Inactive Google redirect issue


Paulski1

Hi all,

I have somehow managed to contract some form of virus that is constantly sending Google searches to random search sites and advertising sites. I have checked for TDSS etc., but cannot find anything.

Steps taken so far:
Ran Kaspersky TDSS Killer: nothing found
Ran MBAM (after figuring out I needed to rename the file): several trojans (!) found and removed; now clean (log attached)
Ran AVG: nothing found
Ran TFC

Below are the logs for MBAM and GMER. I'm really hoping someone can spot something and tell me how to get rid of this bloody thing.

I've also got the DDS logs and a HijackThis log if needed. Thanks for looking.

MBAM Log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4934

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

24/10/2010 16:04:38
mbam-log-2010-10-24 (16-04-38).txt

Scan type: Quick scan
Objects scanned: 172376
Time elapsed: 29 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER Log:
GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-24 15:15:53
Windows 5.1.2600 Service Pack 3
Running: tm873jk0.exe; Driver: C:\DOCUME~1\Paul\LOCALS~1\Temp\pxtdipow.sys


---- System - GMER 1.0.15 ----

SSDT spgr.sys ZwCreateKey [0xF764F0E0]
SSDT spgr.sys ZwEnumerateKey [0xF766DCA2]
SSDT spgr.sys ZwEnumerateValueKey [0xF766E030]
SSDT spgr.sys ZwOpenKey [0xF764F0C0]
SSDT spgr.sys ZwQueryKey [0xF766E108]
SSDT spgr.sys ZwQueryValueKey [0xF766DF88]
SSDT spgr.sys ZwSetValueKey [0xF766E19A]

INT 0x63 ? 87605F00
INT 0x73 ? 87605F00
INT 0x83 ? 877DABF8

Code 87474778 ZwSetSystemInformation

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ZwSetSystemInformation 805A7C5F 5 Bytes JMP 8747477C
? spgr.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F67848AC 5 Bytes JMP 876054E0
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF6162360, 0x24BB1D, 0xE8000020]
.text a05wqehq.SYS ED43B386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text a05wqehq.SYS ED43B3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a05wqehq.SYS ED43B3C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text a05wqehq.SYS ED43B3C9 1 Byte [2E]
.text a05wqehq.SYS ED43B3C9 11 Bytes [2E, 00, 00, 00, 5C, 02, 00, ...] {ADD CS:[EAX], AL; ADD [EDX+EAX+0x0], BL; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[3700] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 877DA2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7680C4C] spgr.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7680CA0] spgr.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7650040] spgr.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F765013C] spgr.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F76500BE] spgr.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F76507FC] spgr.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F76506D2] spgr.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 876055E0
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7660048] spgr.sys
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!RtlInitUnicodeString] 2266E852
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!swprintf] 478B0000
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!KeSetEvent] 50016A40
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoCreateSymbolicLink] 1CAC8E8D
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoGetConfigurationInformation] E8510000
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] 00002254
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!MmFreeMappingAddress] 6A18538B
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 868D5200
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 00001C98
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!MmUnmapIoSpace] 2242E850
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 4B8B0000
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IofCompleteRequest] 51016A18
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 1CB4968D
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IofCallDriver] E8520000
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!MmAllocateMappingAddress] 00002230
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 8A05478A
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoConnectInterrupt] 001CBB8E
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoDetachDevice] 30C48300
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!KeWaitForSingleObject] 1CBD8688
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!KeInitializeEvent] 80E90000
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!KeCancelTimer] C6000000
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 001CBB86
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!RtlInitAnsiString] 438B0100
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 8E8D5018
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoQueueWorkItem] 00001C90
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!MmMapIoSpace] 2202E851
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 538B0000
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoReportDetectedDevice] 52016A18
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoReportResourceForDetection] 1CAC868D
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] E8500000
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!NlsMbCodePageTag] 000021F0
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!PoRequestPowerIrp] 8A05478A
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 001CBB8E
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] 18C48300
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!sprintf] 1CBD8688
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 43EB0000
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!ObfDereferenceObject] 320C538A
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 88F93BC0
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 001CBB96
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!ZwClose] [F6317300] \SystemRoot\System32\DRIVERS\nv4_mini.sys (NVIDIA Compatible Windows 2000 Miniport Driver, Version 93.71 /NVIDIA Corporation)
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] 74070647
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] 75C0841A
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] 05578A0B
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!PoStartNextPowerIrp] 968801B0
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoCreateDevice] 00001CBD
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 57B60F66
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 533B6604
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 03087408
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!ZwOpenKey] 72F93B3F
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!RtlFreeUnicodeString] 8A09EBDA
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoStartTimer] 86880547
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!KeInitializeTimer] 00001CBD
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoInitializeTimer] 88084B8A
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!KeInitializeDpc] 001CBE8E
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!KeInitializeSpinLock] 40578B00
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoInitializeIrp] 8D52006A
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!ZwCreateKey] 001CC086
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 81E85000
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 8B000021
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!ZwSetValueKey] 001CB88E
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!KeInsertQueueDpc] BC968B00
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 8900001C
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoStartPacket] 001CC48E
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] C8968900
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 8B00001C
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoFreeMdl] 016A4047
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!MmUnlockPages] CCC68150
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 5600001C
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 002157E8
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 18C48300
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 5D5B5E5F
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!KeSynchronizeExecution] CCCCCCC3
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoStartNextPacket] CCCCCCCC
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!KeBugCheckEx] CCCCCCCC
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] CCCCCCCC
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!KeSetTimer] 8BEC8B55
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!_allmul] 00C73445
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!MmProbeAndLockPages] 00000000
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!_except_handler3] 830C458B
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!PoSetPowerState] C0840CEC
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 053C0D74
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 57B80974
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!RtlDeleteRegistryValue] 8B000000
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!_aulldiv] 56C35DE5
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!strstr] 8D08758B
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!_strupr] 8D51FC4D
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!KeQuerySystemTime] 8D52FD55
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 8D51FE4D
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!KeTickCount] 8D52FF55
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 8D51F84D
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoDeleteDevice] 5052F455
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] EACAE856
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoAllocateWorkItem] C483FFFF
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoAllocateIrp] 0FC08520
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoAllocateMdl] 0001AD85
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 46B70F00
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!MmLockPagableDataSection] F44D8B48
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] C1815753
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 00002590
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!ExFreePoolWithTag] 467C8D51
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoFreeIrp] 7622E84A
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!IoFreeWorkItem] D88BFFFF
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!InitSafeBootMode] 8504C483
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!RtlCompareMemory] 5F0A75DB
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!PoCallDriver] 5B08438D
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!memmove] 5DE58B5E
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[ntoskrnl.exe!MmHighestUserAddress] 259068C3
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[HAL.dll!KfAcquireSpinLock] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[HAL.dll!READ_PORT_UCHAR] 8D3F0304
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[HAL.dll!KeGetCurrentIrql] CB033043
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[HAL.dll!KfRaiseIrql] 0673C13B
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[HAL.dll!KfLowerIrql] C13B0003
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[HAL.dll!HalGetInterruptVector] 8366FA72
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[HAL.dll!HalTranslateBusAddress] 75000E7B
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[HAL.dll!KeStallExecutionProcessor] 0B7D80E3
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[HAL.dll!KfReleaseSpinLock] 307B8D00
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00AA840F
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 6A000E7A
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[HAL.dll!WRITE_PORT_UCHAR] C6647400
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[WMILIB.SYS!WmiSystemControl] 4F8B0200
IAT \SystemRoot\System32\Drivers\a05wqehq.SYS[WMILIB.SYS!WmiCompleteRequest] 968D5140

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8776A1F8
Device \FileSystem\Fastfat \FatCdrom 87432500
Device \Driver\USBSTOR \Device\0000008e 86B9D500
Device \Driver\USBSTOR \Device\0000008f 86B9D500

AttachedDevice \Driver\Tcpip \Device\Ip FreeTdi.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbohci \Device\USBPDO-0 875FB500
Device \Driver\usbohci \Device\USBPDO-1 875FB500
Device \Driver\dmio \Device\DmControl\DmIoDaemon 877D81F8
Device \Driver\dmio \Device\DmControl\DmConfig 877D81F8
Device \Driver\dmio \Device\DmControl\DmPnP 877D81F8
Device \Driver\dmio \Device\DmControl\DmInfo 877D81F8
Device \Driver\usbehci \Device\USBPDO-2 876921F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{2FF799CD-EF64-40EA-8A7B-A912B8C95AEC} 874CB500

AttachedDevice \Driver\Tcpip \Device\Tcp FreeTdi.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\dmio \Device\HarddiskDmVolumes\PhysicalDmVolumes\RawVolume1 877D81F8
Device \Driver\dmio \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume1 877D81F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8776D1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8776D1F8
Device \Driver\Cdrom \Device\CdRom0 875811F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8776D1F8
Device \Driver\Cdrom \Device\CdRom1 875811F8
Device \Driver\Cdrom \Device\CdRom2 875811F8
Device \Driver\Cdrom \Device\CdRom3 875811F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 874CB500
Device \Driver\NetBT \Device\NetbiosSmb 874CB500

AttachedDevice \Driver\Tcpip \Device\Udp FreeTdi.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp FreeTdi.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\PCI_PNP7630 \Device\0000005e spgr.sys
Device \Driver\usbohci \Device\USBFDO-0 875FB500
Device \Driver\usbohci \Device\USBFDO-1 875FB500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 87142500
Device \Driver\usbehci \Device\USBFDO-2 876921F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{9EF5A04E-EFE2-4C28-A60B-1B752F6B0BFD} 874CB500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 87142500
Device \Driver\Ftdisk \Device\FtControl 8776D1F8
Device \Driver\USBSTOR \Device\0000008c 86B9D500
Device \Driver\nvidesm -> DriverStartIo \Device\Scsi\nvidesm1 87040AEA
Device \Driver\nvidesm \Device\Scsi\nvidesm1 877D71F8
Device \Driver\VOBID \Device\Scsi\VOBID1Port1Path0Target0Lun0 8776B1F8
Device \Driver\nvidesm -> DriverStartIo \Device\Scsi\nvidesm1Port0Path1Target1Lun0 87040AEA
Device \Driver\nvidesm \Device\Scsi\nvidesm1Port0Path1Target1Lun0 877D71F8
Device \Driver\VOBID \Device\Scsi\VOBID1 8776B1F8
Device \Driver\a05wqehq \Device\Scsi\a05wqehq1Port2Path0Target0Lun0 87165500
Device \Driver\a05wqehq \Device\Scsi\a05wqehq1 87165500
Device \Driver\nvidesm -> DriverStartIo \Device\Scsi\nvidesm1Port0Path0Target1Lun0 87040AEA
Device \Driver\nvidesm \Device\Scsi\nvidesm1Port0Path0Target1Lun0 877D71F8
Device \Driver\nvidesm -> DriverStartIo \Device\Scsi\nvidesm1Port0Path1Target0Lun0 87040AEA
Device \Driver\nvidesm \Device\Scsi\nvidesm1Port0Path1Target0Lun0 877D71F8
Device \Driver\sptd \Device\1426898880 spgr.sys
Device \Driver\USBSTOR \Device\0000008d 86B9D500
Device \FileSystem\Fastfat \Fat 87432500

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 87441500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00081be0099d
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00081be0099d@001f6b7a958c 0xA8 0xF8 0xC9 0xE6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00081be0099d@00233ae01e3c 0x12 0x6B 0x81 0x8B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00081be0099d@001317726fa3 0xC7 0x93 0xF1 0x62 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000ea13124a8
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 H:\exe.progs\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xD9 0xE5 0x49 0xB6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x26 0x33 0x55 0x53 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x5A 0x71 0xFB 0x82 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00081be0099d (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00081be0099d@001f6b7a958c 0xA8 0xF8 0xC9 0xE6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00081be0099d@00233ae01e3c 0x12 0x6B 0x81 0x8B ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00081be0099d@001317726fa3 0xC7 0x93 0xF1 0x62 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000ea13124a8 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 H:\exe.progs\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xD9 0xE5 0x49 0xB6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x26 0x33 0x55 0x53 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x5A 0x71 0xFB 0x82 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{6802E635-CB18-F544-790D-700BAC51E508}\AutoConvertTo@ {00020907-0000-0000-C000-000000000046}
Reg HKLM\SOFTWARE\Classes\CLSID\{6802E635-CB18-F544-790D-700BAC51E508}\DefaultIcon@ C:\PROGRA~1\MICROS~2\Office10\WINWORD.EXE,1
Reg HKLM\SOFTWARE\Classes\CLSID\{6802E635-CB18-F544-790D-700BAC51E508}\Insertable@
Reg HKLM\SOFTWARE\Classes\CLSID\{6802E635-CB18-F544-790D-700BAC51E508}\NotInsertable@
Reg HKLM\SOFTWARE\Classes\CLSID\{6802E635-CB18-F544-790D-700BAC51E508}\ProgId@ Word.Picture.6
Reg HKLM\SOFTWARE\Classes\CLSID\{6802E635-CB18-F544-790D-700BAC51E508}\TreatAs@ {00020906-0000-0000-C000-000000000046}

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 06: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 312581552 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----
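The GMER log above is the part of this post worth reading closely. Every SSDT and IAT hook it names is attributed to spgr.sys, and the Devices and Registry sections tie that file to the \Driver\sptd device object and to the DAEMON Tools Lite install path, while the Disk sectors section flags the MBR and several other sectors without naming any driver. The script below is an added example for this thread, not a tool from the original post or from the GMER project: it parses a constructed excerpt of the posted log, groups hooks by the driver that owns them, links sptd to its driver file and install path, and separates out the hooks and disk-sector findings that nothing in the log accounts for. The statement that SPTD-owned hooks are expected for a virtual-drive product is general knowledge about SPTD, not something GMER prints; the SCSIPORT line is included as an instance of a hook GMER could not attribute.

```python
"""Triage helper for a GMER rootkit-scan log (added example, not part of GMER)."""
import re
from collections import Counter

# Constructed excerpt of the GMER log posted above (representative lines only).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT spgr.sys ZwCreateKey [0xF764F0E0]
SSDT spgr.sys ZwOpenKey [0xF764F0C0]
SSDT spgr.sys ZwSetValueKey [0xF766E19A]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 877DA2D8
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7650040] spgr.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F76506D2] spgr.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7660048] spgr.sys

---- Devices - GMER 1.0.15 ----

Device \Driver\sptd \Device\1426898880 spgr.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 H:\exe.progs\DAEMON Tools Lite\

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 312581552 (+255): rootkit-like behavior;
"""

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\w+)")
IAT_RE = re.compile(r"^IAT\s+(\S+?)\[([^\]]+)\]\s+\[?([0-9A-Fa-f]+)\]?(?:\s+(\S+))?")
SPTD_DEV_RE = re.compile(r"^Device\s+\\Driver\\sptd\s+\S+\s+(\S+)")
SPTD_PATH_RE = re.compile(r"^Reg\s+\S*\\Services\\sptd\\Cfg\\\S+@p0\s+(.+?)\s*$")
DISK_RE = re.compile(r"^Disk\s+\S+\s+sectors?\s+(\d+)(?:\s+\(([^)]+)\))?:\s+(.+?);?\s*$")


def triage(log_text):
    """Summarise hooks by owning driver and pull out findings no driver explains."""
    hooks_by_driver = Counter()
    unattributed = []
    sptd_driver = sptd_path = None
    flagged_sectors = []
    mbr_flagged = False

    for line in log_text.splitlines():
        line = line.strip()
        if m := SSDT_RE.match(line):
            hooks_by_driver[m.group(1)] += 1        # driver that replaced the SSDT entry
        elif m := IAT_RE.match(line):
            victim, imported, addr, owner = m.groups()
            if owner:
                hooks_by_driver[owner] += 1
            else:                                   # GMER could not name the hooking module
                unattributed.append(f"{victim} -> {imported} @ {addr}")
        elif m := SPTD_DEV_RE.match(line):
            sptd_driver = m.group(1)                # file backing the \Driver\sptd device object
        elif m := SPTD_PATH_RE.match(line):
            sptd_path = m.group(1)                  # product that installed SPTD (from its Cfg key)
        elif m := DISK_RE.match(line):
            sector, qualifier, finding = int(m.group(1)), m.group(2), m.group(3)
            if "rootkit-like" in finding:
                flagged_sectors.append(sector)
                if sector == 0 or qualifier == "MBR":
                    mbr_flagged = True

    verdict = []
    if sptd_driver and hooks_by_driver.get(sptd_driver):
        verdict.append(
            f"{hooks_by_driver[sptd_driver]} SSDT/IAT hooks belong to {sptd_driver}, which backs "
            f"the \\Driver\\sptd device object (SPTD installed with {sptd_path}); expected for "
            "that product and not evidence of malware by themselves")
    if unattributed:
        verdict.append(f"{len(unattributed)} hook(s) GMER could not attribute: {unattributed}")
    if mbr_flagged:
        verdict.append(
            "MBR (sector 0) reported as rootkit-like and no driver in the log accounts for it: "
            "treat as a possible bootkit; read sector 0 from clean boot media and compare")
    return {
        "sptd_driver": sptd_driver,
        "sptd_install_path": sptd_path,
        "hooks_by_driver": dict(hooks_by_driver),
        "unattributed_hooks": unattributed,
        "mbr_flagged": mbr_flagged,
        "flagged_sectors": flagged_sectors,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG)["verdict"]:
        print("-", item)
```

Run against the full log it would do the same grouping for the a05wqehq.SYS entries, whose IAT addresses are not attributed to any module and would land in the unattributed list for manual follow-up; the disk-sector lines remain the finding that the helper reply below addresses with Bootkit Remover.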
 
Please include the 2 logs from DDS.

This is what we ask for in the preliminary scans: Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply .

Please run this: Download Bootkit Remover and save it to your Desktop.
  1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right-click on remover.exe and click Run As Administrator).
  3. You will see a Black screen with some data on it.
  4. Right click on the screen and click Select All.
  5. Press CTRL+C to Copy
  6. Open a Notepad and press CTRL+V to Paste.
  7. Include the report in your next post.
Credits to Broni
=======================================
Then download ComboFix from Here and save it to your Desktop.

  1. Do NOT rename ComboFix unless instructed.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double-click combofix.exe and follow the prompts to run.
     NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If ComboFix asks you to install the Recovery Console, please allow it.
  6. If ComboFix asks you to update the program, always allow it.
     Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
  7. A report will be generated after the scan. Please paste C:\ComboFix.txt in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with ComboFix.
=======================================================
So you've done half. I need the 2 DDS logs, the Bootkit Remover log and the ComboFix report. You can use multiple posts to paste in the logs. A note: gathering programs from around the internet to try and fix unknown malware is risky at best. So far, I see no reason for TDSS to have been run. I don't want HJT now; it is most likely an old version.

Important!
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Hi Bobbye,

Thanks for replying. I've attached the requested logs below; this is going to be a long post! The only issue I have is Bootkit Remover. I can't run it as Admin as there is no password (inherited PC with no such thing as passwords)! I have attached what I got, but don't know if it is of any use...

DDS Text:
DDS (Ver_10-10-21.02) - NTFSx86
Run by Paul at 15:17:01.73 on 24/10/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.354 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: PCguard Anti-Virus *On-access scanning disabled* (Outdated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: PCguard Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\blueyonder\PCguard\fws.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
svchost.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
I:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uWindow Title = Windows Internet Explorer provided by Yahoo!
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
mSearch Page =
uInternet Connection Wizard,ShellNext = hxxp://www.incredimail.com/page.asp?page=reg_success&lang=9&version=5252598&setup_id=7&aff_id=1&addon=IncrediMail
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\blueyonder\pcguard\pkR.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: PaltalkWebLogin: {502c3ba4-2c3e-4317-bc29-c0445e82b1f9} - c:\program files\common files\paltalk\PaltalkWebLogin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: c:\program files\blueyonder\pcguard\fbhr.dll: c:\program files\spybot - search & destroy\SDHelper.dll: {56071e0d-c61b-11d3-b41c-00e02927a304} - ZKBho Class
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: {B56A7D7D-6927-48C8-A975-17DF180C71AC} - No File
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AsioReg] REGSVR32 /S CTASIO.DLL
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [CmPCIaudio] RunDll32 CMICNFG3.cpl,CMICtrlWnd
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\msi\btoes bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097583489610
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} - hxxp://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} - hxxp://www.telewest.co.uk/motive/files/MotivePreQual.cab
DPF: {CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.3.1/jinstall-1_3_1_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\paul\applic~1\mozilla\firefox\profiles\f19tzaav.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPXPEE.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: h:\exe.progs\divx\divx web player\npdivx32.dll
FF - plugin: h:\exe.progs\plugins\npqtplugin.dll
FF - plugin: h:\exe.progs\plugins\npqtplugin2.dll
FF - plugin: h:\exe.progs\plugins\npqtplugin3.dll
FF - plugin: h:\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: h:\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [2003-8-1 29239]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-28 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-28 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-28 243024]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [2004-7-2 188416]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
R2 hcw88ts;Hauppauge WinTV 88x TS Capture;c:\windows\system32\drivers\hcw88ts.sys [2004-10-13 13888]
R3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod;c:\windows\system32\drivers\hcw88bda.sys [2004-9-28 141888]
R3 hcw88rc5;Hauppauge WinTV 88x IR Decoder;c:\windows\system32\drivers\hcw88rc5.sys [2004-6-24 10305]
R3 hcw88vid;Hauppauge WinTV 88x Video;c:\windows\system32\drivers\hcw88vid.sys [2004-9-28 577296]
S2 gupdate1ca4d0117b3322a;Google Update Service (gupdate1ca4d0117b3322a);c:\program files\google\update\GoogleUpdate.exe [2009-10-14 133104]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-4-17 369920]
S3 Bthatide;Bthatide; [x]
S3 BulkUsb;VoIPUSBDriver.sys;c:\windows\system32\drivers\VoIPUSBDriver.sys [2005-9-16 149504]
S3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [2004-6-1 64000]
S3 lgmcbus;LGE Mobile driver (WDM);c:\windows\system32\drivers\lgmcbus.sys [2008-11-15 83584]
S3 lgmcmdfl;LGE Mobile USB WMC Modem Filter;c:\windows\system32\drivers\lgmcmdfl.sys [2008-11-15 14976]
S3 lgmcmdm;LGE Mobile USB WMC Modem Driver;c:\windows\system32\drivers\lgmcmdm.sys [2008-11-15 110464]
S3 lgmcmgmt;LGE Mobile USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\lgmcmgmt.sys [2008-11-15 104448]
S3 lgmcnd5;LGE Mobile USB WMC Ethernet ELDA (NDIS);c:\windows\system32\drivers\lgmcnd5.sys [2008-11-15 25344]
S3 lgmcobex;LGE Mobile USB WMC OBEX Interface;c:\windows\system32\drivers\lgmcobex.sys [2008-11-15 100480]
S3 lgmcunic;LGE Mobile USB WMC Ethernet ELDA (WDM);c:\windows\system32\drivers\lgmcunic.sys [2008-11-15 109952]
S3 uac4pdt;PDT USB Composite Class Filter Driver;c:\windows\system32\drivers\uac4pdt.sys [2005-11-21 15232]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2010-10-17 15:07:07 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-17 15:07:06 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-17 15:06:57 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-17 09:50:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-17 09:50:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-17 09:50:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38:01 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38:01 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 15:57:57 389120 ----a-w- c:\windows\system32\html.iec
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-22 14:57:43 256 ----a-w- c:\windows\system32\pool.bin
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2008-06-25 16:48:13 49074432 ----a-w- c:\program files\avg_free_stf_en_8_101a1327.exe
2004-10-01 15:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe

============= FINISH: 15:19:49.84 ===============

DDS Attach:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-21.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/10/2004 16:03:08
System Uptime: 24/10/2010 14:56:58 (1 hours ago)

Motherboard: | | nVidia-nForce
Processor: AMD Athlon(tm) XP 2000+ | Socket A | 1530/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 29 GiB total, 4.615 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 120 GiB total, 104.244 GiB free.
G: is CDROM ()
H: is FIXED (NTFS) - 153 GiB total, 18.772 GiB free.
I: is Removable
N: is CDROM ()
P: is FIXED (FAT32) - 234 GiB total, 147.634 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Belkin Wireless 54Mbps Desktop Adapter
Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_70001799&REV_03\4&3B1D9AB8&0&4040
Manufacturer: Broadcom
Name: Belkin Wireless 54Mbps Desktop Adapter
PNP Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_70001799&REV_03\4&3B1D9AB8&0&4040
Service: BCM43XX

==== System Restore Points ===================

RP1217: 22/07/2010 18:35:58 - Avg Update
RP1218: 25/07/2010 19:23:16 - System Checkpoint
RP1219: 25/07/2010 19:56:57 - Installed BlackBerry Desktop Software 5.0.1.
RP1220: 25/07/2010 20:06:33 - Installed Roxio Media Manager
RP1221: 01/08/2010 19:14:33 - System Checkpoint
RP1222: 02/08/2010 19:57:32 - System Checkpoint
RP1223: 08/08/2010 10:10:37 - Software Distribution Service 3.0
RP1224: 15/08/2010 19:29:13 - Software Distribution Service 3.0
RP1225: 20/08/2010 21:50:59 - System Checkpoint
RP1226: 22/08/2010 12:23:08 - Installed Java(TM) 6 Update 20
RP1227: 08/09/2010 12:04:06 - System Checkpoint
RP1228: 09/09/2010 09:30:41 - Avg Update
RP1229: 10/09/2010 11:42:59 - System Checkpoint
RP1230: 17/09/2010 12:41:54 - Software Distribution Service 3.0
RP1231: 24/09/2010 13:19:24 - Avg Update
RP1232: 24/09/2010 13:21:14 - Avg Update
RP1233: 27/09/2010 20:12:37 - Installed Java(TM) 6 Update 21
RP1234: 29/09/2010 13:35:26 - System Checkpoint
RP1235: 29/09/2010 15:26:36 - Software Distribution Service 3.0
RP1236: 06/10/2010 13:01:59 - Avg Update
RP1237: 07/10/2010 13:43:37 - System Checkpoint
RP1238: 17/10/2010 14:59:18 - System Checkpoint
RP1239: 17/10/2010 22:28:14 - Software Distribution Service 3.0

==== Hosts File Hijack ======================

Hosts: 127.0.0.1 www.spywareinfo.com

==== Installed Programs ======================

AAC Decoder
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player 10 Plugin
Adobe Photoshop CS
Adobe Reader 8.1.6
Adobe® Photoshop® Album Starter Edition 3.0
Adobe® Photoshop® Album Starter Edition 3.2
Agent Ransack Version 1.7.3
AllToAVI v4 r5394
Apple Software Update
Audio Conversion Wizard 1.4
Authentium
AutoUpdate
AVG Free 9.0
BlackBerry Desktop Software 5.0.1
BlackBerry® Media Sync
blueyonder PCguard
C-Media PCI Audio
CCleaner
Cheetah Audio Converter
Confidence Online(tm) for Web Applications
ConvertXtoDVD 2.1.12
Critical Update for Windows Media Player 11 (KB959772)
DAEMON Tools Toolbar
DC++ 0.667
Diskeeper Professional Edition
DivX Codec
DivX Converter
DivX Media Format Filter Build 1
DivX Player
DivX Plus DirectShow Filters
DivX Plus Web Player
DivX Version Checker
DVD Shrink 3.2
DVD Solution
Eraser
exPressit S.E. 2.1
Felix
GameSpy Arcade
getPlus(R)_dll
Google Update Helper
H.264 Decoder
Hauppauge WinTV Infrared Remote
Hauppauge WinTV Scheduler
Hauppauge WinTV2000
HijackThis 1.99.1
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Indeo® XP Software
InterVideo FilterSDK for Hauppauge
Jasc Animation Shop 3
Jasc Paint Shop Pro 9
Jasc Paint Shop Pro 9 GDI+ Patch
Jasc Paint Shop Pro 9.01 - (9.0.1.1)
Jasc Paint Shop Pro 9.01 Patch
Java 2 Runtime Environment Standard Edition v1.3.1_04
Java Auto Updater
Java(TM) 6 Update 21
Java(TM) 6 Update 7
LG MC USB Modem driver
LG ODD Auto Firmware Update
LG PC Suite II
LightScribe 1.4.124.1
LiveUpdate
Logitech Desktop Messenger
Logitech IM Video Companion
Logitech® Camera Driver
Macromedia Contribute
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks MX
Macromedia Flash MX
Macromedia Flash Player 8
Macromedia FreeHand MX
MadOnion.com/3DMark2001 SE
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
Medi@Show
MediaKey
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 5.3
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office XP Professional with FrontPage
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MKV Splitter
Mozilla Firefox (3.6.10)
Mozilla Thunderbird (2.0.0.24)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Multimedia Launcher
MUSICMATCH® Jukebox
Nero 8
neroxml
Nokia Connectivity Cable Driver
NVIDIA Display Driver
NVIDIA Drivers
NVIDIA Windows 2000/XP nForce Drivers
OGA Notifier 2.0.0048.0
OneCare Advisor (Windows Live Toolbar)
OpenMG AAC Add-on Module 1.0.00
OpenMG Limited Patch 4.5-06-05-12-01
OpenMG Secure Module 4.5.01
Paltalk Messenger
PCguard
PCguard advisor 1.3.22
PDF Manual NW-S200 Series
Picasa 2
Pinnacle InstantCD/DVD Suite
Popup Blocker (Windows Live Toolbar)
PowerDVD
PowerProducer
PPSDKRedistributables
QuickTime
Realtek AC'97 Audio
Roxio Media Manager
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB2288953)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SiSoftware Sandra Lite 2005 (Win64/32/CE)
Smart Menus (Windows Live Toolbar)
SonicStage 4.0
Sony Ericsson Communications Suite
Sony Ericsson Image Editor
Sony Ericsson MMS Home Studio
SopCast 1.1.2
SoulSeek Client 156c
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Symantec Network Driver Update
System Requirements Lab
Turbo Lister 2
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb2410711)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
VideoLAN VLC media player 0.8.6b
WebFldrs XP
WIDCOMM Bluetooth Software
Winamp
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool
Windows Internet Explorer 7
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Safety scanner
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinRAR archiver
WinZip
Wire Pilot 1.00

==== Event Viewer Messages From Past Week ========

24/10/2010 14:51:53, error: Service Control Manager [7034] - The NMIndexingService service terminated unexpectedly. It has done this 1 time(s).
24/10/2010 14:51:52, error: Service Control Manager [7034] - The PLFlash DeviceIoControl Service service terminated unexpectedly. It has done this 1 time(s).
24/10/2010 14:51:52, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
24/10/2010 14:51:52, error: Service Control Manager [7034] - The Nero BackItUp Scheduler 3 service terminated unexpectedly. It has done this 1 time(s).
24/10/2010 14:51:52, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
24/10/2010 14:51:52, error: Service Control Manager [7034] - The dvpapi service terminated unexpectedly. It has done this 1 time(s).
24/10/2010 14:51:50, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
24/10/2010 14:51:49, error: Service Control Manager [7034] - The PCguard Firewall service terminated unexpectedly. It has done this 1 time(s).
17/10/2010 22:32:52, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Search service to connect.
17/10/2010 22:32:52, error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
17/10/2010 10:49:07, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.
17/10/2010 10:47:05, error: nvidesm [9] - The device, \Device\Scsi\nvidesm1, did not respond within the timeout period.

==== End Of File ===========================

Bootkit Remover:
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
ATA_Read(): DeviceIoControl() ERROR 1
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...

CONT'D
 
CONT FROM PREVIOUS POST:

Combofix Log:
ComboFix 10-10-24.06 - Paul 25/10/2010 21:20:38.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.513 [GMT 1:00]
Running from: I:\cf.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: PCguard Anti-Virus *On-access scanning disabled* (Outdated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: PCguard Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\driver

Infected copy of c:\windows\system32\drivers\tcpip.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_uac4pdt
-------\Service_uac4pdt


((((((((((((((((((((((((( Files Created from 2010-09-25 to 2010-10-25 )))))))))))))))))))))))))))))))
.

2010-10-17 15:07 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-17 15:07 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-17 15:06 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-17 09:50 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-17 09:50 . 2010-10-17 09:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-17 09:50 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 11:23 . 2003-03-31 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2003-03-31 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2003-03-31 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2003-03-31 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 03:50 . 2010-08-22 11:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 01:29 . 2007-12-30 16:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-09 13:38 . 2003-03-31 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2003-03-31 12:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2004-10-12 12:10 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 15:57 . 2004-10-12 12:10 389120 ----a-w- c:\windows\system32\html.iec
2010-09-01 11:51 . 2003-03-31 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2003-03-31 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2003-03-31 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2003-03-31 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-16 19:18 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2003-03-31 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2003-03-31 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2008-06-25 16:48 . 2008-06-25 16:48 49074432 ----a-w- c:\program files\avg_free_stf_en_8_101a1327.exe
2004-10-01 15:00 . 2007-05-26 16:39 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-02-23 13:04 1664256 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-06 2067808]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-19 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-16 09:42 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoStart IR.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoStart IR.lnk
backup=c:\windows\pss\AutoStart IR.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger Agent.lnk
backup=c:\windows\pss\Logitech Desktop Messenger Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Paul^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Paul\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 01:04 39792 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2005-04-04 14:11 16384 ----a-w- c:\windows\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-12-29 10:40 687560 ----a-w- h:\exe.progs\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
2005-04-12 10:11 229376 -c--a-w- c:\program files\lg_fwupdate\fwupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2008-02-18 16:29 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-04-28 16:14 570664 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-10-22 11:22 7700480 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
2006-05-08 04:17 81920 ----a-w- c:\progra~1\Sony\SONICS~1\SSAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 03:27 144784 -c--a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-08-03 23:02 36352 ----a-w- c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2005\\sandra.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2005\\RpcSandraSrv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2005\\RpcDataSrv.exe"=
"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"h:\\exe.progs\\Soulseek\\slsk.exe"=
"h:\\exe.progs\\BitLord\\BitLord.exe"=
"h:\\exe.progs\\SopCast\\SopCast.exe"=
"c:\\Documents and Settings\\Paul\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"h:\\exe.progs\\Thunderbird\\thunderbird.exe"=

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [01/08/2003 15:47 29239]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [28/07/2008 21:23 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [28/07/2008 21:23 243024]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [02/07/2004 09:44 188416]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [16/07/2010 10:42 308136]
R2 hcw88ts;Hauppauge WinTV 88x TS Capture;c:\windows\system32\drivers\hcw88ts.sys [13/10/2004 13:30 13888]
R3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod;c:\windows\system32\drivers\hcw88bda.sys [28/09/2004 01:10 141888]
R3 hcw88rc5;Hauppauge WinTV 88x IR Decoder;c:\windows\system32\drivers\hcw88rc5.sys [24/06/2004 11:02 10305]
R3 hcw88vid;Hauppauge WinTV 88x Video;c:\windows\system32\drivers\hcw88vid.sys [28/09/2004 01:09 577296]
S2 gupdate1ca4d0117b3322a;Google Update Service (gupdate1ca4d0117b3322a);c:\program files\Google\Update\GoogleUpdate.exe [14/10/2009 20:03 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 20:19 13592]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [17/04/2010 22:05 369920]
S3 Bthatide;Bthatide; [x]
S3 BulkUsb;VoIPUSBDriver.sys;c:\windows\system32\drivers\VoIPUSBDriver.sys [16/09/2005 16:14 149504]
S3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [01/06/2004 13:41 64000]
S3 lgmcbus;LGE Mobile driver (WDM);c:\windows\system32\drivers\lgmcbus.sys [15/11/2008 17:57 83584]
S3 lgmcmdfl;LGE Mobile USB WMC Modem Filter;c:\windows\system32\drivers\lgmcmdfl.sys [15/11/2008 17:57 14976]
S3 lgmcmdm;LGE Mobile USB WMC Modem Driver;c:\windows\system32\drivers\lgmcmdm.sys [15/11/2008 17:57 110464]
S3 lgmcmgmt;LGE Mobile USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\lgmcmgmt.sys [15/11/2008 17:57 104448]
S3 lgmcnd5;LGE Mobile USB WMC Ethernet ELDA (NDIS);c:\windows\system32\drivers\lgmcnd5.sys [15/11/2008 17:57 25344]
S3 lgmcobex;LGE Mobile USB WMC OBEX Interface;c:\windows\system32\drivers\lgmcobex.sys [15/11/2008 17:57 100480]
S3 lgmcunic;LGE Mobile USB WMC Ethernet ELDA (WDM);c:\windows\system32\drivers\lgmcunic.sys [15/11/2008 17:57 109952]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [01/06/2009 19:53 717296]
.
Contents of the 'Scheduled Tasks' folder

2009-06-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-06-11 14:57]

2010-10-24 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2010-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cabd38f710e229.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-14 19:03]

2010-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-14 19:03]

2010-10-25 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.incredimail.com/page.asp?page=reg_success&lang=9&version=5252598&setup_id=7&aff_id=1&addon=IncrediMail
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\f19tzaav.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:eek:fficial
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPXPEE.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: h:\exe.progs\Plugins\npqtplugin.dll
FF - plugin: h:\exe.progs\Plugins\npqtplugin2.dll
FF - plugin: h:\exe.progs\Plugins\npqtplugin3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AsioReg - CTASIO.DLL
HKLM-Run-CmPCIaudio - CMICNFG3.cpl
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
AddRemove-GameSpy Arcade - i:\progra~1\GAMESP~1\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-25 21:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3960)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\blueyonder\PCguard\fws.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Command Software\dvpapi.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\RunDll32.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2010-10-25 21:40:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-25 20:40

Pre-Run: 5,119,598,592 bytes free
Post-Run: 5,116,977,152 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 6C20A0C3EDED61F2A3F82DC346EE258B
 
A few things to discuss here:

1. False Positive: Host File Hijack> Hosts: 127.0.0.1 www.spywareinfo.com
See this for explanation: http://www.pctools.com/forum/showthread.php?t=55852

2. You have 2 antivirus programs running: This makes the system more vulnerable.
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: PCguard Anti-Virus *On-access scanning disabled* (Outdated)
FW: PCguard Firewall *enabled*

Even if it's outdated, it's still loading. Please remove one of these AV programs.

I don't know if you can use the PCTools FW separately.

3. About this: I can't run as Admin as no password (inherited pc with no such thing as passwords)!
You are going to be limited in what you can do as some features and functions require the Administrative account. You need to reset the OS to have that account available, even if you have to reformat/reinstall.

4. Please Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

I'll wait until I see the log from the Eset scan before I write script to run through Combofix.
 
Hi,

The PCGuard was originally provided by my ISP. I've tried several times to get this removed, but it keeps failing to uninstall - why I don't know, but it's a right pain in the @rse :mad:

As for Administrator privileges etc. I know the issues around not having this, but again, I have no discs etc. When my dad upgraded and gave me this, he didn't keep track of the Windows disk. Looked everywhere for it, as I thought a complete format/re-install may be the only way out. The only other way I can think of doing this would be maybe to switch to LINUX? If I can't get rid of this virus without Admin privileges, that may be the only other option I have....

I'll run ESET tonight when I get home as I'm at work at the moment and post the results later.

Thanks
 
Hi again,

Here is the ESET log file:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=a247ecd8a60c364587d22d3d41bc5bcc
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-29 07:29:00
# local_time=2010-10-29 08:29:00 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777191 100 0 16836955 16836955 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 188 188 0 0
# scanned=145683
# found=3
# cleaned=0
# scan_time=5486
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\tcpip.sys.vir Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{A3BA6E80-23E8-4658-B048-CCA215816FE2}\RP1240\A0192977.sys Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
H:\exe.progs\nero 8\Nero-8.3.2.1b_eng_trial.exe Win32/Toolbar.AskSBar application 00000000000000000000000000000000 I


Thanks
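A triage pass over ESET Online Scanner output of the kind posted above, as an added example that is not part of the original thread and not an ESET or ComboFix tool. The log format assumed here is the one visible in the post: "# key=value" header lines followed by one detection per line ("<path> <threat name> <32-hex hash> <flag>"), with the threat name taken to be a family name plus a one-word type (an assumption; ESET also prefixes names with "a variant of" or "probably", which the pattern allows). The sample log is constructed from the three lines above. The point it makes: all three hits are a ComboFix quarantine copy (the .vir file is the infected tcpip.sys that was already replaced), a copy inside a System Restore point, and a bundled Ask toolbar inside a trial installer; none is a live file, and cleaned=0 is expected because "Remove found threats" was deliberately left unchecked.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the ESET Online Scanner log posted above.
SAMPLE_LOG = r"""
# found=3
# cleaned=0
# remove_checked=false
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\tcpip.sys.vir Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{A3BA6E80-23E8-4658-B048-CCA215816FE2}\RP1240\A0192977.sys Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
H:\exe.progs\nero 8\Nero-8.3.2.1b_eng_trial.exe Win32/Toolbar.AskSBar application 00000000000000000000000000000000 I
"""

# Assumption: threat name = optional ESET prefix + family + one type word.
# Paths may contain spaces, so the lazy path group only stops where a threat
# name followed by a 32-hex hash can be matched.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<threat>(?:a variant of |probably )?\S+ "
    r"(?:trojan|virus|worm|backdoor|adware|application|potentially unwanted application))\s+"
    r"(?P<hash>[0-9a-fA-F]{32})\s+(?P<flag>\S+)$"
)
HEADER_RE = re.compile(r"^#\s*(\w+)=(.*)$")


@dataclass
class Detection:
    path: str
    threat: str
    category: str


def categorize(path: str, threat: str) -> str:
    """Decide whether a detection points at something still live on disk."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        # ComboFix quarantine: the .vir copy is the file that was already replaced.
        return "quarantined"
    if "\\system volume information\\_restore" in p:
        # Inside a System Restore point: inert unless that point is restored.
        return "restore-point"
    if threat.split()[-1] == "application":
        # ESET's "application" type: bundled toolbar / PUA, not a rootkit component.
        return "unwanted-application"
    return "active"


def parse_eset_log(text: str):
    """Split the log into its header dictionary and a list of Detection records."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            header[h.group(1)] = h.group(2)
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(
                Detection(m["path"], m["threat"], categorize(m["path"], m["threat"]))
            )
    return header, detections


def triage(text: str) -> dict:
    """Group detections by what still needs action versus what is already neutralised."""
    header, dets = parse_eset_log(text)
    found = int(header.get("found", len(dets)))
    if found != len(dets):
        raise ValueError(f"header says found={found} but parsed {len(dets)} detections")
    summary = {"active": [], "unwanted-application": [], "quarantined": [], "restore-point": []}
    for d in dets:
        summary[d.category].append(d.path)
    # remove_checked=false means the scanner was told not to clean, so cleaned=0
    # is expected and is not evidence that removal failed.
    summary["cleaned_by_scanner"] = header.get("remove_checked", "").lower() == "true"
    return summary


if __name__ == "__main__":
    for category, paths in triage(SAMPLE_LOG).items():
        print(f"{category}: {paths}")
```

Quarantined and restore-point copies are not harmless forever: once the machine is confirmed clean, the ComboFix quarantine should be purged and the old restore points flushed so a later restore cannot bring the infected driver back.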
 
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Files 
    H:\exe.progs\nero 8\Nero-8.3.2.1b_eng_trial.exe 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=======================================
Before I write script to run in Combofix, I want to ask about these executables loading from the H drive, with Firewall Permissions. All are file sharing programs.
"h:\\exe.progs\\Soulseek\\slsk.exe"= >>> Trojan Dllhost EXPLOIT and/or a file sharing app
"h:\\exe.progs\\BitLord\\BitLord.exe"= >>> P2P
"h:\\exe.progs\\SopCast\\SopCast.exe"= >>> P2P for TV & Video
"c:\\Documents and Settings\\Paul\\Application Data\\SopCast\\adv\\SopAdver.exe"= >>P2P
"h:\\exe.progs\\Thunderbird\\thunderbird.exe"=
I know this is Mozilla email, but don't understand the entry

P2P- File Sharing Warning
I recommend that you uninstall these P2P programs for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.

I find slsk.exe identified as Trojan Dllhost EXPLOIT, but on another reference site I find it's a File sharing application. BitLord of course is also P2P
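A quick audit of the ComboFix firewall-policy dump discussed above, as an added example that is not part of the original thread and not a ComboFix feature. It parses a section constructed from the lines in the log (the "[HKLM\~\...\firewallpolicy\standardprofile]" values and the "AuthorizedApplications\List" entries, with ComboFix's doubled backslashes) and flags each exception by where the executable lives rather than by what it is: a non-system drive, a location outside Windows or Program Files, or a user-profile directory such as Application Data that anything running as the user can write to. It also reads EnableFirewall, which the log shows as 0 for the standard profile. Assumptions: %windir% is c:\windows and the system drive is c:, as the log's own paths indicate. Because the heuristic only looks at location, a legitimate program installed on H: (the Thunderbird entry, for instance) is flagged as well and still needs a human decision.

```python
import re

# Constructed sample in the layout of the ComboFix "firewallpolicy" section above.
SAMPLE_SECTION = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"h:\\exe.progs\\Soulseek\\slsk.exe"=
"h:\\exe.progs\\BitLord\\BitLord.exe"=
"h:\\exe.progs\\SopCast\\SopCast.exe"=
"c:\\Documents and Settings\\Paul\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"h:\\exe.progs\\Thunderbird\\thunderbird.exe"=
"""

SYSTEM_DRIVE = "c:"                      # assumption, taken from the log's paths
ENV = {"%windir%": r"c:\windows"}        # assumption, taken from the log's paths
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files")

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>\w+)"=\s*(?P<value>\d+)')
APP_RE = re.compile(r'^"(?P<path>[^"]+)"=\s*$')


def normalize(raw: str) -> str:
    """Undo ComboFix's backslash doubling, lower-case, expand the variables we know."""
    p = raw.replace("\\\\", "\\").lower()
    for var, val in ENV.items():
        p = p.replace(var.lower(), val)
    return p


def flags_for(raw_path: str) -> list:
    """Location-based risk flags for one authorized-application path."""
    p = normalize(raw_path)
    flags = []
    if not p.startswith(SYSTEM_DRIVE):
        flags.append("non-system drive")
    elif not p.startswith(TRUSTED_ROOTS):
        flags.append("outside Windows/Program Files")
    if "\\application data\\" in p:
        flags.append("user profile (writable without admin rights)")
    return flags


def audit(text: str) -> dict:
    """Return the standard-profile firewall state and every exception with its flags."""
    section = ""
    result = {"firewall_enabled": None, "exceptions": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        s = SECTION_RE.match(line)
        if s:
            section = s["key"].lower()
            continue
        if section.endswith("\\standardprofile"):
            v = VALUE_RE.match(line)
            if v and v["name"] == "EnableFirewall":
                result["firewall_enabled"] = v["value"] != "0"
        elif section.endswith("\\authorizedapplications\\list"):
            a = APP_RE.match(line)
            if a:
                result["exceptions"].append(
                    {"path": normalize(a["path"]), "flags": flags_for(a["path"])}
                )
    return result


def suspicious(text: str) -> list:
    """Paths that carry at least one flag, in the order they appear in the dump."""
    return [e["path"] for e in audit(text)["exceptions"] if e["flags"]]


if __name__ == "__main__":
    report = audit(SAMPLE_SECTION)
    print("Windows Firewall enabled (standard profile):", report["firewall_enabled"])
    for e in report["exceptions"]:
        print(e["path"], "->", ", ".join(e["flags"]) or "ok")
```

EnableFirewall=0 here is consistent with the ComboFix header, which shows the PCguard firewall enabled in its place; the exception list still matters because it survives the third-party firewall and is what Windows Firewall would honour if it were turned back on.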
 
Hi - sorry for taking my time getting back to you - kids!

Here's the MoveIt log:

All processes killed
========== PROCESSES ==========
========== FILES ==========
H:\exe.progs\nero 8\Nero-8.3.2.1b_eng_trial.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Bob
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Paul
->Temp folder emptied: 272255 bytes
->Temporary Internet Files folder emptied: 214736 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 18002792 bytes
->Flash cache emptied: 456 bytes

User: Tracy
->Temp folder emptied: 1429 bytes
->Temporary Internet Files folder emptied: 164172 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 15671825 bytes
->Flash cache emptied: 611 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1476133 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 34.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 11042010_190601

Files moved on Reboot...

Registry entries deleted on Reboot...

Have removed Soulseek & SopCast, although couldn't find c:\\docs&settings\\Paul\\Application data\\SopCast\\adv\\Sopadver.exe?

I've kept BitLord, but warning heeded. I still can't get rid of the PCGuard Anti Virus programme - keep getting an "error - access denied" message.

Awaiting further instructions :)
 
Okay, I think I found all the PCGuard entries. When you run the script below, be sure the AV is disabled. After you run the script, if PCGuard still shows in the Combofix header, I can remove it. We're almost done!

Please run this Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
KillAll::
File::
c:\program files\blueyonder\PCguard\fws.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=-
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger Agent.lnk]
path=-
backup=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=-
"h:\\exe.progs\\Soulseek\\slsk.exe"=-
"h:\\exe.progs\\SopCast\\SopCast.exe"=-
"c:\\Documents and Settings\\Paul\\Application Data\\SopCast\\adv\\SopAdver.exe"=-

DDS::
mSearch Page =
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\blueyonder\pcguard\pkR.dll
BHO: c:\program files\blueyonder\pcguard\fbhr.dll: c:\program files\spybot - search & destroy\SDHelper.dll: {56071e0d-c61b-11d3-b41c-00e02927a304} - ZKBho Class
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
BHO: {B56A7D7D-6927-48C8-A975-17DF180C71AC} - No File
BHO: 1 (0x1) - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021}
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.3.1/jinstall-1_3_1_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

Driver::
Bthatide
Save this as CFScript.txt, in the same location as ComboFix.exe
(image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe)


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
 
Hi there,

Got a problem running ComboFix. It asked me to uninstall AVG as it said it would cause errors etc., so I tried to uninstall AVG, and guess what - it won't uninstall properly :mad: Why can't people just make stuff that does what it's supposed to do!

So now, I have no AV at all as AVG won't work but won't uninstall, so I can't run ComboFix either as that still recognises AVG as being present!

Any ideas would be welcome!

Thanks
 
Open your browser> Click on File> Check 'Work Offline.' You can stay offline to do this since both AVG and Combofix are already on the system.

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
To temporarily disable AVG:
In AVG Anti-Virus, the main module (Resident Shield) is typically the only component that needs to be temporarily disabled.


  • [1]Right-click on the "Resident Shield" icon located on the right side of the taskbar, then select "Open AVG User Interface."
    (image: AVG_Anti_Virus_Free_Edition-86223.png, showing the AVG User Interface)

    [2]Double-click on "Resident Shield" in the middle of the AVG User Interface window. As an alternative, click on "Tools," then "Advanced Settings," and then select "Resident Shield."
    [3]Uncheck "Resident Shield Active" under the Resident Shield settings section, then click "Save Changes." This will disable the Resident Shield but keep the Email Scanner and other virus protection features active.
    Reboot the computer back in to Normal Mode.

    Let me know if you have more trouble. By the way, doesn't Combofix say to 'disable' AVG instead of 'uninstall'?
    [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
 
Hi,

Booting into safe mode is no help - still get the same error message when running Combofix: Combofix cannot run when AVG is installed. This is due to AVGs targeting of ComboFix's files/processes. It would be dangerous to continue. Please uninstall AVG or use another tool.

Unfortunately, as stated before, I now can't uninstall or even re-install AVG - to put it bluntly, it's shagged! It doesn't appear as a useable program (won't launch etc), so tried to re-install it, and I now get an error when trying to do this: Error. Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\Current Version\Windows: creating registry key.... Access is denied.

I know this is probably stupid, but what has NT got to do with anything? I'm running XP Pro?!?

Seem to be stuck in some sort of loop here which is getting quite depressing :(
 
Okay, do this: right-click on combofix.exe on the desktop > choose Rename > change to paulsrun.exe

Now try the scan.
 
Hi there,

No joy again, I'm afraid: same message. Although this time it did try launching a DOS window, but it just disappeared and nothing happened.

Left it for around 10mins in case, but nothing. :(

I've even re-downloaded it in case I'd done something to the original Combofix programme, but this just gives the same message.

Sorry - I know this must be getting rather frustrating for you too! Thanks for all your help so far - much appreciated.
 
When you rename Combofix, AVG shouldn't recognize it! AVG must have added something in a recent update. I'm helping someone else who is getting the same message. He ended up uninstalling AVG and running Combofix offline.

I don't know what "shagged" means. If you want to try doing this offline and removing AVG in the meantime:

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

While in Safe Mode, disable all the AVG processes and uninstall it. To protect yourself while doing the scan, click on File> check 'Work offline' first.
 
Hi,

Sorry - "shagged" is a euphemism for not working!

I've tried uninstalling AVG, but can't get rid of it. I've seen something called Perfect Uninstaller which claims to be able to forcibly remove AVG - have you ever heard of this? Had a look on the net and appears to be genuine.

Other than that, do you know of any good reliable uninstallers that can forcibly remove AVG? The situation I am in at the moment is that AVG won't run, but is still active somewhere in the background, so it is stopping ComboFix. I can't launch AVG to shut down Resident Shield, can't uninstall AVG and can't re-install AVG to try and fix whatever issue there currently is with it!

Without knowing every process AVG is running, I can't "kill" anything via task manager either.

Thanks
 
What has probably happened is that its uninstaller has become corrupt. I use the Windows Installer Cleanup Utility to remove entry problems like this: http://support.microsoft.com/default.aspx?scid=kb;en-us;290301

Before you do this, you should get another AV downloaded: Use either one of these for now:
Both of the following programs are free and known to be good:
Avira Free
Avast Home

Download the Windows Uninstaller first, then either of the new AV programs. Once done, go to the Work Offline mode through File> Work Offline.
Boot into Safe Mode and run the Uninstaller, removing any and all AVG files.
Then double click to run the new AV.
Reboot into Normal Mode and check for updates.

You will need to disable the AV to run Combofix, but it shouldn't be a problem.
 
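As an added example (not from this thread, and not AVG's or ComboFix's own tooling), here is a PowerShell inventory that answers the two questions raised above: which AVG processes, services and kernel drivers are still active when the program will not launch, and who holds rights on the registry key that refused the re-install. It assumes PowerShell 2.0 on XP SP3, run as an administrator (ideally from Safe Mode), and that the product's binaries and services carry "avg" in their names; that name pattern is an assumption, so adjust `$pattern` if the listing comes back empty.

```powershell
# Added example (not from the thread). Assumes PowerShell 2.0 on XP SP3, run as Administrator,
# ideally in Safe Mode. $pattern is an assumption about the vendor's naming; adjust as needed.
$pattern = 'avg'
$disable = $false   # set to $true to stop and disable matching services/drivers (read-only by default)

Write-Host "== Running processes matching '$pattern' =="
Get-Process | Where-Object { $_.ProcessName -match $pattern } |
    Select-Object Id, ProcessName | Format-Table -AutoSize

# Services and kernel-mode drivers both derive from Win32_BaseService, so one list covers the
# resident-shield service and the filter drivers that can block ComboFix even when the GUI is dead.
$svcs = @(Get-WmiObject Win32_Service) + @(Get-WmiObject Win32_SystemDriver) |
    Where-Object { $_.Name -match $pattern -or $_.DisplayName -match $pattern -or $_.PathName -match $pattern }

Write-Host "== Services and drivers matching '$pattern' =="
$svcs | Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

if ($disable) {
    foreach ($s in $svcs) {
        # ReturnValue 0 means success; anything else is a Win32 service-control error code.
        $stop = $s.StopService().ReturnValue
        $mode = $s.ChangeStartMode('Disabled').ReturnValue
        Write-Host ("{0}: StopService={1} ChangeStartMode={2}" -f $s.Name, $stop, $mode)
    }
}

# Add/Remove Programs entries: a product whose uninstaller is broken usually still has one here,
# and UninstallString shows what the Installer Cleanup Utility would be removing.
Write-Host "== Add/Remove Programs entries matching '$pattern' =="
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.DisplayName -match $pattern } |
    Select-Object DisplayName, UninstallString | Format-List

# The re-install failed with "Access is denied" on this key; list who holds what rights on it.
# "Windows NT" is simply the name of this registry path on every NT-based Windows, XP included.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
Write-Host "== ACL on $key =="
(Get-Acl -Path $key).Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited | Format-Table -AutoSize
```

Run it read-only first and check the listed names against the product's install directory; only set `$disable` to `$true` once every entry is clearly the AV's own, because stopping and disabling an unrelated driver from Safe Mode can leave the machine unbootable. An ACL on the registry key that shows a Deny entry, or no entry at all for Administrators, explains the installer's "Access is denied" and is what to fix (or report) before retrying the re-install.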