TechSpot

CPU running at 100%, am I infected?

By vogelrok
Feb 26, 2011
  1. I have checked and checked but can't find anything at present.

    avp.exe and System in Task Manager are using up 100% of the CPU when I connect to the internet.

    Here is the HijackThis log file.

    Thank you for any help.


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 09:42:44, on 26/02/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files\Cyberlink\Shared Files\brs.exe
    C:\WINDOWS\system32\UMonit.exe
    C:\WINDOWS\tsnpstd3.exe
    C:\WINDOWS\vsnpstd3.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\RocketDock\RocketDock.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\hyjackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
    O4 - HKLM\..\Run: [PDVD9LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe"
    O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
    O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\UMonit.exe
    O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
    O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [EPSON BX300F Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEJE.EXE /FU "C:\WINDOWS\TEMP\E_S5C.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

    --
    End of file - 9470 bytes
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to Techspot! I'll help find the problem.

    avp.exe is related to the Kaspersky Internet Security program:
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"

    System is, well, part of the system!
    But malware can hide in almost every name.

    But we don't 'screen' with HijackThis>>
    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
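A defender-side check of the point made above (a process name such as avp.exe or System proves nothing on its own; what matters is where the image actually runs from). This is an added example, not code from the thread or from any tool it mentions: a small Python parser for the HijackThis log format shown in the first post. It pulls the "Running processes" list and the O4 autorun entries, flags images launched from the bare Windows folder or from temp/profile paths for a manual look, and checks that an autorun and its matching O23 service entry point at the same file. The trimmed log excerpt and the location heuristics are my own constructions.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample input: a subset of the HijackThis v2 lines posted in this thread.
HJT_EXCERPT = r"""Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\tsnpstd3.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
"""

# O4 = registry autorun entry, O23 = installed service (HijackThis's own line formats).
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<company>.+?) - (?P<path>.+)$")

# Assumed heuristics for "worth a second look": an executable sitting directly in the
# Windows folder (not System32), or anything launched from temp or a user profile.
# They are review prompts only; legitimate software (webcam drivers, for one) lands there too.
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)
TEMP_OR_PROFILE_RE = re.compile(r"\\(temp|documents and settings|docume~1)\\", re.IGNORECASE)


def parse_running_processes(text: str) -> List[str]:
    """Return the image paths listed under 'Running processes:' (up to the first blank line)."""
    procs, collecting = [], False
    for line in text.splitlines():
        if line.strip() == "Running processes:":
            collecting = True
            continue
        if collecting:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def parse_o4_entries(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (hive, key, value name, command line) for every O4 autorun line."""
    out = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            out.append((m["hive"], m["key"], m["name"], m["cmd"]))
    return out


def parse_o23_services(text: str) -> List[Tuple[str, str, str]]:
    """Return (display name, company, image path) for every O23 service line."""
    out = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            out.append((m["display"], m["company"], m["path"]))
    return out


def image_path(cmd: str) -> str:
    """Pull the executable (or, for a rundll32 host, the DLL it loads) out of an autorun command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly containing spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    first = tokens[0] if tokens else cmd
    if first.lower() == "rundll32.exe":          # the host is benign; the module is what matters
        rest = cmd[len(first):].strip()
        return rest.split(",")[0].strip()
    return first


def review_candidates(paths: List[str]) -> List[str]:
    """Paths matching the location heuristics above, deduplicated and sorted."""
    return sorted({p for p in paths if WINDOWS_ROOT_RE.match(p) or TEMP_OR_PROFILE_RE.search(p)})


def autorun_vs_service(text: str) -> Dict[str, Tuple[str, str]]:
    """Pair the O4 autorun path with the O23 service path for executables that appear in both.

    A familiar name is only reassuring when both entries point at the vendor's install
    directory; a second copy elsewhere under the same name is what hiding behind a name looks like.
    """
    services = {ntpath.basename(p).lower(): p for _, _, p in parse_o23_services(text)}
    pairs = {}
    for _, _, _, cmd in parse_o4_entries(text):
        path = image_path(cmd)
        base = ntpath.basename(path).lower()
        if base in services:
            pairs[base] = (path, services[base])
    return pairs
```

Run it over a full log by replacing `HJT_EXCERPT` with the file contents: `review_candidates(parse_running_processes(log) + [image_path(c) for *_, c in parse_o4_entries(log)])` lists what to inspect by hand, and `autorun_vs_service(log)` shows whether the avp.exe autorun and the AVP service agree on one path. `ntpath` is used rather than `os.path` so the Windows paths parse correctly even when the script runs on Linux.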
     
  3. vogelrok

    vogelrok TS Rookie Topic Starter Posts: 22

    Thank you, Bobbye.

    Here are the malware scan results, with the rest to follow. I did find 10 trojans with the Avira antivirus; I think it managed to quarantine 9 of them, so I think 1 is left.


    www.malwarebytes.org

    Database version: 5882

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    26/02/2011 13:02:39
    mbam-log-2011-02-26 (13-02-39).txt

    Scan type: Quick scan
    Objects scanned: 141693
    Time elapsed: 2 minute(s), 43 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  4. vogelrok

    vogelrok TS Rookie Topic Starter Posts: 22

    The gmer.log:

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-02-26 15:24:33
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-6 Hitachi_HDT721032SLA360 rev.ST2OA31B
    Running: m5gpmxv1.exe; Driver: C:\DOCUME~1\LEEVOG~1\LOCALS~1\Temp\afpciaob.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xB2DAAE3A]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xB2DAAEE4]

    Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
    Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
    AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
    AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
    AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

    ---- EOF - GMER 1.0.15 ----
     
  5. vogelrok

    vogelrok TS Rookie Topic Starter Posts: 22

    The dds.log:


    DDS (Ver_10-12-12.02) - NTFSx86
    Run by lee vogelrok at 15:20:16.45 on 26/02/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3326.2659 [GMT 0:00]

    AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: Kaspersky Internet Security *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Kaspersky Internet Security *Enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Cyberlink\Shared Files\brs.exe
    C:\WINDOWS\system32\UMonit.exe
    C:\WINDOWS\tsnpstd3.exe
    C:\WINDOWS\vsnpstd3.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\RocketDock\RocketDock.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\lee vogelrok\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.ntlworld.com/
    uInternet Settings,ProxyOverride = *.local
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
    BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
    TB: {00B8E20C-5C71-4C2F-85A5-6AD541500DF0} - No File
    uRun: [EPSON BX300F Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatieje.exe /fu "c:\windows\temp\E_S5C.tmp" /EF "HKCU"
    uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [PDVD9LanguageShortcut] "c:\program files\cyberlink\powerdvd9\language\Language.exe"
    mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
    mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
    mRun: [UMonit] c:\windows\system32\UMonit.exe
    mRun: [tsnpstd3] c:\windows\tsnpstd3.exe
    mRun: [snpstd3] c:\windows\vsnpstd3.exe
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
    IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
    Notify: klogon - c:\windows\system32\klogon.dll
    AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ============= SERVICES / DRIVERS ===============

    R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-6-15 128016]
    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-12-15 33808]
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-2-26 11608]
    R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-9-1 296976]
    R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/08/06 12:12:18];c:\program files\cyberlink\powerdvd9\000.fcl [2009-5-7 87536]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-2-26 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-2-26 267944]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-2-26 61960]
    R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-7-3 311680]
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-10-18 632792]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-6-24 92008]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-5-13 31760]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472]
    S3 FoxAwdWINFLASH;FoxAwdWINFLASH;\??\c:\progra~1\afox\afoxli~1\foxawdwinflash.sys --> c:\progra~1\afox\afoxli~1\FoxAwdWINFLASH.SYS [?]
    S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]
    S3 INFUSB;INFUSB;c:\windows\system32\drivers\infusb.sys [2002-9-30 15904]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-10-18 137344]
    S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-10-18 8320]
    S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys --> c:\windows\system32\drivers\rt2870.sys [?]

    =============== Created Last 30 ================

    2011-02-26 12:59:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-26 12:59:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-26 11:29:13 -------- d-----w- c:\windows\system32\NtmsData
    2011-02-26 11:27:57 -------- d-----w- c:\docume~1\leevog~1\applic~1\Avira
    2011-02-26 11:24:44 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-02-26 11:24:43 -------- d-----w- c:\program files\Avira
    2011-02-26 11:24:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2011-02-25 20:36:51 -------- d-----w- c:\program files\ESET
    2011-02-25 19:42:03 -------- d-----w- c:\docume~1\leevog~1\applic~1\Malwarebytes
    2011-02-25 19:41:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-02-25 19:41:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-25 19:27:49 -------- d-----w- c:\windows\pss
    2011-02-25 19:20:19 -------- d-----w- c:\program files\hyjackthis
    2011-02-25 02:06:07 -------- d-----w- c:\program files\backups
    2011-02-25 00:39:07 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
    2011-02-25 00:39:07 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
    2011-02-25 00:39:07 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
    2011-02-25 00:39:07 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
    2011-02-25 00:39:07 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
    2011-02-25 00:39:07 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
    2011-02-25 00:39:07 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
    2011-02-24 01:04:47 -------- d-----w- c:\docume~1\leevog~1\applic~1\Mozilla-Cache
    2011-02-24 01:03:27 -------- d-----w- c:\program files\PartyGaming
    2011-02-03 20:49:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
    2011-02-03 20:49:29 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
    2011-02-03 20:49:26 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2011-02-03 20:49:25 1 ----a-w- c:\windows\system32\nvdrssel.bin
    2011-02-03 20:49:13 -------- d-----w- c:\program files\NVIDIA Corporation

    ==================== Find3M ====================

    2011-02-02 21:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-02 19:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-11-29 17:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 17:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

    ============= FINISH: 15:21:00.01 ===============
     
  6. vogelrok

    vogelrok TS Rookie Topic Starter Posts: 22

    The attach.txt log:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 09/07/2009 18:21:47
    System Uptime: 26/02/2011 15:14:45 (0 hours ago)

    Motherboard: Foxconn | | G31MV/G31MV-K
    Processor: Intel Pentium III Xeon processor | Socket 775 | 2499/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 298 GiB total, 128.122 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP506: 28/11/2010 14:37:51 - System Checkpoint
    RP507: 29/11/2010 15:38:56 - System Checkpoint
    RP508: 30/11/2010 18:36:19 - System Checkpoint
    RP509: 01/12/2010 19:48:53 - System Checkpoint
    RP510: 02/12/2010 20:57:06 - System Checkpoint
    RP511: 03/12/2010 21:32:46 - System Checkpoint
    RP512: 04/12/2010 21:47:54 - System Checkpoint
    RP513: 05/12/2010 22:47:54 - System Checkpoint
    RP514: 07/12/2010 00:08:52 - System Checkpoint
    RP515: 08/12/2010 01:08:54 - System Checkpoint
    RP516: 09/12/2010 02:08:54 - System Checkpoint
    RP517: 10/12/2010 14:13:41 - System Checkpoint
    RP518: 11/12/2010 14:48:18 - System Checkpoint
    RP519: 12/12/2010 14:58:17 - System Checkpoint
    RP520: 13/12/2010 15:18:33 - System Checkpoint
    RP521: 14/12/2010 16:07:38 - System Checkpoint
    RP522: 15/12/2010 17:24:38 - System Checkpoint
    RP523: 16/12/2010 03:00:20 - Software Distribution Service 3.0
    RP524: 17/12/2010 12:15:21 - System Checkpoint
    RP525: 18/12/2010 10:20:06 - Software Distribution Service 3.0
    RP526: 19/12/2010 12:52:28 - System Checkpoint
    RP527: 20/12/2010 13:04:38 - System Checkpoint
    RP528: 21/12/2010 14:29:24 - System Checkpoint
    RP529: 22/12/2010 14:33:54 - System Checkpoint
    RP530: 23/12/2010 16:24:23 - System Checkpoint
    RP531: 24/12/2010 17:02:34 - System Checkpoint
    RP532: 25/12/2010 17:38:16 - System Checkpoint
    RP533: 26/12/2010 18:18:41 - System Checkpoint
    RP534: 27/12/2010 21:38:05 - System Checkpoint
    RP535: 28/12/2010 22:37:07 - System Checkpoint
    RP536: 29/12/2010 23:03:12 - System Checkpoint
    RP537: 30/12/2010 23:36:33 - System Checkpoint
    RP538: 01/01/2011 00:36:32 - System Checkpoint
    RP539: 02/01/2011 00:57:51 - System Checkpoint
    RP540: 03/01/2011 11:14:34 - System Checkpoint
    RP541: 04/01/2011 13:46:50 - System Checkpoint
    RP542: 05/01/2011 13:50:12 - System Checkpoint
    RP543: 06/01/2011 14:18:23 - System Checkpoint
    RP544: 07/01/2011 14:57:12 - System Checkpoint
    RP545: 08/01/2011 15:03:53 - System Checkpoint
    RP546: 09/01/2011 16:46:05 - System Checkpoint
    RP547: 10/01/2011 18:16:29 - System Checkpoint
    RP548: 11/01/2011 18:19:24 - System Checkpoint
    RP549: 12/01/2011 19:03:50 - System Checkpoint
    RP550: 13/01/2011 00:54:23 - Software Distribution Service 3.0
    RP551: 13/01/2011 10:33:32 - Software Distribution Service 3.0
    RP552: 14/01/2011 11:21:20 - System Checkpoint
    RP553: 15/01/2011 11:24:54 - System Checkpoint
    RP554: 16/01/2011 14:39:42 - System Checkpoint
    RP555: 17/01/2011 14:59:51 - System Checkpoint
    RP556: 18/01/2011 15:24:09 - System Checkpoint
    RP557: 19/01/2011 16:21:56 - System Checkpoint
    RP558: 20/01/2011 17:04:09 - System Checkpoint
    RP559: 21/01/2011 17:17:42 - System Checkpoint
    RP560: 22/01/2011 17:19:11 - System Checkpoint
    RP561: 23/01/2011 18:20:16 - System Checkpoint
    RP562: 24/01/2011 20:50:17 - System Checkpoint
    RP563: 25/01/2011 21:31:19 - System Checkpoint
    RP564: 26/01/2011 21:48:19 - System Checkpoint
    RP565: 28/01/2011 11:06:01 - System Checkpoint
    RP566: 29/01/2011 11:12:53 - System Checkpoint
    RP567: 30/01/2011 12:24:53 - System Checkpoint
    RP568: 31/01/2011 17:47:26 - System Checkpoint
    RP569: 01/02/2011 21:43:38 - System Checkpoint
    RP570: 03/02/2011 14:05:10 - System Checkpoint
    RP571: 03/02/2011 20:48:53 - Software Distribution Service 3.0
    RP572: 04/02/2011 21:46:01 - System Checkpoint
    RP573: 05/02/2011 21:51:13 - System Checkpoint
    RP574: 07/02/2011 12:08:37 - System Checkpoint
    RP575: 08/02/2011 13:55:24 - System Checkpoint
    RP576: 09/02/2011 14:08:44 - System Checkpoint
    RP577: 09/02/2011 20:13:04 - Software Distribution Service 3.0
    RP578: 11/02/2011 10:47:51 - System Checkpoint
    RP579: 12/02/2011 13:40:19 - System Checkpoint
    RP580: 13/02/2011 14:10:30 - System Checkpoint
    RP581: 14/02/2011 14:26:00 - System Checkpoint
    RP582: 15/02/2011 14:42:47 - System Checkpoint
    RP583: 16/02/2011 15:22:43 - System Checkpoint
    RP584: 17/02/2011 15:25:21 - System Checkpoint
    RP585: 18/02/2011 16:29:32 - System Checkpoint
    RP586: 19/02/2011 16:31:56 - System Checkpoint
    RP587: 20/02/2011 17:00:05 - System Checkpoint
    RP588: 21/02/2011 18:11:44 - System Checkpoint
    RP589: 22/02/2011 18:39:04 - System Checkpoint
    RP590: 23/02/2011 21:24:34 - System Checkpoint
    RP591: 24/02/2011 22:19:08 - System Checkpoint
    RP592: 25/02/2011 00:30:43 - Installed Java(TM) 6 Update 24
    RP593: 25/02/2011 00:37:40 - Installed QuickTime
    RP594: 25/02/2011 01:59:29 - Configured DECAdry Express Business Cards 4
    RP595: 25/02/2011 19:04:12 - Made by Registry Mechanic O

    ==== Installed Programs ======================

    ABBYY FineReader 6.0 Sprint
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0.7
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    µTorrent
    Avira AntiVir Personal - Free Antivirus
    Bonjour
    CloneCD
    Cool Music CD Burner v7.4.3.36
    Critical Update for Windows Media Player 11 (KB959772)
    CyberLink PowerDVD 9
    EPSON BX300F Series Printer Uninstall
    Epson Easy Photo Print 2
    EPSON Scan
    EPSON Stylus Office BX300F_TX300F Manual
    EPSON Web-To-Page
    ESET Online Scanner v3
    Facebook Plug-In
    FlashFXP v3
    gBurner
    Genesys USB Mass Storage Device
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB981793)
    ImgBurn
    iTunes
    Jasc Paint Shop Pro 9
    Java Auto Updater
    Java(TM) 6 Update 24
    K-Lite Codec Pack 5.0.5 (Full)
    Kaspersky Internet Security 2010
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Plus 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.7
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MobileMe Control Panel
    MSVC80_x86
    MSVC80_x86_v2
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nokia Connectivity Cable Driver
    Nokia PC Suite
    Nokia Software Updater
    NVIDIA Display Control Panel
    NVIDIA Drivers
    NVIDIA nView Desktop Manager
    NVIDIA PhysX v8.09.04
    PC Connectivity Solution
    PL-2303 USB-to-Serial
    QuickTime
    Realtek High Definition Audio Driver
    Registry Mechanic 10.0
    RocketDock 1.3.5
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Segoe UI
    TomTom HOME 2.7.5.2014
    TomTom HOME Visual Studio Merge Modules
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office Outlook 2007 (KB2412171)
    Update for Outlook 2007 Junk Email Filter (KB2492475)
    Update for Windows Internet Explorer 8 (KB973874)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    USB PC Camera Plus
    VC80CRTRedist - 8.0.50727.762
    VoiceOver Kit
    Vtune 6.7
    WebFldrs XP
    Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.4)
    Windows Driver Package - Nokia Modem (10/05/2009 4.2)
    Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live OneCare safety scanner
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Player 11
    WinRAR archiver

    ==== Event Viewer Messages From Past Week ========

    26/02/2011 12:52:41, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    26/02/2011 12:52:40, error: Service Control Manager [7034] - The PC Tools Startup and Shutdown Monitor service service terminated unexpectedly. It has done this 1 time(s).
    26/02/2011 12:52:40, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    26/02/2011 12:52:40, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    26/02/2011 12:48:14, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    26/02/2011 12:48:13, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
    26/02/2011 11:21:57, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
    26/02/2011 11:21:57, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\LEEVOG~1\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
    26/02/2011 11:21:57, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
    25/02/2011 20:05:51, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    25/02/2011 11:21:18, error: Service Control Manager [7034] - The TomTomHOMEService service terminated unexpectedly. It has done this 1 time(s).
    25/02/2011 10:26:41, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    22/02/2011 21:58:07, error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.1.143. The machine with the IP address 192.168.1.109 did not allow the name to be claimed by this machine.
    22/02/2011 20:51:10, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\QuickTime\QTTask.exe. Reference error message: The operation completed successfully. .
    22/02/2011 20:51:10, error: SideBySide [58] - Syntax error in manifest or policy file "C:\Program Files\QuickTime\QTTask.exe" on line 0.

    ==== End Of File ===========================
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You are running 2 antivirus programs. This will make the system more vulnerable. Please remove one of them:
    AV: AntiVir Desktop
    AV: Kaspersky Internet Security

    I would think you may want to keep Kaspersky since there was a charge and Avira is free.
    Please reboot the computer when through.
    ===============================================
    Please don't run any more Avira scans while I am helping you.
    Please disable or uninstall Registry Mechanic while I am helping you.

    =============================================
    ===============================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  8. vogelrok

    vogelrok TS Rookie Topic Starter Posts: 22

    Thank you Bobbye

    Here is the log file. I also deleted Kaspersky as it wasn't finding anything, where Avira did.

    ComboFix 11-02-27.01 - lee vogelrok 27/02/2011 23:09:46.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3326.2875 [GMT 0:00]
    Running from: c:\documents and settings\lee vogelrok\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\install.exe
    c:\windows\system32\twunk_32.exe

    .
    ((((((((((((((((((((((((( Files Created from 2011-01-27 to 2011-02-27 )))))))))))))))))))))))))))))))
    .

    2011-02-26 12:59 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-26 12:59 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-26 11:29 . 2011-02-26 12:23 -------- d-----w- c:\windows\system32\NtmsData
    2011-02-26 11:27 . 2011-02-26 11:27 -------- d-----w- c:\documents and settings\lee vogelrok\Application Data\Avira
    2011-02-26 11:24 . 2011-01-10 14:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-02-26 11:24 . 2011-01-10 14:23 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-02-26 11:24 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-02-26 11:24 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-02-26 11:24 . 2011-02-26 11:24 -------- d-----w- c:\program files\Avira
    2011-02-26 11:24 . 2011-02-26 11:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-02-25 20:36 . 2011-02-25 20:36 -------- d-----w- c:\program files\ESET
    2011-02-25 19:42 . 2011-02-25 19:42 -------- d-----w- c:\documents and settings\lee vogelrok\Application Data\Malwarebytes
    2011-02-25 19:41 . 2011-02-25 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-02-25 19:41 . 2011-02-26 12:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-25 19:20 . 2011-02-26 09:42 -------- d-----w- c:\program files\hyjackthis
    2011-02-25 02:06 . 2011-02-25 02:06 -------- d-----w- c:\program files\backups
    2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
    2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
    2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
    2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
    2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
    2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
    2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
    2011-02-25 00:31 . 2011-02-25 00:31 -------- d-----w- c:\program files\Common Files\Java
    2011-02-25 00:30 . 2011-02-25 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2011-02-24 01:04 . 2011-02-24 01:08 -------- d-----w- c:\documents and settings\lee vogelrok\Application Data\Mozilla-Cache
    2011-02-24 01:03 . 2011-02-25 02:01 -------- d-----w- c:\program files\PartyGaming
    2011-02-03 20:49 . 2011-02-03 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
    2011-02-03 20:49 . 2011-02-03 20:49 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
    2011-02-03 20:49 . 2011-02-03 20:49 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2011-02-03 20:49 . 2011-02-03 20:49 1 ----a-w- c:\windows\system32\nvdrssel.bin
    2011-02-03 20:49 . 2011-02-03 20:50 -------- d-----w- c:\program files\NVIDIA Corporation
    2011-02-03 20:29 . 2011-02-03 20:30 -------- d-----w- c:\program files\Windows Live Safety Center

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-02 21:40 . 2010-09-21 09:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-02 19:19 . 2009-07-13 12:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-01-21 14:44 . 2008-04-14 08:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2008-04-14 08:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2008-04-14 08:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2008-04-14 08:00 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2008-04-23 00:16 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2008-07-12 19:10 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59 . 2008-04-23 00:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26 . 2008-04-14 08:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2008-07-12 19:09 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-09 15:15 . 2008-04-14 08:00 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2008-04-14 08:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:42 . 2008-04-14 08:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2008-04-14 04:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    .

    ------- Sigcheck -------

    [-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
    "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-12-19 395640]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2009-04-27 50472]
    "BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2009-05-07 75048]
    "UMonit"="c:\windows\system32\UMonit.exe" [2007-06-18 200704]
    "tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-03-30 262144]
    "snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-18 843776]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-07 1753192]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_2"="shell32" [X]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2005-05-04 01:43 69632 ----a-r- c:\windows\ALCMTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2010-03-16 20:58 47392 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
    2009-01-29 22:20 57344 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-09-01 07:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
    2009-11-11 10:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl9]
    2009-04-27 19:41 87336 ------w- c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2008-04-10 23:52 16861184 ----a-r- c:\windows\RTHDCPL.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-10-29 14:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPanel]
    2008-10-21 12:18 2154496 ----a-w- c:\program files\Vtune\TBPANEL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
    2010-06-24 14:41 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
    2010-12-19 21:37 395640 ----a-w- c:\program files\uTorrent\uTorrent.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/08/06 12:12];c:\program files\CyberLink\PowerDVD9\000.fcl [07/05/2009 20:05 87536]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [26/02/2011 11:24 135336]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [24/06/2010 14:41 92008]
    S3 FoxAwdWINFLASH;FoxAwdWINFLASH;\??\c:\progra~1\AFox\AFOXLI~1\FoxAwdWINFLASH.SYS --> c:\progra~1\AFox\AFOXLI~1\FoxAwdWINFLASH.SYS [?]
    S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]
    S3 INFUSB;INFUSB;c:\windows\system32\drivers\infusb.sys [30/09/2002 16:16 15904]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [18/10/2010 19:40 137344]
    S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [18/10/2010 19:40 8320]
    .
    Contents of the 'Scheduled Tasks' folder

    2011-02-22 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ntlworld.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{00B8E20C-5C71-4C2F-85A5-6AD541500DF0} - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-27 23:12
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    UMonit = c:\windows\system32\UMonit.exe?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
    "ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-02-27 23:13:00
    ComboFix-quarantined-files.txt 2011-02-27 23:12

    Pre-Run: 138,026,754,048 bytes free
    Post-Run: 137,994,788,864 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - A9CF1A3D398E1A0846B95E172B51AB0B
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please go ahead and run this:
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    d:\fxdrv32.sys
    Folder::
    c:\documents and settings\All Users\Application Data\McAfee
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "uTorrent"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_2"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    UMonit =-
    Driver::
    FXDrv32
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ============================================
    Go on to my next reply when finished.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run this online virus scan:
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard, you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ========================================
    I reviewed the HJT log you left initially and the following is based on that. It is possible that you won't see some of the entries- that's okay, they will have been removed elsewhere. Some of these entries are for nothing more than a tray icon, but they do use resources.

    Please reopen HijackThis to 'do system scan only.' Check each of the following- if present:

    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Cyberlink\Shared Files\brs.exe
    C:\WINDOWS\system32\UMonit.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll>>> update
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
    O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\UMonit.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\klo ehk.dll
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    CyberLink

    Regarding: O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
    I just went through a very lengthy discussion on the PCTools about this Service. All said it was a 'resource hog' that sometimes ran as long as 10 minutes. Although I'm recommending you change the Startup type to Manual for now, consider removing it altogether.

    Close all Windows except HijackThis and click on "Fix Checked."

    Click on Start> Run> type in services.msc. Set Startup Type as indicated:
    Apple Mobile Device > Manual
    All Kaspersky Services> Disabled Startup, Stop the Services.
    Bonjour Service> Manual
    iPod> Manual
    Java Quick Starter (jqs)> Disabled Startup, Stop the Service.
    PC Tools Startup> Manual or Disable if you remove the program


    None of the following need to Start on boot and can be unchecked:
    CyberLink
    Java Update\jusched.exe
    SlySoft\CloneCD\CloneCDTray.exe
    iTunesHelper.exe
    Nokia PC Suite
    QuickTime\QTTask.exe
    TBPANEL.exe
    uTorrent\uTorrent.exe


    To remove entries from Startup using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
    • Click on Selective Startup
    • Choose the Startup tab:
      This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted.
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
    • Click on Apply> OK when finished.

    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.'
    Once you make changes to the Startup menu, you must remain in Selective Startup to retain those changes. If you go back to Normal Startup, everything you unchecked will be checked again and start on boot.
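    The helper notes that some of the listed startup entries may already be gone by the time the user looks for them. The script below, an added example that is not from this thread, HijackThis or ComboFix, parses the two log formats quoted above and reports for each HijackThis O4 item whether it is still active in ComboFix's Reg Loading Points, parked by msconfig under startupreg, or gone. The sample lines are quoted from the logs in this thread, except the HKCU uTorrent line, which is assumed to match the value the CFScript removes.

```python
"""Cross-check HijackThis O4 startup items against a later ComboFix log.

Added example, not code from the thread, HijackThis or ComboFix.
"""
import re

# HijackThis: O4 - HKLM\..\Run: [Name] command line
HJT_O4 = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# ComboFix: section header, Run-key value line, msconfig-disabled (startupreg) item line
CF_SECTION = re.compile(r'^\[(?P<key>HK[^\]]+)\]$')
CF_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"(?: \[[^\]]*\])?$')
CF_DISABLED = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d \d+ \S+ (?P<path>.+)$')
EXE_RE = re.compile(r'(.+?\.(?:exe|dll|cpl|scr))(?:\s|$)', re.IGNORECASE)

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
ENV = {"%systemroot%": r"c:\windows", "%windir%": r"c:\windows"}


def normalize_path(cmd: str) -> str:
    """Reduce a Run-key command line to its lower-cased executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                  # quoted path; arguments follow the closing quote
        exe = cmd[1:].split('"', 1)[0]
    else:                                    # unquoted: cut after the extension, else first token
        m = EXE_RE.match(cmd)
        exe = m.group(1) if m else cmd.split(" ", 1)[0]
    exe = exe.lower()
    for var, val in ENV.items():
        exe = exe.replace(var, val)
    return exe


def parse_hjt_o4(text: str) -> dict:
    """(hive, lower-cased value name) -> executable path, one entry per O4 line."""
    entries = {}
    for line in text.splitlines():
        m = HJT_O4.match(line.strip())
        if m:
            entries[(m["hive"], m["name"].lower())] = normalize_path(m["cmd"])
    return entries


def parse_combofix(text: str) -> tuple:
    """Return (active, disabled): active maps (hive, name) -> path for values under the
    CurrentVersion\\Run keys; disabled maps name -> path for msconfig startupreg items."""
    active, disabled = {}, {}
    hive, disabled_name = None, None
    for raw in text.splitlines():
        line = raw.strip()
        sec = CF_SECTION.match(line)
        if sec:
            key = sec["key"]
            low = key.lower()
            hive, disabled_name = HIVES.get(key.split("\\", 1)[0].upper()), None
            if "\\msconfig\\startupreg\\" in low:
                disabled_name = key.rsplit("\\", 1)[1].lower()
            elif not low.endswith("\\currentversion\\run"):
                hive = None                  # RunOnce, services, firewall sections are skipped
            continue
        if disabled_name:
            m = CF_DISABLED.match(line)
            if m:
                disabled[disabled_name] = normalize_path(m["path"])
        elif hive:
            m = CF_VALUE.match(line)
            if m:
                active[(hive, m["name"].lower())] = normalize_path(m["cmd"])
    return active, disabled


def compare(hjt_text: str, cf_text: str) -> dict:
    """name -> 'active' | 'active (path changed)' | 'disabled (msconfig)' | 'gone' | 'new'."""
    hjt = parse_hjt_o4(hjt_text)
    active, disabled = parse_combofix(cf_text)
    report = {}
    for (hive, name), path in hjt.items():
        if (hive, name) in active:
            report[name] = "active" if active[(hive, name)] == path else "active (path changed)"
        elif name in disabled:
            report[name] = "disabled (msconfig)"
        else:
            report[name] = "gone"
    for (hive, name) in active:              # values that appeared after the HJT log was taken
        report.setdefault(name, "new")
    return report


# Constructed sample: O4 lines quoted from the HijackThis log in this thread, plus an
# assumed HKCU uTorrent line matching the value the CFScript above removes.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\UMonit.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
"""
# Constructed sample: Reg Loading Points lines quoted from the later ComboFix log.
CF_SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UMonit"="c:\windows\system32\UMonit.exe" [2007-06-18 200704]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-12-19 21:37 395640 ----a-w- c:\program files\uTorrent\uTorrent.exe
"""

if __name__ == "__main__":
    for name, status in sorted(compare(HJT_SAMPLE, CF_SAMPLE).items()):
        print(f"{name:20} {status}")
```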
     
  11. vogelrok

    vogelrok TS Rookie Topic Starter Posts: 22

    Hi Bobbye.
    My PC had a bit of a freezing fit earlier. I checked the BIOS to see what temps the CPU was at. They were hitting 77, so I turned the machine off and went straight out and bought a Coolmaster V8 CPU cooler.
    Fitted it all, and the machine is up and running with the CPU at 25, so all good there.

    On bootup I had a few problems. I forgot to hook up the system fan, and there were a few minor problems with the BIOS as it was reset. All done.

    Ran your script, but ComboFix updated and I thought it was doing a scan from scratch again. However, I have now noticed it hadn't, after re-running the script.

    Here is the script at the 2nd attempt,
    but it is missing the 2 McAfee deleted files that were in the first run. Hope this hasn't cocked it up too much.

    ComboFix 11-02-28.01 - lee vogelrok 28/02/2011 19:50:23.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3326.2887 [GMT 0:00]
    Running from: c:\documents and settings\lee vogelrok\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\lee vogelrok\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

    FILE ::
    "d:\fxdrv32.sys"
    .

    ((((((((((((((((((((((((( Files Created from 2011-01-28 to 2011-02-28 )))))))))))))))))))))))))))))))
    .

    2011-02-26 12:59 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-26 12:59 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-26 11:29 . 2011-02-26 12:23 -------- d-----w- c:\windows\system32\NtmsData
    2011-02-26 11:27 . 2011-02-26 11:27 -------- d-----w- c:\documents and settings\lee vogelrok\Application Data\Avira
    2011-02-26 11:24 . 2011-01-10 14:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-02-26 11:24 . 2011-01-10 14:23 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-02-26 11:24 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-02-26 11:24 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-02-26 11:24 . 2011-02-26 11:24 -------- d-----w- c:\program files\Avira
    2011-02-26 11:24 . 2011-02-26 11:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-02-25 20:36 . 2011-02-25 20:36 -------- d-----w- c:\program files\ESET
    2011-02-25 19:42 . 2011-02-25 19:42 -------- d-----w- c:\documents and settings\lee vogelrok\Application Data\Malwarebytes
    2011-02-25 19:41 . 2011-02-25 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-02-25 19:41 . 2011-02-26 12:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-25 19:20 . 2011-02-26 09:42 -------- d-----w- c:\program files\hyjackthis
    2011-02-25 02:06 . 2011-02-25 02:06 -------- d-----w- c:\program files\backups
    2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
    2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
    2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
    2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
    2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
    2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
    2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
    2011-02-25 00:31 . 2011-02-25 00:31 -------- d-----w- c:\program files\Common Files\Java
    2011-02-24 01:04 . 2011-02-24 01:08 -------- d-----w- c:\documents and settings\lee vogelrok\Application Data\Mozilla-Cache
    2011-02-24 01:03 . 2011-02-25 02:01 -------- d-----w- c:\program files\PartyGaming
    2011-02-03 20:49 . 2011-02-03 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
    2011-02-03 20:49 . 2011-02-03 20:49 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
    2011-02-03 20:49 . 2011-02-03 20:49 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2011-02-03 20:49 . 2011-02-03 20:49 1 ----a-w- c:\windows\system32\nvdrssel.bin
    2011-02-03 20:49 . 2011-02-03 20:50 -------- d-----w- c:\program files\NVIDIA Corporation
    2011-02-03 20:29 . 2011-02-03 20:30 -------- d-----w- c:\program files\Windows Live Safety Center

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-02 21:40 . 2010-09-21 09:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-02 19:19 . 2009-07-13 12:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-01-21 14:44 . 2008-04-14 08:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2008-04-14 08:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2008-04-14 08:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2008-04-14 08:00 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2008-04-23 00:16 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2008-07-12 19:10 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59 . 2008-04-23 00:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26 . 2008-04-14 08:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2008-07-12 19:09 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-09 15:15 . 2008-04-14 08:00 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2008-04-14 08:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:42 . 2008-04-14 08:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2008-04-14 04:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    .

    ------- Sigcheck -------

    [-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-02-27_23.12.09 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-02-28 19:43 . 2011-02-28 19:43 16384 c:\windows\Temp\Perflib_Perfdata_598.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2009-04-27 50472]
    "BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2009-05-07 75048]
    "UMonit"="c:\windows\system32\UMonit.exe" [2007-06-18 200704]
    "tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-03-30 262144]
    "snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-18 843776]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-07 1753192]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2005-05-04 01:43 69632 ----a-r- c:\windows\ALCMTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2010-03-16 20:58 47392 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
    2009-01-29 22:20 57344 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-09-01 07:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
    2009-11-11 10:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl9]
    2009-04-27 19:41 87336 ------w- c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2008-04-10 23:52 16861184 ----a-r- c:\windows\RTHDCPL.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-10-29 14:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPanel]
    2008-10-21 12:18 2154496 ----a-w- c:\program files\Vtune\TBPANEL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
    2010-06-24 14:41 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
    2010-12-19 21:37 395640 ----a-w- c:\program files\uTorrent\uTorrent.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/08/06 12:12];c:\program files\CyberLink\PowerDVD9\000.fcl [07/05/2009 20:05 87536]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [26/02/2011 11:24 135336]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [24/06/2010 14:41 92008]
    S3 FoxAwdWINFLASH;FoxAwdWINFLASH;\??\c:\progra~1\AFox\AFOXLI~1\FoxAwdWINFLASH.SYS --> c:\progra~1\AFox\AFOXLI~1\FoxAwdWINFLASH.SYS [?]
    S3 INFUSB;INFUSB;c:\windows\system32\drivers\infusb.sys [30/09/2002 16:16 15904]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [18/10/2010 19:40 137344]
    S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [18/10/2010 19:40 8320]
    .
    Contents of the 'Scheduled Tasks' folder

    2011-02-22 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ntlworld.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-28 19:53
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    UMonit = c:\windows\system32\UMonit.exe?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
    "ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2388)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-02-28 19:54:17
    ComboFix-quarantined-files.txt 2011-02-28 19:54
    ComboFix2.txt 2011-02-28 19:46
    ComboFix3.txt 2011-02-27 23:13

    Pre-Run: 137,907,765,248 bytes free
    Post-Run: 137,894,162,432 bytes free

    - - End Of File - - EDE0EB80D588D2260E71C9838A00282A
     
  12. vogelrok

    vogelrok TS Rookie Topic Starter Posts: 22

    Will do the other parts now in your 2nd message. Thank you so much for the help you are putting in. The PC Tools can go for sure; I don't have a problem with that at all.
    Anything to make the machine run better and safer.
     
  13. vogelrok

    vogelrok TS Rookie Topic Starter Posts: 22

    Here's the ESET log as requested.

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=09cce9760078d94c84dfbb0c80ba045a
    # end=stopped
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-02-25 08:40:52
    # local_time=2011-02-25 08:40:52 (+0000, GMT Standard Time)
    # country="United Kingdom"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=1280 16777175 100 0 46855509 46855509 0 0
    # compatibility_mode=2560 16777215 100 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 3680 3680 0 0
    # scanned=5187
    # found=0
    # cleaned=0
    # scan_time=163
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=09cce9760078d94c84dfbb0c80ba045a
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-02-28 08:32:24
    # local_time=2011-02-28 08:32:24 (+0000, GMT Standard Time)
    # country="United Kingdom"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=1797 16775141 100 93 202747 35456532 203993 0
    # compatibility_mode=8192 67108863 100 0 260972 260972 0 0
    # scanned=81581
    # found=2
    # cleaned=0
    # scan_time=1563
    C:\Documents and Settings\lee vogelrok\My Documents\Downloads\DivX7+Keygen\Universal Keygen.exe a variant of Win32/Keygen.AJ application (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\lee vogelrok\My Documents\Downloads\IsoBuster.v2.5.5.1-AGAiN\Keygen.EXE a variant of Win32/Keygen.AF application (unable to clean) 00000000000000000000000000000000 I
     
  14. vogelrok

    vogelrok TS Rookie Topic Starter Posts: 22

    Hi Bobbye

    Everything done as per your post.

    Couldn't find the PC Tools, so I can only think that had something to do with the reg checker I had on the PC, which I had removed the other day along with Kaspersky.

    Nothing seems to be chewing up my CPU usage at present, just the usual opening of software or IE, which uses it and then drops straight away to normal running.

    So far so good. I think the CPU fan was part of the problem maybe, but I wouldn't have found that out if I hadn't checked the BIOS,

    as the Vtune software was saying it was fine at about 37, not 77, which it was at.

    Thank you so much for your help so far. I know we're not finished yet, but it's always nice to say thank you.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    And I appreciate the 'thank you'!

    The ESET log shows you have pirated some downloads. I will remove the malware that came with them, but you will have to remove the pirated software for support to continue:
    DivX7+Keygen
    IsoBuster.v2.5.5.1-AGAiN

    ===============================================
    Please download OTMoveIt by OldTimer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Files  
      C:\Documents and Settings\lee vogelrok\My Documents\Downloads\DivX7+Keygen\Universal Keygen.exe 
      C:\Documents and Settings\lee vogelrok\My Documents\Downloads\IsoBuster.v2.5.5.1-AGAiN\Keygen.EXE 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =======================================
    When finished with OTM, please run this:

    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
     
  16. vogelrok

    vogelrok TS Rookie Topic Starter Posts: 22

    Hi Bobbye

    As requested, both scan logs below.

    Will remove DivX7 and IsoBuster.

    All processes killed
    ========== FILES ==========
    C:\Documents and Settings\lee vogelrok\My Documents\Downloads\DivX7+Keygen\Universal Keygen.exe moved successfully.
    C:\Documents and Settings\lee vogelrok\My Documents\Downloads\IsoBuster.v2.5.5.1-AGAiN\Keygen.EXE moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: lee vogelrok
    ->Temp folder emptied: 114688 bytes
    ->Temporary Internet Files folder emptied: 4492708 bytes
    ->Java cache emptied: 0 bytes
    ->Opera cache emptied: 0 bytes
    ->Flash cache emptied: 4061 bytes

    User: LocalService
    ->Temp folder emptied: 65748 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 483 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 5.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 03012011_085314

    Files moved on Reboot...

    Registry entries deleted on Reboot...


    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\documents and settings\lee vogelrok\my documents\azureus downloads\adobe photoshop cs3\cs3\cs3\crack.rar
    c:\documents and settings\lee vogelrok\my documents\azureus downloads\adobe photoshop cs3\cs3\cs3\crack\crack\photoshop.exe
    c:\documents and settings\lee vogelrok\my documents\azureus downloads\adobe photoshop cs3\cs3\cs3\crack\crack\serial.nfo
    c:\documents and settings\lee vogelrok\my documents\downloads\divx7+keygen\divxinstaller.exe
    c:\documents and settings\lee vogelrok\my documents\downloads\divx7+keygen\torrent downloaded from demonoid.com.txt
    c:\documents and settings\lee vogelrok\my documents\downloads\flashfxp v3.6.0.1240\flashfxp.v3.6.0.1240.multilingual.patch.and.keymaker.only-acme\ac-ffx36\ffxp36_keygen.exe
    c:\documents and settings\lee vogelrok\my documents\downloads\macromedia studio 8 with working keygen- dreamweaver 8, flash 8 and fireworks 8\dreamweaver 8 setup.exe
    c:\documents and settings\lee vogelrok\my documents\downloads\macromedia studio 8 with working keygen- dreamweaver 8, flash 8 and fireworks 8\fireworks 8 setup.exe
    c:\documents and settings\lee vogelrok\my documents\downloads\macromedia studio 8 with working keygen- dreamweaver 8, flash 8 and fireworks 8\flash 8 setup.exe
    c:\documents and settings\lee vogelrok\my documents\downloads\macromedia studio 8 with working keygen- dreamweaver 8, flash 8 and fireworks 8\macromedia dreamweaver 8, flash 8 and fireworks 8 keygen.exe
    c:\documents and settings\lee vogelrok\my documents\downloads\macromedia studio 8 with working keygen- dreamweaver 8, flash 8 and fireworks 8\torrent downloaded from demonoid.com.txt
    c:\documents and settings\lee vogelrok\my documents\downloads\rarlab.winrar.v3.91.proper-eat\rarlab.winrar.v3.91.proper-eat\crack\rar.exe
    c:\documents and settings\lee vogelrok\my documents\downloads\rarlab.winrar.v3.91.proper-eat\rarlab.winrar.v3.91.proper-eat\crack\rarreg.key
    c:\documents and settings\lee vogelrok\my documents\downloads\rarlab.winrar.v3.91.proper-eat\rarlab.winrar.v3.91.proper-eat\crack\unrar.exe
    c:\documents and settings\lee vogelrok\my documents\downloads\rarlab.winrar.v3.91.proper-eat\rarlab.winrar.v3.91.proper-eat\crack\winrar.exe
    c:\documents and settings\lee vogelrok\my documents\my recievced\poweriso v3.6 (full) use for daa or iso plus\keygen.nfo
    c:\documents and settings\lee vogelrok\my documents\tattooflash\pc.tools.registry.mechanic.v10.0.0.126.multilingual-crd\cxx2683a\cxx2683a\crack\install.txt
    c:\documents and settings\lee vogelrok\my documents\tattooflash\pc.tools.registry.mechanic.v10.0.0.126.multilingual-crd\cxx2683a\cxx2683a\crack\serial.txt
    c:\documents and settings\lee vogelrok\my documents\tattooflash\pc.tools.registry.mechanic.v10.0.0.126.multilingual-crd\cxx2683a\cxx2683a\crack\update.exe
    c:\program files\jasc software inc\paint shop pro 9\bump maps\cracked desert.pspimage
    c:\program files\jasc software inc\paint shop pro 9\patterns\cracked paint.pspimage
    c:\_otm\movedfiles\03012011_085314\c_documents and settings\lee vogelrok\my documents\downloads\divx7+keygen\universal keygen.exe
    c:\_otm\movedfiles\03012011_085314\c_documents and settings\lee vogelrok\my documents\downloads\isobuster.v2.5.5.1-again\keygen.exe
    scanner sequence 3.ZZ.11
    ----- EOF -----
     
  17. vogelrok

    vogelrok TS Rookie Topic Starter Posts: 22

    I checked to see if both programs were running; neither of them was. I have deleted the files for those programs.

    Looking at the last list, I will need to remove that lot. Not a problem; I don't want to lose the help I'm getting to get my machine clean.
    Thank you
     
  18. vogelrok

    vogelrok TS Rookie Topic Starter Posts: 22

    Just had a warning pop up, something called "System Tool", protect your PC.

    Avira has picked it up and started to run a scan.

    I was logged into my shop email account from my home PC. I was just hitting the send button; it sent the email to drafts and also sent it. Then the attack happened.

    The unwanted program is EXP/Pidief.deo.

    Avira is wanting to run.

    So is this System Tool thing. I haven't downloaded anything since we started the cleanup, not even any pictures from emails.

    Please advise.

    Since I typed the message just now, my desktop has been changed and now has a great big warning sign over it:

    warning
    your in danger
    your computer is infected with spyware.

    Just had a blue screen of death, then the PC shut down and rebooted, and the program mentioned above is trying to run a scan again. I keep getting pop-ups telling me files are infected.
    I hate these scam PC tools.

    Edit: now Avira is closed and it won't open; I can't get into Task Manager either. The program has now placed itself in the tray at the bottom with its own little padlock symbol.
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    This is a Java exploit: Clear the cache:

    To clear the Java Plug-in cache:

    1. Click Start > Control Panel.
    2. Double-click the Java icon in the control panel. The Java Control Panel appears.
    3. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
    4. Click Delete Files. The Delete Temporary Files dialog box appears.
       There are three options on this window to clear the cache. Check all:
       • Delete Files
       • View Applications
       • View Applets
    5. Click OK on the Delete Temporary Files window.
       Note: This deletes all the Downloaded Applications and Applets from the cache.
    6. Click Apply > OK on the Temporary Files Settings window.

    Note: If you want to delete a specific application or applet from the cache, click on the View Applications or View Applets options respectively.

    You most likely got the malware from all the programs and apps you pirated. You will have to remove all of those programs, as we do not support piracy. All the entries in the ESET log with the words keygen or crack have been pirated.
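Bobbye's Control Panel steps above empty the Java plug-in cache by hand. As an added example (not from the thread, not Bobbye's and not Oracle's code), the script below does the same from Python, but first zips the cache contents so that an analyst still has the cached applets and jars that a Java exploit would have been delivered through; once the Delete Files button has been pressed, that record is gone. It assumes the Java 6 default cache location on Windows XP, %APPDATA%\Sun\Java\Deployment\cache (override by passing another path on the command line); the `make_sample_cache` helper builds a constructed stand-in cache in a temporary directory so the script can be tried offline.

```python
"""Archive, then empty, the Java plug-in cache.

Added example for this thread, not code from the original page.
Assumptions: Java 6 on Windows XP keeps its cache under
%APPDATA%\\Sun\\Java\\Deployment\\cache (the default; pass another path as
argv[1] to override), and the cached applets/jars should be preserved in a
zip for analysis before they are deleted, because the cache is the only
record of what ran.
"""
import os
import shutil
import sys
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List


def default_cache_dir() -> Path:
    """Java 6 deployment cache for the current user (assumed default path)."""
    appdata = os.environ.get("APPDATA", os.path.expanduser("~"))
    return Path(appdata) / "Sun" / "Java" / "Deployment" / "cache"


def archive_cache(cache_dir: Path, archive: Path) -> List[str]:
    """Zip every file under cache_dir into archive; return the stored names."""
    stored: List[str] = []
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(cache_dir.rglob("*")):
            if path.is_file():
                name = path.relative_to(cache_dir).as_posix()
                zf.write(path, name)
                stored.append(name)
    return stored


def clear_cache(cache_dir: Path) -> int:
    """Remove everything inside cache_dir but keep the directory; return files removed."""
    removed = 0
    for child in list(cache_dir.iterdir()):
        if child.is_dir():
            removed += sum(1 for p in child.rglob("*") if p.is_file())
            shutil.rmtree(child)
        else:
            child.unlink()
            removed += 1
    return removed


def preserve_then_clear(cache_dir: Path, archive: Path) -> Dict[str, object]:
    """Archive first, delete second; a missing cache is reported, not an error."""
    if not cache_dir.is_dir():
        return {"archived": [], "removed": 0}
    archived = archive_cache(cache_dir, archive)
    removed = clear_cache(cache_dir)
    return {"archived": archived, "removed": removed}


def archive_names(archive: Path) -> List[str]:
    """Names stored in the evidence zip, sorted (used to verify the archive)."""
    with zipfile.ZipFile(archive) as zf:
        return sorted(zf.namelist())


def make_sample_cache() -> Path:
    """Constructed stand-in for a Java cache (fake bytes, not real data) in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="javacache_"))
    cache = root / "cache"
    (cache / "6.0" / "12").mkdir(parents=True)
    (cache / "6.0" / "12" / "abc.jar").write_bytes(b"PK\x03\x04 fake jar")
    (cache / "6.0" / "12" / "abc.idx").write_bytes(b"fake index")
    (cache / "tmp").mkdir()
    (cache / "tmp" / "x.class").write_bytes(b"\xca\xfe\xba\xbe")
    return cache


if __name__ == "__main__":
    cache = Path(sys.argv[1]) if len(sys.argv) > 1 else default_cache_dir()
    out = Path.cwd() / "java_cache_evidence.zip"
    print(preserve_then_clear(cache, out))
```

Run it with the Java Control Panel and browsers closed. The zip is what you would hand to whoever analyses the incident; the cache directory itself is left in place but empty, so Java simply starts a fresh cache on next use.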
     
  20. vogelrok

    vogelrok TS Rookie Topic Starter Posts: 22

    Can't get into anything now. Even tried in safe mode, and I'm locked out of the admin section.

    Think I might just go and do the upgrade to Windows 7. Gutted, as I have a lot of photos on my PC that I need to keep.

    So, lesson learned: something for free ain't always best.

    Can't get any of the programs we downloaded to start either.

    Can't get into Java; it won't let me, and in safe mode I don't have the admin control as that is blocked from me, or I'm just not getting the password right.

    Thank you for your help. Think the best option now is to reinstall and start again.
     
  21. vogelrok

    vogelrok TS Rookie Topic Starter Posts: 22

    Managed to get rid of it.

    Had to use ComboFix in safe mode. I know I shouldn't have done it without instruction, sorry.

    Here is the log.

    Will remove the software and apps now.

    Edit: have removed them all, as far as I can tell.

    Thank you for your help.

    ComboFix 11-02-28.01 - lee vogelrok 02/03/2011 10:36:15.4.2 - x86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3326.3063 [GMT 0:00]
    Running from: c:\documents and settings\lee vogelrok\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\mAbLoKm06300
    c:\documents and settings\All Users\Application Data\mAbLoKm06300\mAbLoKm06300
    c:\documents and settings\All Users\Application Data\mAbLoKm06300\mAbLoKm06300.exe

    .
    ((((((((((((((((((((((((( Files Created from 2011-02-02 to 2011-03-02 )))))))))))))))))))))))))))))))
    .

    2011-03-01 08:53 . 2011-03-01 08:53 -------- d-----w- C:\_OTM
    2011-02-26 12:59 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-26 12:59 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-26 11:29 . 2011-02-26 12:23 -------- d-----w- c:\windows\system32\NtmsData
    2011-02-26 11:27 . 2011-02-26 11:27 -------- d-----w- c:\documents and settings\lee vogelrok\Application Data\Avira
    2011-02-26 11:24 . 2011-01-10 14:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-02-26 11:24 . 2011-01-10 14:23 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-02-26 11:24 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-02-26 11:24 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-02-26 11:24 . 2011-02-26 11:24 -------- d-----w- c:\program files\Avira
    2011-02-26 11:24 . 2011-02-26 11:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-02-25 20:36 . 2011-02-25 20:36 -------- d-----w- c:\program files\ESET
    2011-02-25 19:42 . 2011-02-25 19:42 -------- d-----w- c:\documents and settings\lee vogelrok\Application Data\Malwarebytes
    2011-02-25 19:41 . 2011-02-25 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-02-25 19:41 . 2011-02-26 12:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-25 19:20 . 2011-02-28 21:03 -------- d-----w- c:\program files\hyjackthis
    2011-02-25 02:06 . 2011-02-25 02:06 -------- d-----w- c:\program files\backups
    2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
    2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
    2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
    2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
    2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
    2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
    2011-02-25 00:39 . 2011-02-25 00:39 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
    2011-02-25 00:31 . 2011-02-25 00:31 -------- d-----w- c:\program files\Common Files\Java
    2011-02-24 01:04 . 2011-02-24 01:08 -------- d-----w- c:\documents and settings\lee vogelrok\Application Data\Mozilla-Cache
    2011-02-24 01:03 . 2011-02-25 02:01 -------- d-----w- c:\program files\PartyGaming
    2011-02-03 20:49 . 2011-02-03 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
    2011-02-03 20:49 . 2011-02-03 20:49 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
    2011-02-03 20:49 . 2011-02-03 20:49 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2011-02-03 20:49 . 2011-02-03 20:49 1 ----a-w- c:\windows\system32\nvdrssel.bin
    2011-02-03 20:49 . 2011-02-03 20:50 -------- d-----w- c:\program files\NVIDIA Corporation
    2011-02-03 20:29 . 2011-02-03 20:30 -------- d-----w- c:\program files\Windows Live Safety Center

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-02 21:40 . 2010-09-21 09:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-02 19:19 . 2009-07-13 12:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-01-21 14:44 . 2008-04-14 08:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2008-04-14 08:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2008-04-14 08:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2008-04-14 08:00 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2008-04-23 00:16 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2008-07-12 19:10 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59 . 2008-04-23 00:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26 . 2008-04-14 08:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2008-07-12 19:09 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-09 15:15 . 2008-04-14 08:00 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2008-04-14 08:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:42 . 2008-04-14 08:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2008-04-14 04:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    .

    ------- Sigcheck -------

    [-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-03-30 262144]
    "snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-18 843776]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-07 1753192]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2005-05-04 01:43 69632 ----a-r- c:\windows\ALCMTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2010-03-16 20:58 47392 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
    2009-05-07 19:05 75048 ----a-w- c:\program files\CyberLink\Shared Files\brs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
    2009-01-29 22:20 57344 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-09-01 07:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
    2009-11-11 10:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD9LanguageShortcut]
    2009-04-27 16:50 50472 ------w- c:\program files\CyberLink\PowerDVD9\Language\Language.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl9]
    2009-04-27 19:41 87336 ------w- c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2008-04-10 23:52 16861184 ----a-r- c:\windows\RTHDCPL.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-10-29 14:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPanel]
    2008-10-21 12:18 2154496 ----a-w- c:\program files\Vtune\TBPANEL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
    2010-06-24 14:41 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
    2010-12-19 21:37 395640 ----a-w- c:\program files\uTorrent\uTorrent.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    S2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/08/06 12:12];c:\program files\CyberLink\PowerDVD9\000.fcl [07/05/2009 20:05 87536]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [26/02/2011 11:24 135336]
    S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [24/06/2010 14:41 92008]
    S3 FoxAwdWINFLASH;FoxAwdWINFLASH;\??\c:\progra~1\AFox\AFOXLI~1\FoxAwdWINFLASH.SYS --> c:\progra~1\AFox\AFOXLI~1\FoxAwdWINFLASH.SYS [?]
    S3 INFUSB;INFUSB;c:\windows\system32\drivers\infusb.sys [30/09/2002 16:16 15904]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [18/10/2010 19:40 137344]
    S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [18/10/2010 19:40 8320]
    .
    Contents of the 'Scheduled Tasks' folder

    2011-03-01 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ntlworld.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-02 10:41
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
    "ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-03-02 10:42:50
    ComboFix-quarantined-files.txt 2011-03-02 10:42
    ComboFix2.txt 2011-02-28 19:54
    ComboFix3.txt 2011-02-28 19:46
    ComboFix4.txt 2011-02-27 23:13

    Pre-Run: 138,048,823,296 bytes free
    Post-Run: 138,136,449,024 bytes free

    - - End Of File - - F1F461E68468DAD04492BA2EC3405088
     
  22. vogelrok

    vogelrok TS Rookie Topic Starter Posts: 22

    Hi Bobbye

    I have deleted all the pirated software I can find on my PC.

    Have also downloaded Comodo Firewall and GeekBuddy, as I noticed in a few other posts that the Windows firewall is only one-way, not bi-directional.

    If this was a mistake please advise.

    Thank you.
     
  23. vogelrok

    vogelrok TS Rookie Topic Starter Posts: 22

    Here's the latest ESET scan to show I have removed the pirated software from my PC.

    But it is still showing two of them remaining, even though they are uninstalled and deleted.

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=09cce9760078d94c84dfbb0c80ba045a
    # end=stopped
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-02-25 08:40:52
    # local_time=2011-02-25 08:40:52 (+0000, GMT Standard Time)
    # country="United Kingdom"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=1280 16777175 100 0 46855509 46855509 0 0
    # compatibility_mode=2560 16777215 100 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 3680 3680 0 0
    # scanned=5187
    # found=0
    # cleaned=0
    # scan_time=163
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=09cce9760078d94c84dfbb0c80ba045a
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-02-28 08:32:24
    # local_time=2011-02-28 08:32:24 (+0000, GMT Standard Time)
    # country="United Kingdom"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=1797 16775141 100 93 202747 35456532 203993 0
    # compatibility_mode=8192 67108863 100 0 260972 260972 0 0
    # scanned=81581
    # found=2
    # cleaned=0
    # scan_time=1563
    C:\Documents and Settings\lee vogelrok\My Documents\Downloads\DivX7+Keygen\Universal Keygen.exe a variant of Win32/Keygen.AJ application (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\lee vogelrok\My Documents\Downloads\IsoBuster.v2.5.5.1-AGAiN\Keygen.EXE a variant of Win32/Keygen.AF application (unable to clean) 00000000000000000000000000000000 I
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=09cce9760078d94c84dfbb0c80ba045a
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-03-03 08:43:15
    # local_time=2011-03-03 08:43:15 (+0000, GMT Standard Time)
    # country="United Kingdom"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=1797 16775141 100 93 462494 35716279 105643 0
    # compatibility_mode=3073 16777213 80 75 119415 5600024 0 0
    # compatibility_mode=8192 67108863 100 0 520719 520719 0 0
    # scanned=76094
    # found=3
    # cleaned=0
    # scan_time=1667
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\mAbLoKm06300\mAbLoKm06300.exe.vir a variant of Win32/Kryptik.LFO trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{754642D3-1915-4355-981C-527A3385A415}\RP600\A0069866.exe a variant of Win32/Keygen.AJ application (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{754642D3-1915-4355-981C-527A3385A415}\RP600\A0069867.EXE a variant of Win32/Keygen.AF application (unable to clean) 00000000000000000000000000000000 I
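The two most recent scans above disagree because the 28 Feb run found the keygens in the Downloads folder, while the 3 Mar run finds them only inside a System Restore point, next to ComboFix's quarantined copy of mAbLoKm06300.exe (the Win32/Kryptik.LFO trojan): those are inert copies, not files that can run. As an added example (not part of the thread and not ESET's own tooling), the script below parses ESET Online Scanner detection lines and labels each hit by where it lives. The sample input is copied from the ESET log above; the rules for which folders hold inert copies (ComboFix's Qoobox\Quarantine, OTM's _OTM\MovedFiles, TDSSKiller's quarantine folder, System Restore's _restore{...} points) are my own assumptions, as is the keygen/crack name check used to flag the pirated-software hits Bobbye asked to have removed.

```python
"""Triage the detections in an ESET Online Scanner log by where they sit.

Added example for this thread, not code from the original page or from ESET.
The sample lines are copied from the ESET log in the thread.  The location
rules (which folders hold quarantined or restore-point copies rather than
live files) and the keygen/crack check are this example's own assumptions.
"""
import re
from typing import Dict, List, Optional

# Detection line: <path> [a variant of] <family/name> <kind> (<action>) <hash> <flag>
DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?:(?:probably )?a variant of\s+)?"
    r"(?P<threat>\S+/\S+)\s+"
    r"(?P<kind>.+?)\s+"
    r"\((?P<action>[^)]*)\)\s+"
    r"(?P<hash>[0-9A-Fa-f]{32})\s+"
    r"(?P<flag>\S+)\s*$"
)

# Copied from the thread's ESET logs (28 Feb and 3 Mar scans), plus one header line.
SAMPLE_ESET_LINES = [
    r"C:\Documents and Settings\lee vogelrok\My Documents\Downloads\DivX7+Keygen\Universal Keygen.exe a variant of Win32/Keygen.AJ application (unable to clean) 00000000000000000000000000000000 I",
    r"C:\Documents and Settings\lee vogelrok\My Documents\Downloads\IsoBuster.v2.5.5.1-AGAiN\Keygen.EXE a variant of Win32/Keygen.AF application (unable to clean) 00000000000000000000000000000000 I",
    r"C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\mAbLoKm06300\mAbLoKm06300.exe.vir a variant of Win32/Kryptik.LFO trojan (unable to clean) 00000000000000000000000000000000 I",
    r"C:\System Volume Information\_restore{754642D3-1915-4355-981C-527A3385A415}\RP600\A0069866.exe a variant of Win32/Keygen.AJ application (unable to clean) 00000000000000000000000000000000 I",
    r"C:\System Volume Information\_restore{754642D3-1915-4355-981C-527A3385A415}\RP600\A0069867.EXE a variant of Win32/Keygen.AF application (unable to clean) 00000000000000000000000000000000 I",
    "# found=3",
]

# Assumed: files under these folders are copies held by a cleanup tool, not live files.
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\", "\\_otm\\movedfiles\\", "\\tdsskiller_quarantine\\")
RESTORE_MARKER = "\\system volume information\\_restore{"


def locate(path: str) -> str:
    """'quarantine', 'restore-point' or 'live', judged from the path alone."""
    p = path.lower()
    if any(marker in p for marker in QUARANTINE_MARKERS):
        return "quarantine"
    if RESTORE_MARKER in p:
        return "restore-point"
    return "live"


def classify(threat: str, kind: str) -> str:
    """Separate pirated-software tools from actual malware by ESET's own labels."""
    name = threat.lower()
    if kind == "application" and any(w in name for w in ("keygen", "crack", "patch")):
        return "keygen/crack"
    if kind in ("trojan", "worm", "virus", "backdoor"):
        return "malware"
    return "other"


def parse_detection(line: str) -> Optional[Dict[str, object]]:
    """One detection line -> dict, or None for header/comment lines."""
    m = DETECTION.match(line.strip())
    if not m:
        return None
    location = locate(m["path"])
    return {
        "path": m["path"], "threat": m["threat"], "kind": m["kind"],
        "action": m["action"], "location": location,
        "category": classify(m["threat"], m["kind"]),
        "active": location == "live",   # only live files still need cleaning
    }


def triage(lines) -> List[Dict[str, object]]:
    return [d for d in (parse_detection(line) for line in lines) if d]


def reported_found(lines) -> Optional[int]:
    """The scanner's own count from the last '# found=N' line, to cross-check parsing."""
    found = None
    for line in lines:
        m = re.match(r"#\s*found=(\d+)", line.strip())
        if m:
            found = int(m.group(1))
    return found


def summarize(findings) -> Dict[str, int]:
    """Hits per location, so live work is visible apart from inert copies."""
    counts: Dict[str, int] = {}
    for d in findings:
        counts[d["location"]] = counts.get(d["location"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_ESET_LINES)
    for d in hits:
        print(f"{d['location']:<14}{d['category']:<14}{d['threat']:<20}{d['path']}")
    print(summarize(hits), "scanner reported:", reported_found(SAMPLE_ESET_LINES))
```

A file under _restore{...} only comes back if that restore point is applied, and a .vir file under Qoobox\Quarantine only if ComboFix restores it, so the summary separates what still needs cleaning from what only needs the quarantine and old restore points purged; reported_found lets you confirm the parser saw as many lines as the scanner's own "# found=" count.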
     
  24. vogelrok

    vogelrok TS Rookie Topic Starter Posts: 22

    I take it I'm not getting any more help then, because I had the cracked software. I have removed it all and, as far as I can see, none is left.

    If my help is over with, how do I remove the stuff from the desktop safely without messing up my system?


    I only ask as the last reply was a couple of days ago now. I know you have other people to help and I know you are doing this for free,
    but I hope you are not judging me for having downloaded a bit of pirated software.

    If the above comment offends, I'm sorry, but your last comment sort of told me to do one; in my books your help is ended, so I'm asking.
     
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    A sudden and tragic death in the family took me away for a while. I am catching up now.

    The Eset log shows no new infections. Perhaps you would be kind enough to let me know if there has been any improvement in the system.
    =========================================
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe. to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ====================
    Yes, downloading Geekbuddy was a mistake. It is to get remote help. If you plan on using that, you don't need me. However, be advised that the remote help will cost $$$.
    ==============================================
    What is the status of the system please? Why did you run Combofix in Safe Mode?
     
Topic Status:
Not open for further replies.
