event Code: 1003
Message: The Windows Search Service started.

Record Number: 6383
Source Name: Microsoft-Windows-Search
Time Written: 20090228134650.000000-000
Event Type: Information
User:

Computer Name: MY
Event Code: 1
Message: Certificate Services Client has been started successfully.
Record Number: 6384
Source Name: Microsoft-Windows-CertificateServicesClient
Time Written: 20090228134743.066894-000
Event Type: Information
User: MY\minime

Computer Name: MY
Event Code: 1
Message: Certificate Services Client has been started successfully.
Record Number: 6385
Source Name: Microsoft-Windows-CertificateServicesClient
Time Written: 20090228134744.113769-000
Event Type: Information
User: NT AUTHORITY\SYSTEM

Computer Name: MY
Event Code: 1001
Message: Performance counters for the WmiApRpl (WmiApRpl) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.
Record Number: 6386
Source Name: Microsoft-Windows-LoadPerf
Time Written: 20090228135057.000000-000
Event Type: Information
User:

Computer Name: MY
Event Code: 1000
Message: Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully. The Record Data in the data section contains the new index values assigned to this service.
Record Number: 6387
Source Name: Microsoft-Windows-LoadPerf
Time Written: 20090228135057.000000-000
Event Type: Information
User:

Security event log

Computer Name: MY
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 11945
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090228140429.590308-000
Event Type: Audit Failure
User:

Computer Name: MY
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 11946
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090228140429.637183-000
Event Type: Audit Failure
User:

Computer Name: MY
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 11947
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090228140429.668433-000
Event Type: Audit Failure
User:

Computer Name: MY
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 11948
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090228140429.715308-000
Event Type: Audit Failure
User:

Computer Name: MY
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 11949
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090228140429.746558-000
Event Type: Audit Failure
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"TRACE_FORMAT_SEARCH_PATH"=\\NTREL202.ntdev.corp.microsoft.com\4F18C3A5-CA09-4DBD-B6FC-219FDD4C6BE0\TraceFormat
"DFSTRACINGON"=FALSE
"configsetroot"=%SystemRoot%\ConfigSetRoot

-----------------EOF-----------------
 
There is no obvious sign of infection, please can you describe your problems in a bit more detail.
What Antivirus do you use ?


Please Download GMER to your desktop

Download GMER and extract it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER scan in your reply.



Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
 
Hello!

I've been having problems running GMER. I'll tell you about that in a minute.

First, the initial problems on my notebook, more specifically, were...
* windows would crash and close without warning or...
* it would give a warning saying it had encountered a problem and needed to close or...
* i would loose internet connection and when i try to reconnect, there would be nothing to click on in the start menu. No ie button, no email button, all the microsoft files i clicked on would be empty etc....or/and
* the noise level of the cpu (i think) would be very loud, suggesting i was running something huge but i wasn't.

In answer to your other question, i was using AVG antivirus, but i uninstalled it initially thinking it might be the problem.

GMER - i extracted the files and saved them to my desktop. Open it and it begins to run but only for a few seconds and then stops. The 'show all' box cannot be checked because it is grey not black and won't let me check it. All the boxes above are checked by default (registery, files, system, etc i presume all the things it's going to scan) I start the scan anyway and it stops half way through (after about thirty seconds i'm estimating) and tells me in a pop up window that, it has stopped working and needs to close.

Another pop up tells me to check it has installed correctly and i do, then wondows tells me there is a problem and needs to close i get a black screen with white type and it closes.


Do you still want me to do the kaspersky online scan?
 
Rename GMER.exe to something like ScanMe.exe and try it again.

Run the Kaspersky scan regardless of whether you get GMER running
 
Sorry to take so long, this below is all i get initially when gmer scans automatically

(i did rename it also to ScanMe.exe)

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-03-06 21:22:56
Windows 6.0.6001 Service Pack 1


---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.14 ----


When i try the 'show all' scan, it cuts out when it gets to the same file.....harddisc/shadow1.... blah something, it blue screens before i can get a decent read of it.

Just about to do the Kasp scan now.
 
Download and Run ComboFix
----------------------------------------------------------------------------------------

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

CF_download_FF.gif



CF_download_rename.gif

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
 
ComboFix 09-03-06.01 - minime 2009-03-07 12:16:58.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1916.1163 [GMT 0:00]
Running from: c:\users\minime\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-07 to 2009-03-07 )))))))))))))))))))))))))))))))
.

2009-03-06 21:59 . 2009-03-06 21:59 410,984 --a------ c:\windows\System32\deploytk.dll
2009-03-03 16:22 . 2009-03-06 21:32 198,721,577 --a------ c:\windows\MEMORY.DMP
2009-03-03 16:15 . 2009-03-06 21:21 250 --a------ c:\windows\gmer.ini
2009-02-28 14:04 . 2009-02-28 14:04 <DIR> d-------- C:\rsit
2009-02-25 12:09 . 2009-02-25 12:09 <DIR> d-------- c:\program files\Trend Micro
2009-02-25 12:03 . 2009-02-25 12:03 <DIR> d-------- c:\users\minime\AppData\Roaming\Template
2009-02-25 12:03 . 2009-03-04 14:52 92 --a------ c:\users\minime\AppData\Roaming\wklnhst.dat
2009-02-24 18:58 . 2009-02-24 18:58 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-23 18:23 . 2008-06-20 01:14 781,344 --a------ c:\windows\System32\PresentationNative_v0300.dll
2009-02-23 18:23 . 2008-06-20 01:14 622,080 --a------ c:\windows\System32\icardagt.exe
2009-02-23 18:23 . 2008-06-20 01:14 326,160 --a------ c:\windows\System32\PresentationHost.exe
2009-02-23 18:23 . 2008-06-20 01:14 105,016 --a------ c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
2009-02-23 18:23 . 2008-06-20 01:14 97,800 --a------ c:\windows\System32\infocardapi.dll
2009-02-23 18:23 . 2008-06-20 01:14 43,544 --a------ c:\windows\System32\PresentationHostProxy.dll
2009-02-23 18:23 . 2008-06-20 01:14 37,384 --a------ c:\windows\System32\infocardcpl.cpl
2009-02-23 18:23 . 2008-06-20 01:14 11,264 --a------ c:\windows\System32\icardres.dll
2009-02-23 18:15 . 2008-07-27 18:03 282,112 --a------ c:\windows\System32\mscoree.dll
2009-02-23 18:15 . 2008-07-27 18:03 158,720 --a------ c:\windows\System32\mscorier.dll
2009-02-23 18:15 . 2008-07-27 18:03 96,760 --a------ c:\windows\System32\dfshim.dll
2009-02-23 18:15 . 2008-07-27 18:03 83,968 --a------ c:\windows\System32\mscories.dll
2009-02-23 18:15 . 2008-07-27 18:03 41,984 --a------ c:\windows\System32\netfxperf.dll
2009-02-23 10:36 . 2009-01-15 03:36 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2009-02-23 10:36 . 2009-01-15 06:11 827,392 --a------ c:\windows\System32\wininet.dll
2009-02-22 19:29 . 2008-12-05 04:32 428,544 --a------ c:\windows\System32\EncDec.dll
2009-02-22 19:29 . 2008-12-05 04:32 293,376 --a------ c:\windows\System32\psisdecd.dll
2009-02-22 19:29 . 2008-12-05 04:31 217,088 --a------ c:\windows\System32\psisrndr.ax
2009-02-22 19:29 . 2008-12-05 04:31 177,664 --a------ c:\windows\System32\mpg2splt.ax
2009-02-22 19:29 . 2008-12-05 04:31 80,896 --a------ c:\windows\System32\MSNP.ax
2009-02-22 07:41 . 2009-02-22 07:41 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-02-22 07:40 . 2009-02-22 07:41 <DIR> d-------- c:\users\All Users\Adobe
2009-02-22 07:37 . 2009-02-22 13:03 <DIR> d-------- c:\users\All Users\NOS
2009-02-22 07:37 . 2009-02-22 13:03 <DIR> d-------- c:\programdata\NOS
2009-02-22 07:37 . 2009-02-22 13:03 <DIR> d-------- c:\program files\NOS
2009-02-18 22:26 . 2009-02-18 22:26 <DIR> d-------- c:\users\wilson\Searches
2009-02-18 22:26 . 2009-02-20 19:45 <DIR> d-------- c:\users\wilson\Music
2009-02-18 22:26 . 2009-02-22 07:36 <DIR> d-------- c:\users\wilson\Downloads
2009-02-18 22:26 . 2009-02-20 20:20 <DIR> d-------- c:\users\wilson\Documents
2009-02-18 22:26 . 2009-02-18 22:26 <DIR> d-------- c:\users\wilson\Contacts
2009-02-18 22:26 . 2006-11-02 12:37 <DIR> d-------- c:\users\wilson\AppData\Roaming\Media Center Programs
2009-02-18 22:26 . 2009-02-18 22:26 <DIR> d-------- c:\users\wilson\AppData
2009-02-18 22:26 . 2009-02-22 14:25 <DIR> d-------- c:\users\wilson
2009-02-18 21:45 . 2009-02-18 21:45 <DIR> d-------- c:\program files\Amazon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-02 17:36 --------- d-----w c:\programdata\Microsoft Help
2009-02-24 19:11 --------- d-----w c:\programdata\Spybot - Search & Destroy
2009-02-23 18:33 --------- d-----w c:\program files\Windows Mail
2009-02-22 14:23 --------- d--h--w c:\programdata\{773E7240-B347-4DFF-A6EF-6E829EDD59DF}
2009-02-22 14:23 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-22 14:23 --------- d-----w c:\users\minime\AppData\Roaming\Anonymizer
2009-02-22 14:23 --------- d-----w c:\program files\Windows Defender
2009-02-22 14:23 --------- d-----w c:\program files\Samsung
2009-02-22 07:40 --------- d-----w c:\program files\Common Files\Adobe
2009-01-30 18:18 --------- d-----w c:\program files\MSXML 4.0
2009-01-25 21:25 --------- d-----w c:\program files\Microsoft Silverlight
2009-01-19 17:00 --------- d-----w c:\programdata\Anonymizer
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2008-10-13 6335008]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-08 68640]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]

c:\users\minime\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FE4CEBF3-10E9-4F58-B584-3F1A37625EA3}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D7B0F18F-D53E-4BCC-BB78-BF7E31440EC4}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{FC84EFFE-4F13-45DB-9B44-6D06353EEC28}"= c:\program files\CyberLink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"{E3740D22-271D-4210-AD60-C36860C05263}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{7A2990CE-D1CC-4F8F-AEA6-AF6D009118E7}c:\\program files\\anonymizer\\anonymizer software\\common\\anonproxy.exe"= UDP:c:\program files\anonymizer\anonymizer software\common\anonproxy.exe:AnonProxy
"UDP Query User{075928D3-743A-4489-9A56-27BAE6925DA6}c:\\program files\\anonymizer\\anonymizer software\\common\\anonproxy.exe"= TCP:c:\program files\anonymizer\anonymizer software\common\anonproxy.exe:AnonProxy

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-02-24 1153368]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\System32\drivers\RTL8187B.sys [2008-11-06 337920]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\System32\drivers\SiSGB6.sys [2008-11-06 48128]
S2 AnonMgmtSvc;Anonymizer Management Service;"c:\program files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe" --> c:\program files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe [?]
S3 hidshim;Service for HID-KMDF Shim layer;c:\windows\System32\drivers\hidshim.sys [2008-11-06 5632]
S4 iaNvStor;Intel(R) Turbo Memory Controller;c:\windows\System32\drivers\iaNvStor.sys [2008-11-06 226328]
S4 ioatdma;Intel(R) QuickData Technology Device;c:\windows\System32\drivers\ioatdma.sys [2008-11-06 36480]
S4 O2MDRDR;O2MDRDR;c:\windows\System32\drivers\o2media.sys [2008-11-06 34176]
S4 O2SDRDR;O2SDRDR;c:\windows\System32\drivers\o2sd.sys [2008-11-06 28800]
S4 Si3531;SiI-3531 SATA Controller;c:\windows\System32\drivers\Si3531.sys [2008-11-06 210224]
S4 wbondir;Winbond CIR Transceiver;c:\windows\System32\drivers\wbondir.sys [2008-11-06 64000]
S4 winbondcir;Winbond IR Transceiver;c:\windows\System32\drivers\winbondcir.sys [2008-11-06 43008]
S4 winbondhidcir;Winbond HID CIR Receiver;c:\windows\System32\drivers\winbondhidcir.sys [2008-11-06 21504]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Anonymizer - c:\program files\Anonymizer\Anonymizer Software\Anonymizer.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-07 12:18:31
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-07 12:20:15
ComboFix-quarantined-files.txt 2009-03-07 12:20:12

Pre-Run: 108,345,147,392 bytes free
Post-Run: 109,341,425,664 bytes free

127 --- E O F --- 2009-02-23 18:31:10
 
Hijack this flashes me a window which says.... "For some reason your system denied write access to the hosts file....

notepadC:\Windows\System32\drivers\etc\hosts

I don't know if that is relavent but i thought i'd mention it

Here's the log...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:04:29, on 28/02/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Users\minime\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\minime.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Anonymizer] C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe -nogui
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O23 - Service: Anonymizer Management Service (AnonMgmtSvc) - Anonymizer - C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 4435 bytes
 
Dianne said:
Hijack this flashes me a window which says.... "For some reason your system denied write access to the hosts file....
Click to expand...
That is normal for Vista. It is due to the UAC being active.

There is still no sign of any infection, are the problems still happening ?
Did you do the Kaspersky scan ? .... if not please can you run it now.
 
The last time i had any system probelms was when GMER stopped scanning half way through and it blue screened.

Other than that, since you've been inverstigating, it has not happened, no.

Do you think it is possible the 'system restore' i did before i posted initially sorted the problem?
 
Do you think it is possible the 'system restore' i did before i posted initially sorted the problem?
Click to expand...
It's very possible.


Congratulations your logs look clean :)

Let's see if I can help you keep it that way

First lets tidy up

Please delete RSIT.exe and C:\RSIT (entire folder)
You can also delete any logs we have produced, and empty your Recycle bin.


Uninstall Combofix
  • This will clear your System Volume Information restore points and remove all the infected files that were quarantined
  • Click START, type RUN into the search box, then click Enter
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
    • CF_Cleanup.png



----------------------------------------------------------- -----------------------------------------------------------

The following is some info to help you stay safe and clean.


You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware

  • AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have a free (for Home Users ) and paid versions,
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
  • MalwareBytes Anti-malware <<< A New and effective program
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

  • These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 4.0
    • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections

Internet Browsers

  • Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    If you are still using IE6 then either update, or get one of the following.
    • FireFox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

  • Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can chose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
 
I unistalled ComboFix as shown

Spybot went a bit mental with a gazzillion windows popping up asking me to allow or deny goodness knows what changes. I did my best to navigate through them.

Thank you for the advice on anti-virus/spy info and online scanners etc. I will go do that right now and update anything that needs it.

Really appreciate you assistance K
 
You must log in or register to reply here.
Back
Top