TechSpot

[Closed] The file avgcmgr.exe is infected.

By tina97
Nov 30, 2010
  1. Please help. I had the ThinkPoint virus, which I managed to get rid of by renaming the hotfix.exe file to hotfix1.exe. I've been running Malwarebytes for a week now, followed by RegTweak and also free AVG 8 every day, but today I have been getting these warnings all day (*see below) and am unable to open anything, as the warning won't let me; it pops up even for Control Panel. I have managed to download & rename & run HijackThis, but the virus won't let me open Notepad, so I can't copy & paste the log here; I can only attach it to this message. I'm really worried I will lose all my files if I reboot, so I am sat here not knowing what to do next. Any help would be very much appreciated, thank you.

    "Security Warning: Application cannot be executed. The file avgcmgr.exe is infected. Do you want to activate your antivirus software now"

     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    This is where you need to start for Think Point. You also need to run Malwarebytes as soon as possible. If necessary, download Mbam to a flash drive, then install it on the problem computer.

    ThinkPoint is a rogue anti-spyware program that comes bundled with the fake Microsoft Security Essentials Alert. It will block Task Manager, Registry Editor and other tools too, claiming that these tools were blocked for security reasons and might be infected with malicious code.

    The malware authors try to mimic legitimate programs in looks and in what the action will be; that's why so many users get drawn into these programs. The main entry we see is hotfix.exe, so we will stop it:

    1. Boot into Safe Mode
      • Restart your computer and start pressing the F8 key on your keyboard.
      • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    2. End Task
      Click on Start> Run> type in taskmgr> OK.
      Double click on the frame at the top of the Processes column to sort
      Find hotfix.exe and click to Highlight
      Click on End Task
    3. Unhide
      Click on Start> Search> All Files and Folders
      Go up to Tools> Folder Options
      Click on the View tab
      Check 'Show hidden files and folders'
      Uncheck 'Hide protected operating system files (Recommended)'
      Click on OK> Apply> OK
    4. Search
      Go to Search> 'all or part of the name'
      Type in hotfix.exe
      (It should be found in this folder: C:\Documents and Settings\User\Application Data\hotfix.exe)
      Do a right click> Delete on the file
    5. Rehide the files and folders.
    Close
    ===============================================
    Reboot the computer back into Normal Mode
    ==============================================
    There are Registry entries to remove as well and they can be done within another program. Let me know how far you get on the above. Some entries can be stopped using HijackThis. Please check and see if you can reopen HJT to 'do system scan only.' If you can, I'll give you a list of entries to remove.

    Note: avgcmgr.exe is a legitimate file used by AVG.
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    There is a lot of content in HJT that needs to be stopped. Most are malware. Some are auto-updaters or processes that start on boot and are running in the background but don't need to run unless you are actively using the program at that time:

    Please reopen HijackThis to 'do system scan only.' Check the following entries if present: The optional removals are coded in Green. They do not have to be stopped, but it is recommended to stop them while we are cleaning. None need to start on boot and run in the background. This will not uninstall or remove the program or process. All entries in BOLD Black must be checked for removal. Note: Do not click on FixAll until all of the entries to be removed have been checked:

    C:\WINDOWS\System32\mshta.exe
    C:\WINDOWS\System32\mshta.exe
    C:\WINDOWS\System32\mshta.exe
    C:\WINDOWS\TEMP\qfpuvuuas\tetghnmtsbl.exe
    C:\Documents and Settings\Santina Crolla.BENS\My Documents\iexplore.exe
    R3 - URLSearchHook: (no name) - {c2db4fe6-8409-45ce-8010-189a7b5cce86} - (no file)
    O2 - BHO: SuggestMeYesBHO - {0FB6A909-6086-458F-BD92-1F8EE10042A0} - C:\Program Files\AutocompletePro\AutocompletePro.dll
    O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
    O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.freeworldgroup.com/games/santaballs/index.html"
    O4 - Global Startup: Launcher.lnk = ?

    -------------------------------------------------
    SMARTAP.EXE has been seen to perform the following behavior:
    • Found on infected systems and resists interrogation by security products
    • Uses low level functions to hide itself from the user and from system/security processes
    • The Process is polymorphic and can change its structure
    C:\Program Files\Macpower & Tytech Technology\SmartAP\SmartHDD.exe
    C:\Program Files\Macpower & Tytech Technology\SmartAP\SmartAP.exe

    -------------------------------------------------
    The following are all recording related. They are not malware, but I recommend you stop them from running in the background
    C:\WINDOWS\system32\bgsvcgen.exe
    O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - SOURCENEXT - C:\WINDOWS\system32\bgsvcgen.exe

    ------------------------------------------------
    The following are all related to Cyberlink
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
    C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
    O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"
    O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
    O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
    O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
    O4 - HKLM\..\Run: [UpdatePPShortCut] "C:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerProducer" UpdateWithCreateOnce "Software\CyberLink\PowerProducer\5.0"
    O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
    O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
    O4 - HKLM\..\Run: [UpdatePDRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\8.0"
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

    -----------------------------------------------
    The SmartDrive / humyo.com Ltd. entries are for an online backup service. I do not recommend that you use it while the system is infected.
    C:\Program Files\Free Virtual Drive SmartDrive\HrfsClient.exe
    C:\Program Files\Free Virtual Drive SmartDrive\hrfscore.exe
    O2 - BHO: IEHelperObject - {4DC16316-5372-4476-9CA5-88B2786B838F} - C:\Program Files\Free Virtual Drive SmartDrive\HrfsDownloader.dll
    O4 - Global Startup: Free Virtual Drive SmartDrive.lnk = C:\Program Files\Free Virtual Drive SmartDrive\HrfsClient.exe
    O4 - Global Startup: Free Virtual Drive.lnk = C:\Program Files\Free Virtual Drive SmartDrive\HrfsClient.exe
    O23 - Service: humyo.com - humyo.com Ltd. - C:\Program Files\Free Virtual Drive SmartDrive\hrfscore.exe

    ----------------------------------------------
    These are a part of the Nero program and additional backup service:
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe


    When finished with all checking, close all Windows except HijackThis and click on "Fix Checked".
    Reboot the computer.
    See if you can now do any of the functions that you could not do previously.

    NOTE: mshta.exe is an Adult Content Dialer. You have 3 entries.
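The triage Bobbye does by eye above (renamed tools and malware in user-writable directories, script hosts in the process list, orphaned hooks, autostarts pointing into the user profile) can be written down as rules and run over an HJT log. The script below is an added example for this thread; it is not part of the original posts and not HijackThis's own code. Its rule set, function names and the sample log are the editor's own constructions: the sample lines are modelled on the logs posted in the thread, and the O4 hotfix.exe line is a reconstruction of what the ThinkPoint autostart would look like (the thread gives the file's path but no log line for it). One caveat worth stating plainly: mshta.exe in System32 is Microsoft's HTML Application host, a signed Windows component. The rule flags it not because the binary is malicious but because a script host in the process list means something handed it a script, and that launcher is what has to be found and removed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Signed Windows binaries that are normal in %SystemRoot%\System32 but exist
# to run script handed to them (mshta.exe runs .hta files). Seeing one in
# the process list points at the launcher; it is not proof the binary is bad.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe"}

# Lower-case prefixes of directories a non-admin XP user can write to.
# Malware installed without admin rights (the thread's hotfix.exe) lives here.
USER_WRITABLE = ("c:\\documents and settings\\", "c:\\windows\\temp\\")

# Where well-known executable names live on 32-bit Windows XP. A copy anywhere
# else is renamed malware or a renamed tool (HijackThis run as iexplore.exe
# in this thread); either way a human has to look at it.
EXPECTED_DIR = {
    "iexplore.exe": "c:\\program files\\internet explorer\\",
    "explorer.exe": "c:\\windows\\",
    "smss.exe": "c:\\windows\\system32\\",
    "winlogon.exe": "c:\\windows\\system32\\",
    "svchost.exe": "c:\\windows\\system32\\",
}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high": remove or investigate; "review": confirm first
    line: str      # the offending log line, verbatim
    reason: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _touches_user_writable(text: str) -> bool:
    low = text.lower()
    return any(prefix in low for prefix in USER_WRITABLE)


def check_process(path: str) -> list[Finding]:
    """Rules for one line of the 'Running processes:' section."""
    found: list[Finding] = []
    name = _basename(path)
    if name in SCRIPT_HOSTS:
        found.append(Finding("high", path,
                             f"{name} is a script host; find the script or autostart that launched it"))
    if name in EXPECTED_DIR and not path.lower().startswith(EXPECTED_DIR[name]):
        found.append(Finding("high", path, f"{name} normally lives in {EXPECTED_DIR[name]}"))
    elif _touches_user_writable(path):
        found.append(Finding("high", path, "executable running from a user-writable directory"))
    return found


def check_entry(line: str) -> list[Finding]:
    """Rules for one Rn/On entry (BHOs, Run keys, Winlogon hooks, services)."""
    found: list[Finding] = []
    if "(no file)" in line or "(file missing)" in line:
        found.append(Finding("review", line, "orphaned entry: its target no longer exists"))
    if line.startswith(("O2 ", "O3 ", "O4 ", "O20 ", "O23 ")) and _touches_user_writable(line):
        found.append(Finding("high", line, "autostart or hook pointing into a user-writable directory"))
    if line.startswith("O16 ") and "http://" in line.lower():
        found.append(Finding("review", line, "ActiveX control installed over plain HTTP"))
    return found


def triage(log_text: str) -> list[Finding]:
    """Walk an HJT log: the process list first, then every Rn/On entry."""
    findings: list[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False
        elif in_processes:
            findings.extend(check_process(line))
        elif re.match(r"[RO]\d+ - ", line):
            findings.extend(check_entry(line))
    return findings


# Constructed sample, modelled on the logs posted in this thread. The O4
# hotfix.exe line is a reconstruction of the ThinkPoint autostart.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\My Documents\iexplore.exe
C:\WINDOWS\TEMP\qfpuvuuas\tetghnmtsbl.exe
C:\WINDOWS\System32\mshta.exe

R3 - URLSearchHook: (no name) - {c2db4fe6-8409-45ce-8010-189a7b5cce86} - (no file)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [hotfix] C:\Documents and Settings\User\Application Data\hotfix.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

On the sample, the high-severity hits are the My Documents copy of iexplore.exe (renamed HijackThis here, but the rule cannot know that), the executable under WINDOWS\TEMP, mshta.exe, and the hotfix.exe Run key; the AVG entries, including the orphaned avgrsstx.dll Winlogon hook, come back as review-only. That split is the point: "high" items get removed or chased to their launcher, "review" items get confirmed against the installed software before anything is deleted.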
     
  4. tina97

    tina97 TS Rookie Topic Starter

    Thanks Bobbye, sorry it took me a while, but while you sent your reply I was running Malwarebytes & then AVG in safe mode & it took hours; they both found a trojan, I repaired one in Malwarebytes and AVG sent one to the virus vault. I renamed hotfix & deleted it 2 weeks ago and haven't found the file in Docs & Settings/Users/Application Data since then; however, I did follow the instructions again in safe mode & did not find hotfix.exe, but realised that I didn't re-hide the files & folders, so I did put a check in the box for that. I then rebooted in normal mode & re-ran HijackThis. I clicked fix/delete on most of the files you listed in HJT except I could not find the Windows/mshta.exe files, so I assume they were deleted by either AVG or Malwarebytes when I ran them in safe mode. I'm able to use most functions now & the PC is running much faster, but I am still unable to get IE running while the Windows Firewall is on; I am using Firefox at the moment, so I'm hoping the next step with the registry will help get IE back. I have Reg Tweaker, which I paid for & have been using for the past week; should I run that now or have you anything better? Below is my new HJT log... I know it's late, just reply when you can. Thanks again for your help, you're a star ;-) Kindest regards, Tina97

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 00:48:09, on 01/12/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17091)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\bgsvcgen.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\Adobe Media Player\Adobe Media Player.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Documents and Settings\Santina Crolla.BENS\My Documents\iexplore.exe
    C:\WINDOWS\System32\mshta.exe

    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
    O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG8\Toolbar\ToolbarBroker.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - SOURCENEXT - C:\WINDOWS\system32\bgsvcgen.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

    --
    End of file - 8917 bytes
     
  5. tina97

    tina97 TS Rookie Topic Starter

    I just spotted that porn file Windows/System32/mshta.exe in this log... oh dear, I will have to look again & re-send the new HJT log. The 'My Documents/iexplore.exe' is HijackThis, which I had to rename when the virus wouldn't let me access the file, so I will re-download that under its correct name before I do anything and then fix/delete those two files.
     
  6. tina97

    tina97 TS Rookie Topic Starter

    I've noticed a couple of files I fixed/deleted from the first scan have re-appeared. Also, some of the files are hidden in the scan results (*see jpg image attached) but show in the log files; can I manually delete the hidden file Windows\system32\mshta.exe? I'm not sure how to get rid of it... so I will wait for your reply. New HijackThis log below, kindest regards Tina97

    (attached screenshot: HJT scan.jpg)

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 03:12:28, on 01/12/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17091)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\bgsvcgen.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\Adobe Media Player\Adobe Media Player.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\WINDOWS\System32\mshta.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\System32\mshta.exe
    C:\Documents and Settings\Santina Crolla.BENS\My Documents\Downloads\HijackThis.exe

    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
    O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG8\Toolbar\ToolbarBroker.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - SOURCENEXT - C:\WINDOWS\system32\bgsvcgen.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

    --
    End of file - 9011 bytes
     
  7. tina97

    tina97 TS Rookie Topic Starter

    I've removed this post so not to misguide other posters
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Tina, you should not give 'your fix' to others. While it might have worked for you and while the other person may have the same or similar problem, it would be best if you let the helpers handle the guidance.
    1. About hotfix.exe> if you renamed the file but search for the original name, you won't find the file.
    2. About AVG: I note you still have v8. Make sure there is still support for that version because AVGv10 and v11 are out now.
    3. About HijackThis: You have left 3 or 4 HJT logs. I asked for one, then gave a list of entries to be checked. We don't use HJT to 'screen' for malware, so I would not have had you continue to scan with it at that point; I opened the log you left to see if any obvious entries needed to be removed.
    4. About removal of entries in the HijackThis log: when I give a list of entries to be checked and removed, it is based on what I see in the HJT log at that time. It is not uncommon to go back to the system scan and not find an entry- that's why the instructions say:
    5. About Registry cleaners: Part of the initial instructions address this, but we haven't gotten there because you keep running HJT. If you want me to help you, you will need to follow my directions, step by step. As for Registry Tweaker, I recommend you uninstall it. Most of us do not recommend using a Registry cleaner. If you do not want to uninstall it, please disable it while I am helping you.
    =======================================
    I would have instructed you as follows:
    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply .
    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
    =============================================
    When you finish with the preliminary scans, you can go ahead with the following:
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    =======================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Please paste all logs in next reply. OK to use more than one post.
     
  9. tina97

    tina97 TS Rookie Topic Starter

    Yeah, sorry about that but I thought you weren't coming back to help. I reinstalled the latest AVG2011, ran a full scan, 1 corrupt file was found and vaulted. I also reinstalled Malwarebytes from that 8 step page & I uninstalled my program RegTweaker. I followed the 8 step instructions & continued on with these instructions on this post up to the point of installing & running Combofix from 'Link2'. The first time I tried to run it I got an AVG popup warning me it was malware & I think it also went to the AVG Virus vault and AVG uninstalled it. I tried turning off AVG and downloading it again, tried to run it again & got another warning saying that AVG needs to be uninstalled off my computer to run Combofix, so I'm stuck at this point not knowing what to do :( Do I need to install the "Microsoft Windows Recovery Console" myself first? If so, how do I do that? Or will Combofix install it for me when I have removed AVG? Thanks again for helping, regards Tina

    Malwarebytes' Anti-Malware 1.46
    DB: 5159

    IE: Internet Explorer 7.0.5730.13
    OS: Windows 5.1.2600 Service Pack 3
    EX: C:\Program Files\Malwarebytes' Anti-Malware\mbam
    DB: C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref

    U: Santina Crolla

    W: C:\WINDOWS

    S: C:\WINDOWS\system32

    RD: C:

    PF: C:\Program Files

    CF: C:\Program Files\Common Files

    DAS: C:\Documents and Settings

    D: C:\Documents and Settings\All Users.WINDOWS\Desktop
    D: C:\Documents and Settings\All Users\Desktop
    D: C:\Documents and Settings\Default User.WINDOWS\Desktop
    D: C:\Documents and Settings\Default User\Desktop
    D: C:\Documents and Settings\LogMeInRemoteUser.TINA\Desktop
    D: C:\Documents and Settings\LogMeInRemoteUser\Desktop
    D: C:\Documents and Settings\Santina Crolla.BENS\Desktop
    D: C:\Documents and Settings\Santina Crolla\Desktop
    D: C:\WINDOWS\system32\config\systemprofile\Desktop

    SM: C:\Documents and Settings\All Users.WINDOWS\Start Menu
    SM: C:\Documents and Settings\All Users\Start Menu
    SM: C:\Documents and Settings\Default User.WINDOWS\Start Menu
    SM: C:\Documents and Settings\Default User\Start Menu
    SM: C:\Documents and Settings\LocalService.NT AUTHORITY\Start Menu
    SM: C:\Documents and Settings\LogMeInRemoteUser.TINA\Start Menu
    SM: C:\Documents and Settings\LogMeInRemoteUser\Start Menu
    SM: C:\Documents and Settings\Santina Crolla.BENS\Start Menu
    SM: C:\Documents and Settings\Santina Crolla\Start Menu
    SM: C:\WINDOWS\system32\config\systemprofile\Start Menu

    UR: C:\Documents and Settings\All Users
    UR: C:\Documents and Settings\All Users.WINDOWS
    UR: C:\Documents and Settings\Default User
    UR: C:\Documents and Settings\Default User.WINDOWS
    UR: C:\Documents and Settings\LocalService
    UR: C:\Documents and Settings\LocalService.NT AUTHORITY
    UR: C:\Documents and Settings\LogMeInRemoteUser
    UR: C:\Documents and Settings\LogMeInRemoteUser.TINA
    UR: C:\Documents and Settings\NetworkService
    UR: C:\Documents and Settings\NetworkService.NT AUTHORITY
    UR: C:\Documents and Settings\SANTIN~1~BEN
    UR: C:\Documents and Settings\Santina Crolla
    UR: C:\Documents and Settings\Santina Crolla.BENS
    UR: C:\WINDOWS\system32\config\systemprofile

    F: C:\Documents and Settings\All Users.WINDOWS\Favorites
    F: C:\Documents and Settings\All Users\Favorites
    F: C:\Documents and Settings\Default User.WINDOWS\Favorites
    F: C:\Documents and Settings\Default User\Favorites
    F: C:\Documents and Settings\LogMeInRemoteUser.TINA\Favorites
    F: C:\Documents and Settings\LogMeInRemoteUser\Favorites
    F: C:\Documents and Settings\NetworkService.NT AUTHORITY\Favorites
    F: C:\Documents and Settings\Santina Crolla.BENS\Favorites
    F: C:\Documents and Settings\Santina Crolla\Favorites
    F: C:\WINDOWS\system32\config\systemprofile\Favorites

    AD: C:\Documents and Settings\All Users.WINDOWS\Application Data
    AD: C:\Documents and Settings\Santina Crolla.BENS\Application Data
    AD: C:\Documents and Settings\All Users\Application Data
    AD: C:\Documents and Settings\Default User.WINDOWS\Application Data
    AD: C:\Documents and Settings\Default User\Application Data
    AD: C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data
    AD: C:\Documents and Settings\LocalService\Application Data
    AD: C:\Documents and Settings\LogMeInRemoteUser.TINA\Application Data
    AD: C:\Documents and Settings\LogMeInRemoteUser\Application Data
    AD: C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data
    AD: C:\Documents and Settings\NetworkService\Application Data
    AD: C:\Documents and Settings\Santina Crolla\Application Data
    AD: C:\WINDOWS\system32\config\systemprofile\Application Data

    QL: C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\Quick Launch
    QL: C:\Documents and Settings\Default User.WINDOWS\Application Data\Microsoft\Internet Explorer\Quick Launch
    QL: C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\Quick Launch
    QL: C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Microsoft\Internet Explorer\Quick Launch
    QL: C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Quick Launch
    QL: C:\Documents and Settings\LogMeInRemoteUser.TINA\Application Data\Microsoft\Internet Explorer\Quick Launch
    QL: C:\Documents and Settings\LogMeInRemoteUser\Application Data\Microsoft\Internet Explorer\Quick Launch
    QL: C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\Microsoft\Internet Explorer\Quick Launch
    QL: C:\Documents and Settings\NetworkService\Application Data\Microsoft\Internet Explorer\Quick Launch
    QL: C:\Documents and Settings\Santina Crolla.BENS\Application Data\Microsoft\Internet Explorer\Quick Launch
    QL: C:\Documents and Settings\Santina Crolla\Application Data\Microsoft\Internet Explorer\Quick Launch

    TF: C:\Documents and Settings\Default User.WINDOWS\Local Settings\Temp
    TF: C:\Documents and Settings\Default User\Local Settings\Temp
    TF: C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temp
    TF: C:\Documents and Settings\LocalService\Local Settings\Temp
    TF: C:\Documents and Settings\LogMeInRemoteUser.TINA\Local Settings\Temp
    TF: C:\Documents and Settings\LogMeInRemoteUser\Local Settings\Temp
    TF: C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temp
    TF: C:\Documents and Settings\NetworkService\Local Settings\Temp
    TF: C:\Documents and Settings\Santina Crolla.BENS\Local Settings\Temp
    TF: C:\Documents and Settings\Santina Crolla\Local Settings\Temp
    TF: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp
    TF: C:\WINDOWS\Temp

    P: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs
    P: C:\Documents and Settings\All Users\Start Menu\Programs
    P: C:\Documents and Settings\Default User.WINDOWS\Start Menu\Programs
    P: C:\Documents and Settings\Default User\Start Menu\Programs
    P: C:\Documents and Settings\LocalService.NT AUTHORITY\Start Menu\Programs
    P: C:\Documents and Settings\LogMeInRemoteUser.TINA\Start Menu\Programs
    P: C:\Documents and Settings\LogMeInRemoteUser\Start Menu\Programs
    P: C:\Documents and Settings\Santina Crolla.BENS\Start Menu\Programs
    P: C:\Documents and Settings\Santina Crolla\Start Menu\Programs
    P: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs

    S: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
    S: C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    S: C:\Documents and Settings\Default User.WINDOWS\Start Menu\Programs\Startup
    S: C:\Documents and Settings\Default User\Start Menu\Programs\Startup
    S: C:\Documents and Settings\LogMeInRemoteUser.TINA\Start Menu\Programs\Startup
    S: C:\Documents and Settings\LogMeInRemoteUser\Start Menu\Programs\Startup
    S: C:\Documents and Settings\Santina Crolla.BENS\Start Menu\Programs\Startup
    S: C:\Documents and Settings\Santina Crolla\Start Menu\Programs\Startup
    S: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup

    D: C:\Documents and Settings\All Users.WINDOWS\Documents
    D: C:\Documents and Settings\All Users\Documents
    D: C:\Documents and Settings\Default User.WINDOWS\My Documents
    D: C:\Documents and Settings\Default User\My Documents
    D: C:\Documents and Settings\LocalService.NT AUTHORITY\My Documents
    D: C:\Documents and Settings\LogMeInRemoteUser.TINA\My Documents
    D: C:\Documents and Settings\LogMeInRemoteUser\My Documents
    D: C:\Documents and Settings\Santina Crolla.BENS\My Documents
    D: C:\Documents and Settings\Santina Crolla\My Documents
    D: C:\WINDOWS\system32\config\systemprofile\My Documents

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-12-03 01:54:22
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST3120026A rev.8.01
    Running: rh2l3y6g.exe; Driver: C:\DOCUME~1\SANTIN~1.BEN\LOCALS~1\Temp\pxtdipoc.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 63: copy of MBR

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 87112292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 87112292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 87112292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 87112292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 87112292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T0L0-17 87112292

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST3120026A______________________________8.01____#4a343054464e514b202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----
     
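    The GMER quick scan above reports `\Driver\atapi -> DriverStartIo ... 87112292` on every IDE device, and the DDS rootkit section in the next post resolves the same kind of hook to `>>UNKNOWN [0x87112446]<<`. The reasoning behind that verdict is simple: a legitimate DriverStartIo or IRP dispatch routine lives inside the image of a loaded kernel module, so a hook whose target address is not covered by any module's load range is executing from memory the module list cannot account for, which is how MBR rootkits of the TDL family stay hidden. The following script, added here as an illustration and not part of the thread, GMER or DDS, parses hook lines in the formats shown in these logs and classifies each target address against a module map. The module map (names, base addresses and sizes) is constructed for the example, as is the fourth, benign sample line; on a real machine the ranges would come from a kernel-module listing taken during the same boot as the scan.

```python
import re
from typing import Optional

# Constructed module map for illustration: (module, base address, size in bytes).
# These are placeholder values, not taken from the thread's logs.
MODULE_MAP = [
    ("ntkrnlpa.exe", 0x804D7000, 0x001F8000),
    ("atapi.sys",    0xF73E1000, 0x00017000),
    ("CLASSPNP.SYS", 0xF74C0000, 0x0000D000),
    ("ACPI.sys",     0xF7330000, 0x0002E000),
]

# Pieces of a GMER hook line: the driver object, the hook kind, and the last
# 8-digit hex token on the line, which is the hook's target address.
DRIVER_RE = re.compile(r"\\Driver\\(\w+)")
KIND_RE = re.compile(r"\b(DriverStartIo|IRP_MJ_[A-Z_]+)\b")
ADDR_RE = re.compile(r"(?:0x)?([0-9A-Fa-f]{8})\s*$")


def parse_hook(line: str):
    """Return (driver, hook kind, target address) for a hook line, else None."""
    d, k, a = DRIVER_RE.search(line), KIND_RE.search(line), ADDR_RE.search(line)
    if not (d and k and a):
        return None
    return d.group(1), k.group(1), int(a.group(1), 16)


def resolve(addr: int, modules=MODULE_MAP) -> Optional[str]:
    """Name of the module whose image range contains addr, or None."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def triage(lines, modules=MODULE_MAP):
    """Classify each hook line.

    'ok'      : the hook target lies inside a known module image.
    'UNKNOWN' : no loaded module covers the target address, the same condition
                the thread's DDS output prints as >>UNKNOWN [...]<<.
    """
    results = []
    for line in lines:
        parsed = parse_hook(line)
        if parsed is None:          # AttachedDevice lines, headers, etc.
            continue
        driver, kind, addr = parsed
        module = resolve(addr, modules)
        results.append({
            "driver": driver,
            "hook": kind,
            "addr": f"0x{addr:08X}",
            "module": module,
            "verdict": "ok" if module else "UNKNOWN",
        })
    return results


# Sample lines: the first three follow the formats in the thread's GMER and DDS
# output; the fourth is a constructed benign hook whose target falls inside the
# constructed atapi.sys range above.
SAMPLE_LINES = [
    r"Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 87112292",
    r"\Driver\atapi[0x87133030] -> IRP_MJ_CREATE -> 0x87112446",
    r"\Driver\atapi DriverStartIo -> 0x87112292",
    r"Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 F73E5A10",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        print(f"{r['verdict']:8} {r['driver']:6} {r['hook']:14} "
              f"{r['addr']} -> {r['module']}")
```

    The design choice worth noting is that the check is only as good as the module map: a rootkit that also filters the module list can make its own range "known", which is why the tools in this thread read the MBR both from user mode and from inside the kernel and compare the two rather than trusting any single view.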
  10. tina97

    tina97 TS Rookie Topic Starter

    DDS (Ver_10-11-27.01) - NTFSx86
    Run by Santina Crolla at 2:15:29.87 on 03/12/2010
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.432 [GMT 0:00]

    AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\rundll32.exe
    svchost.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\WINDOWS\system32\bgsvcgen.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\AVG\AVG10\avgemcx.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\WINDOWS\System32\mshta.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\Santina Crolla.BENS\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.msn.com
    mStart Page = hxxp://www.msn.com
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    mWinlogon: SfcDisable=-99 (0xffffff9d)
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [Mirabilis ICQ] c:\program files\icq\ICQ.exe -minimize
    uRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
    uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
    uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
    mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
    dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    StartupFolder: c:\docume~1\santin~1.ben\startm~1\programs\startup\adobem~1.lnk - c:\program files\adobe media player\Adobe Media Player.exe
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\santin~1.ben\applic~1\mozilla\firefox\profiles\6ue49nb9.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cc680eb&v=6.010.006.004&i=23&tp=ab&iy=&ychte=uk&lng=en-GB&q=
    FF - component: c:\program files\mozilla firefox\extensions\hrfsdownloader@hrfs.com\components\HrfsFirefoxDownloader.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
    FF - Extension: Download to online storage Plugin: hrfsdownloader@hrfs.com - c:\program files\mozilla firefox\extensions\hrfsdownloader@hrfs.com
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Extension: AutocompletePro - Your handy search suggestions tool: support@predictad.com - c:\program files\autocompletepro\support@predictad.com
    FF - Extension: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
    FF - Extension: AVG Security Toolbar em:version=6.010.023.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg10\toolbar\firefox\avg@igeared
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\santin~1.ben\applic~1\mozilla\firefox\profiles\6ue49nb9.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [2007-11-13 71720]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 299984]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
    S0 xvigqv;xvigqv;c:\windows\system32\drivers\jnlycr.sys --> c:\windows\system32\drivers\jnlycr.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-11 135664]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-12-2 517448]
    S3 hrfsmrx;hrfsmrx;c:\windows\system32\drivers\hrfsmrx.sys [2010-1-12 144624]
    S3 SNPP106;PC Camera (6029 CIF);c:\windows\system32\drivers\snpp106.sys [2008-4-6 196096]
    S4 humyo.com;humyo.com;c:\program files\free virtual drive smartdrive\hrfscore.exe [2010-1-12 3186672]

    =============== Created Last 30 ================

    2010-12-03 01:06:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-03 01:06:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-03 01:06:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-02 18:18:27 -------- d--h--w- C:\$AVG
    2010-12-02 17:43:14 -------- d-----w- c:\docume~1\santin~1.ben\applic~1\AVG10
    2010-12-02 17:41:31 -------- d--h--w- c:\docume~1\alluse~1.win\applic~1\Common Files
    2010-12-02 17:41:12 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\AVG Security Toolbar
    2010-12-02 17:39:30 -------- d-----w- c:\windows\system32\drivers\AVG
    2010-12-02 17:39:30 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\AVG10
    2010-12-02 17:26:09 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\MFAData
    2010-11-23 15:16:34 -------- d-----w- c:\program files\RegTweaker
    2010-11-13 23:31:50 -------- d--h--w- c:\windows\system32\GroupPolicy
    2010-11-13 22:52:24 647168 ------w- c:\windows\system32\hasp_windows.dll
    2010-11-13 22:52:24 319488 ------w- c:\windows\system32\pavplal.dll
    2010-11-13 22:52:24 143360 ------w- c:\windows\system32\pavedius5db.dll
    2010-11-13 22:52:24 143360 ------w- c:\windows\system32\pavedius.dll
    2010-11-13 22:52:23 6656 ------w- c:\windows\system32\paveno.dll
    2010-11-13 22:52:23 462848 ------w- c:\windows\system32\pavapi.dll
    2010-11-13 07:21:33 -------- d-----w- c:\docume~1\santin~1.ben\applic~1\Malwarebytes
    2010-11-13 07:21:11 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
    2010-11-13 07:02:27 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\PC Tools
    2010-11-09 22:20:58 299984 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-11-05 07:25:03 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
    2010-11-05 07:25:01 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
    2010-11-05 07:24:59 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
    2010-11-05 07:24:56 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
    2010-11-05 07:15:58 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
    2010-11-05 06:22:50 -------- d-----w- c:\program files\Macpower & Tytech Technology

    ==================== Find3M ====================

    2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-09 13:38:01 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-09-09 13:38:01 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-09 13:38:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-09-09 13:38:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-09-08 15:57:57 389120 ----a-w- c:\windows\system32\html.iec
    2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST3120026A rev.8.01 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x87112446]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x87118504]; MOV EAX, [0x87118580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x870E1AB8]
    3 CLASSPNP[0xF74C7FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000069[0x870E7530]
    5 ACPI[0xF733E620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8716FD98]
    \Driver\atapi[0x87133030] -> IRP_MJ_CREATE -> 0x87112446
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST3120026A______________________________8.01____#4a343054464e514b202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x87112292
    user != kernel MBR !!!
    sectors 234441646 (+255): user != kernel
    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

    ============= FINISH: 2:16:31.17 ===============



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-11-27.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 03/04/2008 20:28:28
    System Uptime: 12/03/2010 01:35:49 (6385 hours ago)

    Motherboard: http://www.abit.com.tw/ | | AN52(MCP65)
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | Socket AM2 | 2209/201mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 112 GiB total, 46.353 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    G: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Realtek RTL8139/810x Family Fast Ethernet NIC
    Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\4&23AC7881&0&5040
    Manufacturer: Realtek Semiconductor Corp.
    Name: Realtek RTL8139/810x Family Fast Ethernet NIC
    PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\4&23AC7881&0&5040
    Service: RTL8023xp

    ==== System Restore Points ===================

    RP1040: 01/11/2010 21:12:22 - System Checkpoint
    RP1041: 03/11/2010 01:14:25 - System Checkpoint
    RP1042: 04/11/2010 02:12:28 - System Checkpoint
    RP1043: 05/11/2010 05:25:47 - Installed ShowBiz DVD
    RP1044: 05/11/2010 06:22:49 - Installed SmartAP
    RP1045: 05/11/2010 06:34:23 - Installed ShowBiz DVD
    RP1046: 05/11/2010 13:25:09 - Removed SmartAP
    RP1047: 05/11/2010 13:28:39 - Installed SmartAP
    RP1048: 06/11/2010 01:01:14 - Removed SmartAP
    RP1049: 06/11/2010 01:17:25 - Installed SmartAP
    RP1050: 07/11/2010 03:28:35 - System Checkpoint
    RP1051: 08/11/2010 04:23:17 - System Checkpoint
    RP1052: 09/11/2010 05:23:17 - System Checkpoint
    RP1053: 10/11/2010 07:23:04 - System Checkpoint
    RP1054: 12/11/2010 02:12:56 - System Checkpoint
    RP1055: 13/11/2010 09:34:36 - System Checkpoint
    RP1056: 14/11/2010 19:26:52 - System Checkpoint
    RP1057: 15/11/2010 23:47:40 - System Checkpoint
    RP1058: 17/11/2010 01:43:53 - System Checkpoint
    RP1059: 18/11/2010 03:58:56 - System Checkpoint
    RP1060: 19/11/2010 04:53:04 - System Checkpoint
    RP1061: 23/11/2010 07:36:29 - System Checkpoint
    RP1062: 24/11/2010 09:46:42 - System Checkpoint
    RP1063: 25/11/2010 17:19:00 - System Checkpoint
    RP1064: 01/12/2010 04:47:07 - System Checkpoint
    RP1065: 02/12/2010 04:53:49 - System Checkpoint
    RP1066: 02/12/2010 17:16:41 - Removed AVG Free 8.5
    RP1067: 02/12/2010 17:19:10 - Installed AVG Free 8.5
    RP1068: 02/12/2010 17:38:25 - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    RP1069: 02/12/2010 17:38:40 - Installed AVG 2011
    RP1070: 02/12/2010 17:39:11 - Installed AVG 2011

    ==== Installed Programs ======================

    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Media Player
    Adobe Reader 8.1.2
    Adobe Shockwave Player 11
    AMD Processor Driver
    Apple Application Support
    Apple Software Update
    ArcSoft ShowBiz DVD 2
    µTorrent
    AutocompletePro
    AVG 2011
    AviSynth 2.5
    Burn4Free CD & DVD 4.9.0.0
    Click and Convert Device Driver
    Core FTP LE 2.1
    Critical Update for Windows Media Player 11 (KB959772)
    CyberLink PowerDirector
    eBook Maestro FREE 1.80
    EPSON TWAIN 5
    Express Burn
    Express Rip
    FileZilla Client 3.3.3
    Free Virtual Drive
    GIMP 2.6.3
    Golden Videos
    Google Toolbar for Internet Explorer
    Google Update Helper
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Huffyuv AVI lossless video codec (Remove Only)
    ICQ
    ICQHomepage
    IrfanView (remove only)
    Java Auto Updater
    Java(TM) 6 Update 20
    Java(TM) 6 Update 4
    LG CyberLink LabelPrint
    LG CyberLink Power2Go
    LG CyberLink PowerBackup
    LG CyberLink PowerDVD
    LG CyberLink PowerProducer
    LG CyberLink YouCam
    LG ODD Auto Firmware Update
    LG Power Tools
    LightScribe System Software
    LightScribe Template Designs - 9 to 5 Pack 1
    LightScribe Template Designs - Animal Pack 1
    LightScribe Template Designs - Architecture Pack 1
    LightScribe Template Designs - Art Pack 1
    LightScribe Template Designs - Athletic Pack 1
    LightScribe Template Designs - Bonus Pack 1
    LightScribe Template Designs - Bridal Pack 1
    LightScribe Template Designs - Business Pack 1
    LightScribe Template Designs - Celebration Pack 1
    LightScribe Template Designs - Expressions
    LightScribe Template Designs - Fantasy Pack 1
    LightScribe Template Designs - Floral Pack 1
    LightScribe Template Designs - Food-n-Family Pack 1
    LightScribe Template Designs - Grab Bag Pack 1
    LightScribe Template Designs - Hobby Pack 1
    LightScribe Template Designs - Holiday Pack 1
    LightScribe Template Designs - Kickin It Pack 1
    LightScribe Template Designs - Kids Korner Pack 1
    LightScribe Template Designs - Life Events Pack 1
    LightScribe Template Designs - Music Pack 1
    LightScribe Template Designs - Mythology Pack 1
    LightScribe Template Designs - Nature Pack 1
    LightScribe Template Designs - Quick and Simple Pack 1
    LightScribe Template Designs - Seasonal Pack 1
    LightScribe Template Designs - Special Occasion Pack 1
    LightScribe Template Designs - Sports Pack 1
    LightScribe Template Designs - Street Style Pack 1
    LightScribe Template Designs - Tattoo Pack 1
    LightScribe Template Designs - Tie The Knot
    LightScribe Template Designs - Travel Pack 1
    LightScribe Template Designs - Tribal Pack 1
    LightScribe Template Designs - Urban Pack 1
    LightScribe Template Designs - Wedding Pack 1
    LightScribe Template Designs - Winter Whimsy
    LightScribe Template Designs - With The Band
    MainConcept DV Codec
    Malwarebytes' Anti-Malware
    Marvell Miniport Driver
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.12)
    MSN
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    My Free Web Site Builder
    MySpaceIM
    NCH Toolbox
    Nero 7 Ultra Edition
    neroxml
    NVIDIA Display Control Panel
    NVIDIA Drivers
    NVIDIA nView Desktop Manager
    OpenOffice.org 2.4
    PC Camera (6029 CIF)
    Prism Video Converter
    QuickTime
    Realtek High Definition Audio Driver
    SbookBuilder 3
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB2183461)
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SmartAP
    SmartSound Quicktracks Plugin
    System Requirements Lab
    TMPGEnc Authoring Works 4
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Video mp3 Extractor
    VideoPad Video Editor
    VLC media player 1.1.3
    WavePad Sound Editor
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Live SkyDrive Upload Tool
    Windows Media Format 11 runtime
    Windows Media Format SDK Hotfix - KB891122
    Windows Media Player 11
    Windows PowerShell(TM) 1.0
    Windows Presentation Foundation
    Windows XP Service Pack 3
    WinRAR archiver
    XML Paper Specification Shared Components Pack 1.0

    ==== Event Viewer Messages From Past Week ========

    30/11/2010 22:02:17, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the nvsvc service.
    30/11/2010 22:02:17, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    30/11/2010 22:02:17, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    30/11/2010 22:01:41, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
    30/11/2010 21:49:32, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    30/11/2010 21:40:40, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    30/11/2010 20:15:12, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 AvgLdx86 AvgMfx86 Fips
    30/11/2010 11:28:13, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    30/11/2010 09:40:55, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    29/11/2010 01:16:11, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    26/11/2010 20:30:02, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service ntmssvc with arguments "-Service" in order to run the server: {D61A27C6-8F53-11D0-BFA0-00A024151983}
    03/12/2010 00:40:11, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    03/12/2010 00:40:11, error: Service Control Manager [7034] - The LightScribeService Direct Disc Labeling Service service terminated unexpectedly. It has done this 1 time(s).
    03/12/2010 00:40:11, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    03/12/2010 00:40:11, error: Service Control Manager [7034] - The Cyberlink RichVideo Service(CRVS) service terminated unexpectedly. It has done this 1 time(s).
    03/12/2010 00:40:11, error: Service Control Manager [7034] - The B's Recorder GOLD Library General Service service terminated unexpectedly. It has done this 1 time(s).
    03/12/2010 00:40:11, error: Service Control Manager [7034] - The ArcSoft Connect Daemon service terminated unexpectedly. It has done this 1 time(s).
    01/12/2010 01:32:40, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 00508D9E7479 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    01/12/2010 01:09:10, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    01/12/2010 00:39:04, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service NMIndexingService with arguments "" in order to run the server: {C6A811AB-F8FF-45A4-93E5-FC5CCB650BE7}
    01/12/2010 00:37:54, error: Service Control Manager [7000] - The Print Spooler service failed to start due to the following error: The system cannot find the path specified.

    ==== End Of File ===========================


    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=7.00.6000.17091 (vista_gdr.100824-1500)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=40dfadd4bf70194194d8f1e36a793b22
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-12-03 04:16:19
    # local_time=2010-12-03 04:16:19 (+0000, GMT Standard Time)
    # country="United Kingdom"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=769 16774142 0 2 143097990 143097990 0 0
    # compatibility_mode=1024 16777191 100 0 37371 37371 0 0
    # compatibility_mode=8192 67108863 100 0 3801 3801 0 0
    # compatibility_mode=9217 16777214 0 70 115742336 117957657 0 0
    # scanned=151610
    # found=27
    # cleaned=0
    # scan_time=4489
    C:\Documents and Settings\Santina Crolla.BENS\My Documents\Downloads\Make Your Windows Genuine - For XP,Server 2003, Vista - iNGEn\Windows Vista All Versions x86 x64\VistaCheck.exe probably a variant of Win32/Agent.IYWOFRM trojan 00000000000000000000000000000000 I
    C:\Documents and Settings\Santina Crolla.BENS\My Documents\Downloads\Make Your Windows Genuine - For XP,Server 2003, Vista - iNGEn\Windows Vista All Versions x86 x64\VistaCrack.exe probably a variant of Win32/Agent.LDGFZQM trojan 00000000000000000000000000000000 I
    C:\Documents and Settings\Santina Crolla.BENS\My Documents\Downloads\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe Win32/Toolbar.AskSBar application 00000000000000000000000000000000 I
    C:\WINDOWS\Tasks\At1.job Win32/Adware.FakeAntiSpy.O application 00000000000000000000000000000000 I
    C:\WINDOWS\Tasks\At10.job Win32/Adware.FakeAntiSpy.O application 00000000000000000000000000000000 I
    C:\WINDOWS\Tasks\At11.job Win32/Adware.FakeAntiSpy.O application 00000000000000000000000000000000 I
    C:\WINDOWS\Tasks\At12.job Win32/Adware.FakeAntiSpy.O application 00000000000000000000000000000000 I
    C:\WINDOWS\Tasks\At13.job Win32/Adware.FakeAntiSpy.O application 00000000000000000000000000000000 I
    C:\WINDOWS\Tasks\At14.job Win32/Adware.FakeAntiSpy.O application 00000000000000000000000000000000 I
    C:\WINDOWS\Tasks\At15.job Win32/Adware.FakeAntiSpy.O application 00000000000000000000000000000000 I
    C:\WINDOWS\Tasks\At16.job Win32/Adware.FakeAntiSpy.O application 00000000000000000000000000000000 I
    C:\WINDOWS\Tasks\At17.job Win32/Adware.FakeAntiSpy.O application 00000000000000000000000000000000 I
    C:\WINDOWS\Tasks\At18.job Win32/Adware.FakeAntiSpy.O application 00000000000000000000000000000000 I
    C:\WINDOWS\Tasks\At19.job Win32/Adware.FakeAntiSpy.O application 00000000000000000000000000000000 I
    C:\WINDOWS\Tasks\At2.job Win32/Adware.FakeAntiSpy.O application 00000000000000000000000000000000 I
    C:\WINDOWS\Tasks\At20.job Win32/Adware.FakeAntiSpy.O application 00000000000000000000000000000000 I
    C:\WINDOWS\Tasks\At3.job Win32/Adware.FakeAntiSpy.O application 00000000000000000000000000000000 I
    C:\WINDOWS\Tasks\At4.job Win32/Adware.FakeAntiSpy.O application 00000000000000000000000000000000 I
    C:\WINDOWS\Tasks\At5.job Win32/Adware.FakeAntiSpy.O application 00000000000000000000000000000000 I
    C:\WINDOWS\Tasks\At6.job Win32/Adware.FakeAntiSpy.O application 00000000000000000000000000000000 I
    C:\WINDOWS\Tasks\At7.job Win32/Adware.FakeAntiSpy.O application 00000000000000000000000000000000 I
    C:\WINDOWS\Tasks\At8.job Win32/Adware.FakeAntiSpy.O application 00000000000000000000000000000000 I
    C:\WINDOWS\Tasks\At9.job Win32/Adware.FakeAntiSpy.O application 00000000000000000000000000000000 I
    C:\WINNT\system32\edeeg.bak1 Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
    C:\WINNT\system32\edeeg.bak2 Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
    C:\WINNT\system32\edeeg.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
    C:\WINNT\system32\edeeg.ini2 Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
     
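    The two logs above carry two separate signals a responder would pull out by hand: ESET flags a run of `C:\WINDOWS\Tasks\At*.job` entries under one rogue-AV detection (Task Scheduler persistence) and reports `found=27`, `cleaned=0`, while the Gmer mbr.exe section reports that the MBR read from user mode differs from the one read in the kernel. The following Python is an added triage example for this thread, not a TechSpot, ESET or Gmer tool; the sample lines embedded in it are copied from the posted log (trimmed to a handful, hash field retyped), and the function names and the "bootkit suspected" rule are this example's own choices.

```python
"""Triage helper for ESET Online Scanner and Gmer mbr.exe log text.

Added example for this thread; not an ESET or Gmer utility. The sample text
below is a trimmed copy of lines from the log posted in the thread.
"""
import re
from collections import Counter

# Constructed sample: two header lines and five detections from the posted ESET log.
ESET_LOG = r"""
# found=27
# cleaned=0
C:\Documents and Settings\Santina Crolla.BENS\My Documents\Downloads\Make Your Windows Genuine - For XP,Server 2003, Vista - iNGEn\Windows Vista All Versions x86 x64\VistaCrack.exe probably a variant of Win32/Agent.LDGFZQM trojan 00000000000000000000000000000000 I
C:\WINDOWS\Tasks\At1.job Win32/Adware.FakeAntiSpy.O application 00000000000000000000000000000000 I
C:\WINDOWS\Tasks\At10.job Win32/Adware.FakeAntiSpy.O application 00000000000000000000000000000000 I
C:\WINDOWS\Tasks\At2.job Win32/Adware.FakeAntiSpy.O application 00000000000000000000000000000000 I
C:\WINNT\system32\edeeg.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
"""

# Constructed sample: the hook/MBR lines from the posted mbr.exe section.
GMER_LOG = r"""
detected hooks:
\Driver\atapi DriverStartIo -> 0x87112292
user != kernel MBR !!!
sectors 234441646 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
"""

HEURISTIC_PREFIX = "probably a variant of"
TASK_JOB = re.compile(r"\\Tasks\\(At\d+)\.job$", re.IGNORECASE)
MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")


def parse_eset(text):
    """Return (header dict, detection list) from ESET Online Scanner output.

    Detection lines look like '<path> [probably a variant of] <name> <type> <md5> <flag>'.
    Paths contain spaces, so the fixed fields are split off from the right.
    """
    header, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = value.strip()
            continue
        parts = line.rsplit(None, 4)
        if len(parts) != 5 or not MD5_HEX.fullmatch(parts[3]):
            continue  # not a detection line (e.g. 'OnlineScanner.ocx - registred OK')
        path, name, kind, md5, flag = parts
        heuristic = path.endswith(HEURISTIC_PREFIX)
        if heuristic:
            path = path[: -len(HEURISTIC_PREFIX)].rstrip()
        findings.append({"path": path, "name": name, "type": kind,
                         "md5": md5, "flag": flag, "heuristic": heuristic})
    return header, findings


def family_counts(findings):
    """How many hits each detection name produced."""
    return Counter(f["name"] for f in findings)


def scheduled_task_jobs(findings):
    """Task Scheduler AtN.job entries the scanner flagged, in numeric order.

    A run of At*.job files all carrying one rogue-AV detection is the
    persistence pattern visible in the posted log.
    """
    jobs = [m.group(1) for f in findings if (m := TASK_JOB.search(f["path"]))]
    return sorted(jobs, key=lambda j: int(j[2:]))


def uncleaned_count(header):
    """found minus cleaned, from the '# found=' and '# cleaned=' header lines."""
    return int(header.get("found", 0)) - int(header.get("cleaned", 0))


def mbr_mismatch(gmer_text):
    """True when mbr.exe reports that the user-mode MBR read differs from the
    kernel-mode read: a disk-I/O hook is serving a clean sector to user mode."""
    return any("user != kernel" in line for line in gmer_text.splitlines())


def triage(eset_text, gmer_text):
    """Combine both logs into the facts a responder acts on."""
    header, findings = parse_eset(eset_text)
    return {
        "families": family_counts(findings),
        "at_jobs": scheduled_task_jobs(findings),
        "left_uncleaned": uncleaned_count(header),
        "bootkit_suspected": mbr_mismatch(gmer_text),
    }


if __name__ == "__main__":
    for key, value in triage(ESET_LOG, GMER_LOG).items():
        print(f"{key}: {value}")
```

    The MBR check is the one that decides the order of work: with `bootkit_suspected` true, file-level cleanup of the At*.job and edeeg.* hits will not hold until the boot sector is rewritten, which is why the Gmer output itself points at `mbr.exe -f`.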
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The reason your system isn't working well is because it's pirated.

    My Documents\Downloads\Make Your Windows Genuine - For XP,Server 2003,
    VistaCrack.exe
     
     
Topic Status:
Not open for further replies.

