TechSpot

Google redirect issue

By Paulski1
Oct 24, 2010
  1. Hi all,

    I have somehow managed to contract some form of virus that is constantly sending Google searches to random search sites & advertising sites. I have checked for TDSS etc., but cannot find anything.

    Steps taken so far:
    Ran Kaspersky TDSS Killer - nothing found
    Ran MBAM (after figuring out I needed to rename the file): several trojans(!) found and removed - now clean (log attached)
    Ran AVG - nothing found
    Ran TFC

    Below are the logs for:
    MBAM / GMER - I'm really hoping someone can spot something and tell me how to get rid of this bloody thing

    I've also got the DDS logs & a Hijack this log if needed. Thanks for looking :)

    MBAM Log:
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4934

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.11

    24/10/2010 16:04:38
    mbam-log-2010-10-24 (16-04-38).txt

    Scan type: Quick scan
    Objects scanned: 172376
    Time elapsed: 29 minute(s), 50 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER Log:
    GMER 1.0.15.15477 - http://www.gmer.net
    Rootkit scan 2010-10-24 15:15:53
    Windows 5.1.2600 Service Pack 3
    Running: tm873jk0.exe; Driver: C:\DOCUME~1\Paul\LOCALS~1\Temp\pxtdipow.sys


    ---- System - GMER 1.0.15 ----

    SSDT spgr.sys ZwCreateKey [0xF764F0E0]
    SSDT spgr.sys ZwEnumerateKey [0xF766DCA2]
    SSDT spgr.sys ZwEnumerateValueKey [0xF766E030]
    SSDT spgr.sys ZwOpenKey [0xF764F0C0]
    SSDT spgr.sys ZwQueryKey [0xF766E108]
    SSDT spgr.sys ZwQueryValueKey [0xF766DF88]
    SSDT spgr.sys ZwSetValueKey [0xF766E19A]

    INT 0x63 ? 87605F00
    INT 0x73 ? 87605F00
    INT 0x83 ? 877DABF8

    Code 87474778 ZwSetSystemInformation

    ---- Kernel code sections - GMER 1.0.15 ----

    PAGE ntoskrnl.exe!ZwSetSystemInformation 805A7C5F 5 Bytes JMP 8747477C
    ? spgr.sys The system cannot find the file specified. !
    .text USBPORT.SYS!DllUnload F67848AC 5 Bytes JMP 876054E0
    .text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF6162360, 0x24BB1D, 0xE8000020]
    .text a05wqehq.SYS ED43B386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
    .text a05wqehq.SYS ED43B3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
    .text a05wqehq.SYS ED43B3C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
    .text a05wqehq.SYS ED43B3C9 1 Byte [2E]
    .text a05wqehq.SYS ED43B3C9 11 Bytes [2E, 00, 00, 00, 5C, 02, 00, ...] {ADD CS:[EAX], AL; ADD [EDX+EAX+0x0], BL; ADD [EAX], AL; ADD [EAX], AL}
    .text ...

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\SearchIndexer.exe[3700] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 877DA2D8
    IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7680C4C] spgr.sys
    IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7680CA0] spgr.sys
    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7650040] spgr.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F765013C] spgr.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F76500BE] spgr.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F76507FC] spgr.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F76506D2] spgr.sys
    IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 876055E0
    IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7660048] spgr.sys

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 8776A1F8
    Device \FileSystem\Fastfat \FatCdrom 87432500
    Device \Driver\USBSTOR \Device\0000008e 86B9D500
    Device \Driver\USBSTOR \Device\0000008f 86B9D500

    AttachedDevice \Driver\Tcpip \Device\Ip FreeTdi.sys (Radialpoint Filter/Radialpoint Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\usbohci \Device\USBPDO-0 875FB500
    Device \Driver\usbohci \Device\USBPDO-1 875FB500
    Device \Driver\dmio \Device\DmControl\DmIoDaemon 877D81F8
    Device \Driver\dmio \Device\DmControl\DmConfig 877D81F8
    Device \Driver\dmio \Device\DmControl\DmPnP 877D81F8
    Device \Driver\dmio \Device\DmControl\DmInfo 877D81F8
    Device \Driver\usbehci \Device\USBPDO-2 876921F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{2FF799CD-EF64-40EA-8A7B-A912B8C95AEC} 874CB500

    AttachedDevice \Driver\Tcpip \Device\Tcp FreeTdi.sys (Radialpoint Filter/Radialpoint Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\dmio \Device\HarddiskDmVolumes\PhysicalDmVolumes\RawVolume1 877D81F8
    Device \Driver\dmio \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume1 877D81F8
    Device \Driver\Ftdisk \Device\HarddiskVolume1 8776D1F8
    Device \Driver\Ftdisk \Device\HarddiskVolume2 8776D1F8
    Device \Driver\Cdrom \Device\CdRom0 875811F8
    Device \Driver\Ftdisk \Device\HarddiskVolume3 8776D1F8
    Device \Driver\Cdrom \Device\CdRom1 875811F8
    Device \Driver\Cdrom \Device\CdRom2 875811F8
    Device \Driver\Cdrom \Device\CdRom3 875811F8
    Device \Driver\NetBT \Device\NetBt_Wins_Export 874CB500
    Device \Driver\NetBT \Device\NetbiosSmb 874CB500

    AttachedDevice \Driver\Tcpip \Device\Udp FreeTdi.sys (Radialpoint Filter/Radialpoint Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp FreeTdi.sys (Radialpoint Filter/Radialpoint Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\PCI_PNP7630 \Device\0000005e spgr.sys
    Device \Driver\usbohci \Device\USBFDO-0 875FB500
    Device \Driver\usbohci \Device\USBFDO-1 875FB500
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 87142500
    Device \Driver\usbehci \Device\USBFDO-2 876921F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{9EF5A04E-EFE2-4C28-A60B-1B752F6B0BFD} 874CB500
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 87142500
    Device \Driver\Ftdisk \Device\FtControl 8776D1F8
    Device \Driver\USBSTOR \Device\0000008c 86B9D500
    Device \Driver\nvidesm -> DriverStartIo \Device\Scsi\nvidesm1 87040AEA
    Device \Driver\nvidesm \Device\Scsi\nvidesm1 877D71F8
    Device \Driver\VOBID \Device\Scsi\VOBID1Port1Path0Target0Lun0 8776B1F8
    Device \Driver\nvidesm -> DriverStartIo \Device\Scsi\nvidesm1Port0Path1Target1Lun0 87040AEA
    Device \Driver\nvidesm \Device\Scsi\nvidesm1Port0Path1Target1Lun0 877D71F8
    Device \Driver\VOBID \Device\Scsi\VOBID1 8776B1F8
    Device \Driver\a05wqehq \Device\Scsi\a05wqehq1Port2Path0Target0Lun0 87165500
    Device \Driver\a05wqehq \Device\Scsi\a05wqehq1 87165500
    Device \Driver\nvidesm -> DriverStartIo \Device\Scsi\nvidesm1Port0Path0Target1Lun0 87040AEA
    Device \Driver\nvidesm \Device\Scsi\nvidesm1Port0Path0Target1Lun0 877D71F8
    Device \Driver\nvidesm -> DriverStartIo \Device\Scsi\nvidesm1Port0Path1Target0Lun0 87040AEA
    Device \Driver\nvidesm \Device\Scsi\nvidesm1Port0Path1Target0Lun0 877D71F8
    Device \Driver\sptd \Device\1426898880 spgr.sys
    Device \Driver\USBSTOR \Device\0000008d 86B9D500
    Device \FileSystem\Fastfat \Fat 87432500

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Cdfs \Cdfs 87441500

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00081be0099d
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00081be0099d@001f6b7a958c 0xA8 0xF8 0xC9 0xE6 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00081be0099d@00233ae01e3c 0x12 0x6B 0x81 0x8B ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00081be0099d@001317726fa3 0xC7 0x93 0xF1 0x62 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000ea13124a8
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 H:\exe.progs\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xD9 0xE5 0x49 0xB6 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x26 0x33 0x55 0x53 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x5A 0x71 0xFB 0x82 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00081be0099d (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00081be0099d@001f6b7a958c 0xA8 0xF8 0xC9 0xE6 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00081be0099d@00233ae01e3c 0x12 0x6B 0x81 0x8B ...
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00081be0099d@001317726fa3 0xC7 0x93 0xF1 0x62 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000ea13124a8 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 H:\exe.progs\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xD9 0xE5 0x49 0xB6 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x26 0x33 0x55 0x53 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x5A 0x71 0xFB 0x82 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{6802E635-CB18-F544-790D-700BAC51E508}\AutoConvertTo@ {00020907-0000-0000-C000-000000000046}
    Reg HKLM\SOFTWARE\Classes\CLSID\{6802E635-CB18-F544-790D-700BAC51E508}\DefaultIcon@ C:\PROGRA~1\MICROS~2\Office10\WINWORD.EXE,1
    Reg HKLM\SOFTWARE\Classes\CLSID\{6802E635-CB18-F544-790D-700BAC51E508}\Insertable@
    Reg HKLM\SOFTWARE\Classes\CLSID\{6802E635-CB18-F544-790D-700BAC51E508}\NotInsertable@
    Reg HKLM\SOFTWARE\Classes\CLSID\{6802E635-CB18-F544-790D-700BAC51E508}\ProgId@ Word.Picture.6
    Reg HKLM\SOFTWARE\Classes\CLSID\{6802E635-CB18-F544-790D-700BAC51E508}\TreatAs@ {00020906-0000-0000-C000-000000000046}

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 06: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sectors 312581552 (+255): rootkit-like behavior;

    ---- EOF - GMER 1.0.15 ----
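As an added example (not from the original post and not GMER's own code), a small Python triage pass over lines in the GMER 1.0.15 log format pasted above: it groups SSDT hooks by the module that installed them, lists inline JMP patches and the filter drivers attached to the TCP/IP stack, and ranks the "sector 00 (MBR): rootkit-like behavior" line above everything else. The regexes, severity labels and the sptd heuristic are this example's own assumptions; the sample is constructed from entry types taken from the log above.

```python
import re
from collections import defaultdict

# Constructed sample built from the entry types in the GMER log above
# (SSDT hooks, kernel code patches, devices, TCP/IP filters, disk sectors).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT spgr.sys ZwCreateKey [0xF764F0E0]
SSDT spgr.sys ZwEnumerateKey [0xF766DCA2]
SSDT spgr.sys ZwOpenKey [0xF764F0C0]

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ZwSetSystemInformation 805A7C5F 5 Bytes JMP 8747477C
.text USBPORT.SYS!DllUnload F67848AC 5 Bytes JMP 876054E0

---- Devices - GMER 1.0.15 ----

Device \Driver\sptd \Device\1426898880 spgr.sys
AttachedDevice \Driver\Tcpip \Device\Ip FreeTdi.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 312581552 (+255): rootkit-like behavior;
"""

# Line patterns are this example's own reading of the GMER 1.0.15 text format.
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\w+)\s+\[0x([0-9A-F]+)\]$")
INLINE_RE = re.compile(
    r"^(?:\.text|PAGE)\s+(\S+)!(\w+)\s+[0-9A-F]+\s+\d+ Bytes\s+JMP\s+([0-9A-F]+)$")
ATTACHED_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.*)\)$")
DEVICE_RE = re.compile(r"^Device\s+(\S+)\s+(\S+)\s+(\S+)$")
DISK_RE = re.compile(
    r"^Disk\s+(\S+)\s+sectors?\s+(\S+)(?:\s+\(([^)]+)\))?: rootkit-like behavior;$")


def triage(log_text):
    """Pull the entries a helper reads first out of a GMER log."""
    ssdt = defaultdict(list)   # hooking module -> hooked Zw* functions
    inline = []                # (patched module, function, JMP target)
    tcpip_filters = []         # (device, filter driver, description)
    devices = {}               # device name -> (owning driver object, file/address)
    disk = []                  # (disk device, sector spec, annotation such as "MBR")
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("----"):
            continue
        if m := SSDT_RE.match(line):
            ssdt[m.group(1)].append(m.group(2))
        elif m := INLINE_RE.match(line):
            inline.append((m.group(1), m.group(2), m.group(3)))
        elif m := ATTACHED_RE.match(line):
            if m.group(1).lower() == r"\driver\tcpip":
                tcpip_filters.append((m.group(2), m.group(3), m.group(4)))
        elif m := DEVICE_RE.match(line):
            devices[m.group(2)] = (m.group(1), m.group(3))
        elif m := DISK_RE.match(line):
            disk.append((m.group(1), m.group(2), m.group(3)))
    return {"ssdt": dict(ssdt), "inline": inline, "tcpip_filters": tcpip_filters,
            "devices": devices, "disk": disk}


def findings(report):
    """Rank what triage() found, highest priority first."""
    out = []
    # A flagged MBR outranks everything else: a bootkit loads before the OS and
    # survives every user-mode cleaner, so the boot sector is checked first.
    if any(note == "MBR" for _, _, note in report["disk"]):
        out.append("CRITICAL: MBR flagged as rootkit-like; check the boot sector before anything else")
    for dev, sector, _ in report["disk"]:
        if sector != "00":
            out.append(f"HIGH: {dev} sector(s) {sector} flagged as rootkit-like")
    for module, funcs in report["ssdt"].items():
        # Heuristic: a module that hooks only registry Zw*Key calls and also owns a
        # \Driver\sptd device matches the disc-emulation driver that ships with
        # DAEMON Tools; any other SSDT hook needs an explanation.
        owns_sptd = any(owner == r"\Driver\sptd" and f == module
                        for owner, f in report["devices"].values())
        level = "INFO" if owns_sptd and all("Key" in fn for fn in funcs) else "HIGH"
        out.append(f"{level}: {module} hooks {len(funcs)} SSDT entries ({', '.join(funcs)})")
    for module, func, target in report["inline"]:
        out.append(f"MEDIUM: inline JMP in {module}!{func} -> {target}; identify who owns that address")
    for dev, drv, desc in report["tcpip_filters"]:
        out.append(f"INFO: {drv} attached to {dev} ({desc})")
    return out
```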
     
  2. Bobbye


    Please include the 2 logs from DDS.

    This is what we ask for in the preliminary scans: Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply .

    Please run this: Download Bootkit Remover and save it to your Desktop.
    1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    3. You will see a Black screen with some data on it.
    4. Right click on the screen and click Select All.
    5. Press CTRL+C to Copy
    6. Open a Notepad and press CTRL+V to Paste.
    7. Include the report in your next post.
    Credits to Broni
    =======================================
    Then download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
    =======================================================
    So you've done half. I need the 2 DDS logs, the Bootkit Remover log and the Combofix report. You can use multiple posts to paste in the logs. A note: gathering programs around the internet to try and fix unknown malware is risky at best. So far, I see no reason for TDSS to have been run. I don't want HJT now; it is most likely an old version.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. Paulski1


    Hi Bobbye,

    Thanks for replying. I've attached the requested logs below - this is going to be a long post! The only issue I have is Bootkit Remover. I can't run it as Admin as there is no password (inherited PC with no such thing as passwords)! I have attached what I got, but don't know if it's any use...

    DDS Text:
    DDS (Ver_10-10-21.02) - NTFSx86
    Run by Paul at 15:17:01.73 on 24/10/2010
    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.354 [GMT 1:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: PCguard Anti-Virus *On-access scanning disabled* (Outdated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
    FW: PCguard Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\blueyonder\PCguard\fws.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    svchost.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\IoctlSvc.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    I:\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.co.uk/
    uWindow Title = Windows Internet Explorer provided by Yahoo!
    mDefault_Page_URL = hxxp://www.yahoo.com
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    mSearch Page =
    uInternet Connection Wizard,ShellNext = hxxp://www.incredimail.com/page.asp?page=reg_success&lang=9&version=5252598&setup_id=7&aff_id=1&addon=IncrediMail
    uURLSearchHooks: H - No File
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\blueyonder\pcguard\pkR.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: PaltalkWebLogin: {502c3ba4-2c3e-4317-bc29-c0445e82b1f9} - c:\program files\common files\paltalk\PaltalkWebLogin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: c:\program files\blueyonder\pcguard\fbhr.dll: c:\program files\spybot - search & destroy\SDHelper.dll: {56071e0d-c61b-11d3-b41c-00e02927a304} - ZKBho Class
    BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: {B56A7D7D-6927-48C8-A975-17DF180C71AC} - No File
    BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
    BHO: 1 (0x1) - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
    TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
    mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe"
    mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [AsioReg] REGSVR32 /S CTASIO.DLL
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [CmPCIaudio] RunDll32 CMICNFG3.cpl,CMICtrlWnd
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\msi\btoes bluetooth software\btsendto_ie.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021}
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097583489610
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} - hxxp://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
    DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
    DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} - hxxp://www.telewest.co.uk/motive/files/MotivePreQual.cab
    DPF: {CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.3.1/jinstall-1_3_1_04-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\paul\applic~1\mozilla\firefox\profiles\f19tzaav.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
    FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
    FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
    FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPXPEE.dll
    FF - plugin: c:\program files\picasa2\npPicasa2.dll
    FF - plugin: h:\exe.progs\divx\divx web player\npdivx32.dll
    FF - plugin: h:\exe.progs\plugins\npqtplugin.dll
    FF - plugin: h:\exe.progs\plugins\npqtplugin2.dll
    FF - plugin: h:\exe.progs\plugins\npqtplugin3.dll
    FF - plugin: h:\k-lite codec pack\real\browser\plugins\nppl3260.dll
    FF - plugin: h:\k-lite codec pack\real\browser\plugins\nprpjplug.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

    ============= SERVICES / DRIVERS ===============

    R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [2003-8-1 29239]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-28 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-28 29584]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-28 243024]
    R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [2004-7-2 188416]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
    R2 hcw88ts;Hauppauge WinTV 88x TS Capture;c:\windows\system32\drivers\hcw88ts.sys [2004-10-13 13888]
    R3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod;c:\windows\system32\drivers\hcw88bda.sys [2004-9-28 141888]
    R3 hcw88rc5;Hauppauge WinTV 88x IR Decoder;c:\windows\system32\drivers\hcw88rc5.sys [2004-6-24 10305]
    R3 hcw88vid;Hauppauge WinTV 88x Video;c:\windows\system32\drivers\hcw88vid.sys [2004-9-28 577296]
    S2 gupdate1ca4d0117b3322a;Google Update Service (gupdate1ca4d0117b3322a);c:\program files\google\update\GoogleUpdate.exe [2009-10-14 133104]
    S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-4-17 369920]
    S3 Bthatide;Bthatide; [x]
    S3 BulkUsb;VoIPUSBDriver.sys;c:\windows\system32\drivers\VoIPUSBDriver.sys [2005-9-16 149504]
    S3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [2004-6-1 64000]
    S3 lgmcbus;LGE Mobile driver (WDM);c:\windows\system32\drivers\lgmcbus.sys [2008-11-15 83584]
    S3 lgmcmdfl;LGE Mobile USB WMC Modem Filter;c:\windows\system32\drivers\lgmcmdfl.sys [2008-11-15 14976]
    S3 lgmcmdm;LGE Mobile USB WMC Modem Driver;c:\windows\system32\drivers\lgmcmdm.sys [2008-11-15 110464]
    S3 lgmcmgmt;LGE Mobile USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\lgmcmgmt.sys [2008-11-15 104448]
    S3 lgmcnd5;LGE Mobile USB WMC Ethernet ELDA (NDIS);c:\windows\system32\drivers\lgmcnd5.sys [2008-11-15 25344]
    S3 lgmcobex;LGE Mobile USB WMC OBEX Interface;c:\windows\system32\drivers\lgmcobex.sys [2008-11-15 100480]
    S3 lgmcunic;LGE Mobile USB WMC Ethernet ELDA (WDM);c:\windows\system32\drivers\lgmcunic.sys [2008-11-15 109952]
    S3 uac4pdt;PDT USB Composite Class Filter Driver;c:\windows\system32\drivers\uac4pdt.sys [2005-11-21 15232]

    ============== File Associations ===============

    regfile=regedit.exe "%1" %*
    scrfile="%1" %*

    =============== Created Last 30 ================

    2010-10-17 15:07:07 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-17 15:07:06 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-17 15:06:57 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
    2010-10-17 09:50:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-17 09:50:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-17 09:50:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    ==================== Find3M ====================

    2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-09 13:38:01 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-09-09 13:38:01 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-09 13:38:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-09-09 13:38:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-09-08 15:57:57 389120 ----a-w- c:\windows\system32\html.iec
    2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-22 14:57:43 256 ----a-w- c:\windows\system32\pool.bin
    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2008-06-25 16:48:13 49074432 ----a-w- c:\program files\avg_free_stf_en_8_101a1327.exe
    2004-10-01 15:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe

    ============= FINISH: 15:19:49.84 ===============

    DDS Attach:

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-10-21.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/10/2004 16:03:08
    System Uptime: 24/10/2010 14:56:58 (1 hours ago)

    Motherboard: | | nVidia-nForce
    Processor: AMD Athlon(tm) XP 2000+ | Socket A | 1530/133mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 29 GiB total, 4.615 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is FIXED (NTFS) - 120 GiB total, 104.244 GiB free.
    G: is CDROM ()
    H: is FIXED (NTFS) - 153 GiB total, 18.772 GiB free.
    I: is Removable
    N: is CDROM ()
    P: is FIXED (FAT32) - 234 GiB total, 147.634 GiB free.

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Belkin Wireless 54Mbps Desktop Adapter
    Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_70001799&REV_03\4&3B1D9AB8&0&4040
    Manufacturer: Broadcom
    Name: Belkin Wireless 54Mbps Desktop Adapter
    PNP Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_70001799&REV_03\4&3B1D9AB8&0&4040
    Service: BCM43XX

    ==== System Restore Points ===================

    RP1217: 22/07/2010 18:35:58 - Avg Update
    RP1218: 25/07/2010 19:23:16 - System Checkpoint
    RP1219: 25/07/2010 19:56:57 - Installed BlackBerry Desktop Software 5.0.1.
    RP1220: 25/07/2010 20:06:33 - Installed Roxio Media Manager
    RP1221: 01/08/2010 19:14:33 - System Checkpoint
    RP1222: 02/08/2010 19:57:32 - System Checkpoint
    RP1223: 08/08/2010 10:10:37 - Software Distribution Service 3.0
    RP1224: 15/08/2010 19:29:13 - Software Distribution Service 3.0
    RP1225: 20/08/2010 21:50:59 - System Checkpoint
    RP1226: 22/08/2010 12:23:08 - Installed Java(TM) 6 Update 20
    RP1227: 08/09/2010 12:04:06 - System Checkpoint
    RP1228: 09/09/2010 09:30:41 - Avg Update
    RP1229: 10/09/2010 11:42:59 - System Checkpoint
    RP1230: 17/09/2010 12:41:54 - Software Distribution Service 3.0
    RP1231: 24/09/2010 13:19:24 - Avg Update
    RP1232: 24/09/2010 13:21:14 - Avg Update
    RP1233: 27/09/2010 20:12:37 - Installed Java(TM) 6 Update 21
    RP1234: 29/09/2010 13:35:26 - System Checkpoint
    RP1235: 29/09/2010 15:26:36 - Software Distribution Service 3.0
    RP1236: 06/10/2010 13:01:59 - Avg Update
    RP1237: 07/10/2010 13:43:37 - System Checkpoint
    RP1238: 17/10/2010 14:59:18 - System Checkpoint
    RP1239: 17/10/2010 22:28:14 - Software Distribution Service 3.0

    ==== Hosts File Hijack ======================

    Hosts: 127.0.0.1 www.spywareinfo.com

    ==== Installed Programs ======================

    AAC Decoder
    Ad-Aware SE Personal
    Adobe Acrobat 5.0
    Adobe Flash Player 10 Plugin
    Adobe Photoshop CS
    Adobe Reader 8.1.6
    Adobe® Photoshop® Album Starter Edition 3.0
    Adobe® Photoshop® Album Starter Edition 3.2
    Agent Ransack Version 1.7.3
    AllToAVI v4 r5394
    Apple Software Update
    Audio Conversion Wizard 1.4
    Authentium
    AutoUpdate
    AVG Free 9.0
    BlackBerry Desktop Software 5.0.1
    BlackBerry® Media Sync
    blueyonder PCguard
    C-Media PCI Audio
    CCleaner
    Cheetah Audio Converter
    Confidence Online(tm) for Web Applications
    ConvertXtoDVD 2.1.12
    Critical Update for Windows Media Player 11 (KB959772)
    DAEMON Tools Toolbar
    DC++ 0.667
    Diskeeper Professional Edition
    DivX Codec
    DivX Converter
    DivX Media Format Filter Build 1
    DivX Player
    DivX Plus DirectShow Filters
    DivX Plus Web Player
    DivX Version Checker
    DVD Shrink 3.2
    DVD Solution
    Eraser
    exPressit S.E. 2.1
    Felix
    GameSpy Arcade
    getPlus(R)_dll
    Google Update Helper
    H.264 Decoder
    Hauppauge WinTV Infrared Remote
    Hauppauge WinTV Scheduler
    Hauppauge WinTV2000
    HijackThis 1.99.1
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Indeo® XP Software
    InterVideo FilterSDK for Hauppauge
    Jasc Animation Shop 3
    Jasc Paint Shop Pro 9
    Jasc Paint Shop Pro 9 GDI+ Patch
    Jasc Paint Shop Pro 9.01 - (9.0.1.1)
    Jasc Paint Shop Pro 9.01 Patch
    Java 2 Runtime Environment Standard Edition v1.3.1_04
    Java Auto Updater
    Java(TM) 6 Update 21
    Java(TM) 6 Update 7
    LG MC USB Modem driver
    LG ODD Auto Firmware Update
    LG PC Suite II
    LightScribe 1.4.124.1
    LiveUpdate
    Logitech Desktop Messenger
    Logitech IM Video Companion
    Logitech® Camera Driver
    Macromedia Contribute
    Macromedia Dreamweaver MX
    Macromedia Extension Manager
    Macromedia Fireworks MX
    Macromedia Flash MX
    Macromedia Flash Player 8
    Macromedia FreeHand MX
    MadOnion.com/3DMark2001 SE
    Malwarebytes' Anti-Malware
    Map Button (Windows Live Toolbar)
    Medi@Show
    MediaKey
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft IntelliPoint 5.3
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Office XP Professional with FrontPage
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MKV Splitter
    Mozilla Firefox (3.6.10)
    Mozilla Thunderbird (2.0.0.24)
    MSXML 4.0 SP2 (KB925672)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Multimedia Launcher
    MUSICMATCH® Jukebox
    Nero 8
    neroxml
    Nokia Connectivity Cable Driver
    NVIDIA Display Driver
    NVIDIA Drivers
    NVIDIA Windows 2000/XP nForce Drivers
    OGA Notifier 2.0.0048.0
    OneCare Advisor (Windows Live Toolbar)
    OpenMG AAC Add-on Module 1.0.00
    OpenMG Limited Patch 4.5-06-05-12-01
    OpenMG Secure Module 4.5.01
    Paltalk Messenger
    PCguard
    PCguard advisor 1.3.22
    PDF Manual NW-S200 Series
    Picasa 2
    Pinnacle InstantCD/DVD Suite
    Popup Blocker (Windows Live Toolbar)
    PowerDVD
    PowerProducer
    PPSDKRedistributables
    QuickTime
    Realtek AC'97 Audio
    Roxio Media Manager
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for 2007 Microsoft Office System (KB982312)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office Outlook 2007 (KB2288953)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office Publisher 2007 (KB982124)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Windows Internet Explorer 7 (KB2183461)
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SiSoftware Sandra Lite 2005 (Win64/32/CE)
    Smart Menus (Windows Live Toolbar)
    SonicStage 4.0
    Sony Ericsson Communications Suite
    Sony Ericsson Image Editor
    Sony Ericsson MMS Home Studio
    SopCast 1.1.2
    SoulSeek Client 156c
    Spelling Dictionaries Support For Adobe Reader 8
    Spybot - Search & Destroy
    Spybot - Search & Destroy 1.5.2.20
    Symantec Network Driver Update
    System Requirements Lab
    Turbo Lister 2
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Outlook 2007 Junk Email Filter (kb2410711)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC80CRTRedist - 8.0.50727.4053
    VideoLAN VLC media player 0.8.6b
    WebFldrs XP
    WIDCOMM Bluetooth Software
    Winamp
    Windows Defender
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool
    Windows Internet Explorer 7
    Windows Live Outlook Toolbar (Windows Live Toolbar)
    Windows Live Safety scanner
    Windows Live Sign-in Assistant
    Windows Live Toolbar
    Windows Live Toolbar Extension (Windows Live Toolbar)
    Windows Live Toolbar Feed Detector (Windows Live Toolbar)
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Search 4.0
    Windows XP Service Pack 3
    WinRAR archiver
    WinZip
    Wire Pilot 1.00

    ==== Event Viewer Messages From Past Week ========

    24/10/2010 14:51:53, error: Service Control Manager [7034] - The NMIndexingService service terminated unexpectedly. It has done this 1 time(s).
    24/10/2010 14:51:52, error: Service Control Manager [7034] - The PLFlash DeviceIoControl Service service terminated unexpectedly. It has done this 1 time(s).
    24/10/2010 14:51:52, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    24/10/2010 14:51:52, error: Service Control Manager [7034] - The Nero BackItUp Scheduler 3 service terminated unexpectedly. It has done this 1 time(s).
    24/10/2010 14:51:52, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    24/10/2010 14:51:52, error: Service Control Manager [7034] - The dvpapi service terminated unexpectedly. It has done this 1 time(s).
    24/10/2010 14:51:50, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    24/10/2010 14:51:49, error: Service Control Manager [7034] - The PCguard Firewall service terminated unexpectedly. It has done this 1 time(s).
    17/10/2010 22:32:52, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Search service to connect.
    17/10/2010 22:32:52, error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    17/10/2010 10:49:07, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.
    17/10/2010 10:47:05, error: nvidesm [9] - The device, \Device\Scsi\nvidesm1, did not respond within the timeout period.

    ==== End Of File ===========================

    Bootkit Remover:
    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    ATA_Read(): DeviceIoControl() ERROR 1
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...

    CONT'D
     
  4. Paulski1

    Paulski1 TS Rookie Topic Starter

    CONT FROM PREVIOUS POST:

    Combofix Log:
    ComboFix 10-10-24.06 - Paul 25/10/2010 21:20:38.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.513 [GMT 1:00]
    Running from: I:\cf.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: PCguard Anti-Virus *On-access scanning disabled* (Outdated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
    FW: PCguard Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\driver

    Infected copy of c:\windows\system32\drivers\tcpip.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_uac4pdt
    -------\Service_uac4pdt


    ((((((((((((((((((((((((( Files Created from 2010-09-25 to 2010-10-25 )))))))))))))))))))))))))))))))
    .

    2010-10-17 15:07 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-17 15:07 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-17 15:06 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
    2010-10-17 09:50 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-17 09:50 . 2010-10-17 09:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-17 09:50 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 11:23 . 2003-03-31 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2003-03-31 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2003-03-31 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2003-03-31 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-15 03:50 . 2010-08-22 11:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-15 01:29 . 2007-12-30 16:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-09-09 13:38 . 2003-03-31 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-09-09 13:38 . 2003-03-31 12:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-09 13:38 . 2004-10-12 12:10 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-09-09 13:38 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-09-08 15:57 . 2004-10-12 12:10 389120 ----a-w- c:\windows\system32\html.iec
    2010-09-01 11:51 . 2003-03-31 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2003-03-31 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2003-03-31 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2003-03-31 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-04-16 19:18 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2003-03-31 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:45 . 2003-03-31 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2008-06-25 16:48 . 2008-06-25 16:48 49074432 ----a-w- c:\program files\avg_free_stf_en_8_101a1327.exe
    2004-10-01 15:00 . 2007-05-26 16:39 40960 ----a-w- c:\program files\Uninstall_CDS.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2010-02-23 13:04 1664256 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
    "RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-06 2067808]
    "BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-19 623960]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-07-16 09:42 12536 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoStart IR.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoStart IR.lnk
    backup=c:\windows\pss\AutoStart IR.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger Agent.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger Agent.lnk
    backup=c:\windows\pss\Logitech Desktop Messenger Agent.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Paul^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\documents and settings\Paul\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-10-15 01:04 39792 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    2005-04-04 14:11 16384 ----a-w- c:\windows\CTHELPER.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
    2008-12-29 10:40 687560 ----a-w- h:\exe.progs\DAEMON Tools Lite\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
    2005-04-12 10:11 229376 -c--a-w- c:\program files\lg_fwupdate\fwupdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
    2008-02-18 16:29 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2008-04-28 16:14 570664 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2006-10-22 11:22 7700480 ----a-w- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 15:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
    2006-05-08 04:17 81920 ----a-w- c:\progra~1\Sony\SONICS~1\SSAAD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2008-06-10 03:27 144784 -c--a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    2008-08-03 23:02 36352 ----a-w- c:\program files\Winamp\winampa.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2005\\sandra.exe"=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2005\\RpcSandraSrv.exe"=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2005\\RpcDataSrv.exe"=
    "c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "h:\\exe.progs\\Soulseek\\slsk.exe"=
    "h:\\exe.progs\\BitLord\\BitLord.exe"=
    "h:\\exe.progs\\SopCast\\SopCast.exe"=
    "c:\\Documents and Settings\\Paul\\Application Data\\SopCast\\adv\\SopAdver.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "h:\\exe.progs\\Thunderbird\\thunderbird.exe"=

    R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [01/08/2003 15:47 29239]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [28/07/2008 21:23 216400]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [28/07/2008 21:23 243024]
    R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [02/07/2004 09:44 188416]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [16/07/2010 10:42 308136]
    R2 hcw88ts;Hauppauge WinTV 88x TS Capture;c:\windows\system32\drivers\hcw88ts.sys [13/10/2004 13:30 13888]
    R3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod;c:\windows\system32\drivers\hcw88bda.sys [28/09/2004 01:10 141888]
    R3 hcw88rc5;Hauppauge WinTV 88x IR Decoder;c:\windows\system32\drivers\hcw88rc5.sys [24/06/2004 11:02 10305]
    R3 hcw88vid;Hauppauge WinTV 88x Video;c:\windows\system32\drivers\hcw88vid.sys [28/09/2004 01:09 577296]
    S2 gupdate1ca4d0117b3322a;Google Update Service (gupdate1ca4d0117b3322a);c:\program files\Google\Update\GoogleUpdate.exe [14/10/2009 20:03 133104]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 20:19 13592]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [17/04/2010 22:05 369920]
    S3 Bthatide;Bthatide; [x]
    S3 BulkUsb;VoIPUSBDriver.sys;c:\windows\system32\drivers\VoIPUSBDriver.sys [16/09/2005 16:14 149504]
    S3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [01/06/2004 13:41 64000]
    S3 lgmcbus;LGE Mobile driver (WDM);c:\windows\system32\drivers\lgmcbus.sys [15/11/2008 17:57 83584]
    S3 lgmcmdfl;LGE Mobile USB WMC Modem Filter;c:\windows\system32\drivers\lgmcmdfl.sys [15/11/2008 17:57 14976]
    S3 lgmcmdm;LGE Mobile USB WMC Modem Driver;c:\windows\system32\drivers\lgmcmdm.sys [15/11/2008 17:57 110464]
    S3 lgmcmgmt;LGE Mobile USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\lgmcmgmt.sys [15/11/2008 17:57 104448]
    S3 lgmcnd5;LGE Mobile USB WMC Ethernet ELDA (NDIS);c:\windows\system32\drivers\lgmcnd5.sys [15/11/2008 17:57 25344]
    S3 lgmcobex;LGE Mobile USB WMC OBEX Interface;c:\windows\system32\drivers\lgmcobex.sys [15/11/2008 17:57 100480]
    S3 lgmcunic;LGE Mobile USB WMC Ethernet ELDA (WDM);c:\windows\system32\drivers\lgmcunic.sys [15/11/2008 17:57 109952]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [01/06/2009 19:53 717296]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-06-17 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-06-11 14:57]

    2010-10-24 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

    2010-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cabd38f710e229.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-14 19:03]

    2010-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-14 19:03]

    2010-10-25 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = hxxp://www.incredimail.com/page.asp?page=reg_success&lang=9&version=5252598&setup_id=7&aff_id=1&addon=IncrediMail
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
    FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\f19tzaav.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
    FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
    FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
    FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPXPEE.dll
    FF - plugin: c:\program files\Picasa2\npPicasa2.dll
    FF - plugin: h:\exe.progs\Plugins\npqtplugin.dll
    FF - plugin: h:\exe.progs\Plugins\npqtplugin2.dll
    FF - plugin: h:\exe.progs\Plugins\npqtplugin3.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-AsioReg - CTASIO.DLL
    HKLM-Run-CmPCIaudio - CMICNFG3.cpl
    MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
    AddRemove-GameSpy Arcade - i:\progra~1\GAMESP~1\UNWISE.EXE



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-10-25 21:34
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3960)
    c:\windows\system32\WININET.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\btncopy.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\blueyonder\PCguard\fws.exe
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\Common Files\Command Software\dvpapi.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\IoctlSvc.exe
    c:\windows\system32\SearchIndexer.exe
    c:\program files\Windows Media Player\WMPNetwk.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\system32\RunDll32.exe
    c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-25 21:40:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-25 20:40

    Pre-Run: 5,119,598,592 bytes free
    Post-Run: 5,116,977,152 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    - - End Of File - - 6C20A0C3EDED61F2A3F82DC346EE258B
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    A few things to discuss here:

    1. False Positive: Host File Hijack> Hosts: 127.0.0.1 www.spywareinfo.com
    See this for explanation: http://www.pctools.com/forum/showthread.php?t=55852

    2. You have 2 antivirus programs running: This makes the system more vulnerable.
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
    AV: PCguard Anti-Virus *On-access scanning disabled* (Outdated)
    FW: PCguard Firewall *enabled*

    Even if it's outdated, it's still loading. Please remove one of these AV programs.

    I don't know if you can use the PCTools FW separately.

    3. About this: I can't run as Admin as no password (inherited pc with no such thing as passwords)!
    You are going to be limited in what you can do as some features and functions require the Administrative account. You need to reset the OS to have that account available, even if you have to reformat/reinstall.

    4. Please Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    I'll wait until I see the log from the Eset scan before I write script to run through Combofix.
     
  6. Paulski1

    Paulski1 TS Rookie Topic Starter

    Hi,

    The PCGuard was originally provided by my ISP. I've tried several times to get this removed, but it keeps failing to uninstall - why I don't know, but it's a right pain in the @rse :mad:

    As for Administrator privileges etc I know the issues around not having this, but again, I have no discs etc. When my dad upgraded and gave me this, he didn't keep track of the Windows disk. Looked everywhere for it, as thought a complete format/re-install may be the only way out. The only other way I can think of doing this would be maybe to switch to LINUX? If I can't get rid of this virus without Admin privileges, that may be the only other option I have....

    I'll run ESET tonight when I get home as I'm at work at the moment and post the results later.

    Thanks
     
  7. Paulski1

    Paulski1 TS Rookie Topic Starter

    Hi again,

    Here is the ESET log file:

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=a247ecd8a60c364587d22d3d41bc5bcc
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-10-29 07:29:00
    # local_time=2010-10-29 08:29:00 (+0000, GMT Daylight Time)
    # country="United Kingdom"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=1024 16777191 100 0 16836955 16836955 0 0
    # compatibility_mode=6143 16777215 0 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 188 188 0 0
    # scanned=145683
    # found=3
    # cleaned=0
    # scan_time=5486
    C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\tcpip.sys.vir Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{A3BA6E80-23E8-4658-B048-CCA215816FE2}\RP1240\A0192977.sys Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
    H:\exe.progs\nero 8\Nero-8.3.2.1b_eng_trial.exe Win32/Toolbar.AskSBar application 00000000000000000000000000000000 I


    Thanks
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Files 
      H:\exe.progs\nero 8\Nero-8.3.2.1b_eng_trial.exe 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =======================================
    Before I write script to run in Combofix, I want to ask about these executables loading from the H drive, with Firewall Permissions. All are file sharing programs.
    "h:\\exe.progs\\Soulseek\\slsk.exe"= >>> Trojan Dllhost EXPLOIT and/or a file sharing app
    "h:\\exe.progs\\BitLord\\BitLord.exe"= >>> P2P
    "h:\\exe.progs\\SopCast\\SopCast.exe"= >>> P2P for TV & Video
    "c:\\Documents and Settings\\Paul\\Application Data\\SopCast\\adv\\SopAdver.exe"= >>P2P
    "h:\\exe.progs\\Thunderbird\\thunderbird.exe"=
    I know this is Mozilla email, but don't understand the entry

    P2P- File Sharing Warning
    I recommend that you uninstall these P2P programs for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    I find slsk.exe identified as Trojan Dllhost EXPLOIT, but on another reference site I find it's a file sharing application. BitLord of course is also P2P.
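    A defender-side version of the check made in this post, written here as an added example (it is not code from the page, ComboFix or any other tool): it parses the firewall-policy section in the ComboFix layout quoted above from a constructed sample, flags firewall exceptions that load from outside the system drive's Windows/Program Files trees or from under a user profile, and reports the EnableFirewall value (0 in this log, where PCguard rather than the Windows Firewall is the active firewall). The trusted-root policy and the %windir% expansion are assumptions of the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of the ComboFix "Reg Loading Points" section
# posted in this thread; it is a shortened stand-in, not the full log.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"h:\\exe.progs\\Soulseek\\slsk.exe"=
"c:\\Documents and Settings\\Paul\\Application Data\\SopCast\\adv\\SopAdver.exe"=

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [01/08/2003 15:47 29239]
"""

# Hypothetical policy used by this example: the Windows and Program Files trees
# on the system drive are expected locations; anything else deserves a look.
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files")
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\application data\\")

AUTHORIZED_HEADER = re.compile(r"^\[.*\\AuthorizedApplications\\List\]$", re.I)
ENTRY = re.compile(r'^"(.+)"=\s*$')
ENABLE_FW = re.compile(r'^"EnableFirewall"=\s*(\d+)', re.I)


def windows_firewall_enabled(log: str) -> bool:
    """True unless the standard profile carries EnableFirewall = 0."""
    for line in log.splitlines():
        m = ENABLE_FW.match(line.strip())
        if m:
            return m.group(1) != "0"
    return True  # no explicit value printed: ComboFix only lists non-default entries


def authorized_applications(log: str) -> List[str]:
    """Return the unescaped paths listed under AuthorizedApplications\\List."""
    paths: List[str] = []
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if AUTHORIZED_HEADER.match(line):
            in_section = True
            continue
        if in_section:
            if not line:  # a blank line ends the section in ComboFix output
                break
            m = ENTRY.match(line)
            if m:
                # ComboFix prints registry-escaped paths with doubled backslashes
                paths.append(m.group(1).replace("\\\\", "\\"))
    return paths


def expand(path: str) -> str:
    # %windir% on a stock XP install; an assumption of this example
    return path.lower().replace("%windir%", r"c:\windows")


def flag_path(path: str) -> str:
    """Return a short reason when a firewall exception looks unusual, else ''."""
    p = expand(path)
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        return "under a user profile (user-writable location)"
    if not p.startswith(TRUSTED_ROOTS):
        return "outside the system drive's Windows/Program Files trees"
    return ""


def review_firewall_policy(log: str) -> Dict[str, object]:
    """Summarise the firewall state and the exceptions worth asking about."""
    flagged: List[Tuple[str, str]] = []
    for path in authorized_applications(log):
        reason = flag_path(path)
        if reason:
            flagged.append((path, reason))
    return {
        "windows_firewall_enabled": windows_firewall_enabled(log),
        "authorized": authorized_applications(log),
        "flagged": flagged,
    }


if __name__ == "__main__":
    result = review_firewall_policy(SAMPLE_LOG)
    print("Windows Firewall enabled:", result["windows_firewall_enabled"])
    for path, reason in result["flagged"]:
        print(f"  {path}  <- {reason}")
```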
     
  9. Paulski1

    Paulski1 TS Rookie Topic Starter

    Hi - sorry for taking my time getting back to you - kids!

    Here's the MoveIt log:

    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    H:\exe.progs\nero 8\Nero-8.3.2.1b_eng_trial.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Bob
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 65748 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: Paul
    ->Temp folder emptied: 272255 bytes
    ->Temporary Internet Files folder emptied: 214736 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 18002792 bytes
    ->Flash cache emptied: 456 bytes

    User: Tracy
    ->Temp folder emptied: 1429 bytes
    ->Temporary Internet Files folder emptied: 164172 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 15671825 bytes
    ->Flash cache emptied: 611 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 1476133 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 34.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 11042010_190601

    Files moved on Reboot...

    Registry entries deleted on Reboot...

    Have removed Soulseek & Sop cast, although couldn't find c:\\docs&settings\\Paul\\Application data\\SopCast\\adv\\Sopadver.exe?

    I've kept BitLord, but warning heeded. I still can't get rid of the PCGuard Anti Virus programme - keep getting an "error - access denied" message.

    Awaiting further instructions :)
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, I think I found all the PCGuard entries. When you run the script below, be sure the AV is disabled. After you run the script, if PCGuard still shows in the Combofix header, I can remove it. We're almost done!

    Please run this Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    c:\program files\blueyonder\PCguard\fws.exe
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"=-
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger Agent.lnk]
    path=-
    backup=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=-
    "h:\\exe.progs\\Soulseek\\slsk.exe"=-
    "h:\\exe.progs\\SopCast\\SopCast.exe"=-
    "c:\\Documents and Settings\\Paul\\Application Data\\SopCast\\adv\\SopAdver.exe"=-
    
    DDS::
    mSearch Page =
    uURLSearchHooks: H - No File
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
    BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\blueyonder\pcguard\pkR.dll
    BHO: c:\program files\blueyonder\pcguard\fbhr.dll: c:\program files\spybot - search & destroy\SDHelper.dll: {56071e0d-c61b-11d3-b41c-00e02927a304} - ZKBho Class
    BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
    BHO: {B56A7D7D-6927-48C8-A975-17DF180C71AC} - No File
    BHO: 1 (0x1) - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021}
    DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
    DPF: {CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.3.1/jinstall-1_3_1_04-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    
    Driver::
    Bthatide
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
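    A CFScript like the one above is a list of things ComboFix will delete or reset, so it is worth reading every path and key before dragging it onto ComboFix. As an added example (not code from this thread, from ComboFix, or from OldTimer's tools), here is a small Python parser for the section format shown (KillAll::, File::, Registry::, DDS::, Driver::), run over a sample script constructed from the entries posted above. It reports the files and drivers listed for removal, the registry values marked for deletion (the .reg-file convention where "=-" after a value name means delete it), and the DDS entries that point at a file that no longer exists ("No File"), which are the orphaned BHO/toolbar entries the helper is cleaning up.

```python
import re

# Constructed sample: a shortened copy of the CFScript posted in this thread.
SAMPLE_SCRIPT = r"""
KillAll::
File::
c:\program files\blueyonder\PCguard\fws.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=-
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger Agent.lnk]
path=-
backup=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=-
"h:\\exe.progs\\Soulseek\\slsk.exe"=-
"h:\\exe.progs\\SopCast\\SopCast.exe"=-
"c:\\Documents and Settings\\Paul\\Application Data\\SopCast\\adv\\SopAdver.exe"=-

DDS::
mSearch Page =
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\blueyonder\pcguard\pkR.dll
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB

Driver::
Bthatide
"""

SECTION_RE = re.compile(r'^([A-Za-z]+)::$')        # e.g. "Registry::"
REG_KEY_RE = re.compile(r'^\[(.+)\]$')             # e.g. "[HKLM\~\...]"
REG_DEL_RE = re.compile(r'^"?([^"=]+)"?=-$')       # "name"=-  or  name=-


def parse_cfscript(text):
    """Split a CFScript into {section_name: [non-empty lines]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])   # keep empty sections such as KillAll::
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def registry_deletions(lines):
    """Return (key, value_name) pairs marked for deletion with '=-' under their key."""
    out = []
    key = None
    for line in lines:
        km = REG_KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        dm = REG_DEL_RE.match(line)
        if dm and key is not None:
            out.append((key, dm.group(1)))
    return out


def orphaned_dds_entries(lines):
    """DDS lines ending in 'No File' reference a CLSID whose DLL is missing."""
    return [line for line in lines if line.endswith('No File')]


def audit(text):
    """Summarise everything the script would touch, for review before running it."""
    s = parse_cfscript(text)
    return {
        'kill_all': 'KillAll' in s,
        'files': s.get('File', []),
        'drivers': s.get('Driver', []),
        'registry_deletions': registry_deletions(s.get('Registry', [])),
        'orphaned_dds': orphaned_dds_entries(s.get('DDS', [])),
    }


if __name__ == '__main__':
    report = audit(SAMPLE_SCRIPT)
    print('Kills running processes first:', report['kill_all'])
    for path in report['files']:
        print('remove file:', path)
    for drv in report['drivers']:
        print('remove driver:', drv)
    for key, name in report['registry_deletions']:
        print(f'delete value {name!r} under {key}')
    for entry in report['orphaned_dds']:
        print('orphaned entry:', entry)
```

    Running it prints one line per file, driver, registry value and orphaned DDS entry, which makes it easy to spot a path that should not be there (for example a legitimate program in the firewall's AuthorizedApplications list) before ComboFix acts on it.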
     
  11. Paulski1

    Paulski1 TS Rookie Topic Starter

    Hi there,

    Got a problem running ComboFix. It asked me to uninstall AVG as it said it would cause errors etc. so I tried to uninstall AVG, and guess what - It won't uninstall properly :mad: Why can't people just make stuff that does what it's supposed to do!

    So now, I have no AV at all as AVG won't work but won't uninstall, so I can't run ComboFix either as that still recognises AVG as being present!

    Any ideas would be welcome!

    Thanks
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Open your browser> Click on File> Check 'Work Offline.' You can stay offline to do this since both AVG and Combofix are already on the system.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    To temporarily disable AVG:
    In AVG Anti-Virus, the main module (Resident Shield) is typically the only component that needs to be temporarily disabled.


    • [1]Right-click on the "Resident Shield" icon located on the right side of the taskbar, then select "Open AVG User Interface."
      [2]Double-click on "Resident Shield" in the middle of the AVG User Interface window. As an alternative, click on "Tools," then "Advanced Settings," and then select "Resident Shield."
      [3]Uncheck "Resident Shield Active" under the Resident Shield settings section, then click "Save Changes." This will disable the Resident Shield but keep the Email Scanner and other virus protection features active.
      Reboot the computer back in to Normal Mode.

      Let me know if you have more trouble. By the way, doesn't Combofix say to 'disable' AVG instead of 'uninstall'?
     
  13. Paulski1

    Paulski1 TS Rookie Topic Starter

    Hi,

    Booting into safe mode is no help - still get the same error message when running Combofix: Combofix cannot run when AVG is installed. This is due to AVGs targeting of ComboFix's files/processes. It would be dangerous to continue. Please uninstall AVG or use another tool.

    Unfortunately, as stated before, I now can't uninstall or even re-install AVG - to put it bluntly, it's shagged! It doesn't appear as a usable program (won't launch etc), so tried to re-install it, and I now get an error when trying to do this: Error. Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\Current Version\Windows: creating registry key.... Access is denied.

    I know this is probably stupid, but what has NT got to do with anything? I'm running XP Pro?!?

    Seem to be stuck in some sort of loop here which is getting quite depressing :(
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, do this: Right click on combofix.exe on the desktop> Choose Rename> change to paulsrun.exe

    Now try the scan.
     
  15. Paulski1

    Paulski1 TS Rookie Topic Starter

    Hi there,

    No joy again I'm afraid same message. Although this time it did try launching a dos window, but it just disappeared and nothing happened.

    Left it for around 10mins in case, but nothing. :(

    I've even re-downloaded it in case I'd done something to the original Combofix programme, but this just gives the same message.

    Sorry - I know this must be getting rather frustrating for you too! Thanks for all your help so far - much appreciated.
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    When you rename Combofix, AVG shouldn't recognize it! AVG must have added something in a recent update. I'm helping someone else who is getting the same message. He ended up uninstalling AVG and running Combofix offline.

    I don't know what "shagged" means. If you want to try doing this offline and removing AVG in the meantime:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    While in Safe Mode, disable all the AVG processes and uninstall it. To protect yourself while doing the scan, click on File> check 'Work offline' first.
     
  17. Paulski1

    Paulski1 TS Rookie Topic Starter

    Hi,

    Sorry - "shagged" is a euphemism for not working!

    I've tried uninstalling AVG, but can't get rid of it. I've seen something called Perfect Uninstaller which claims to be able to forcibly remove AVG - have you ever heard of this? Had a look on the net and appears to be genuine.

    Other than that, do you know of any good reliable uninstallers that can forcibly remove AVG? The situation I am in at the moment is that AVG won't run, but is still active somewhere in the background so is stopping ComboFix. I can't launch AVG to shutdown Resident Shield, can't Uninstall AVG and can't re-install AVG to try and fix whatever issue there currently is with it!

    Without knowing every process AVG is running, I can't "kill" anything via task manager either.

    Thanks
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    What has probably happened is that its uninstaller has become corrupt. I use the Windows Installer Cleanup Utility to remove entry problems like this: http://support.microsoft.com/default.aspx?scid=kb;en-us;290301

    Before you do this, you should get another AV downloaded: Use either one of these for now:
    Both of the following programs are free and known to be good:
    Avira Free
    Avast Home

    Download the Windows Uninstaller first, then either of the new AV programs. Once done, go to the Work Offline mode through File> Work Offline.
    Boot into Safe Mode and run the Uninstaller, removing any and all AVG files.
    Then double click to run the new AV.
    Reboot into Normal Mode and check for updates.

    You will need to disable the AV to run Combofix, but it shouldn't be a problem.
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Closed due to inactivity. Please PM your helper if you need this thread reopened.
     