I need help with my 8-step program

Solved
By Kaelkitty
Jun 27, 2010
Topic Status:
Not open for further replies.
  1. Hi,
    I was directed here by Chuck (of Software by Chuck fame). I have yet another case of the Search engine redirect virus lurking in my system. I gather from reading and searching online that I am not alone! I have read all of the stickies here and printed out the 8-step program but I think I need a bit of hand holding to complete it successfully.

    This is a summary of my efforts so far.

    Step 1: I have both AVG Free 9 and Spybot S&D. Both programs are always on, always running with daily updates - S&D updates and runs at 2AM and AVG at 4AM. Windows XP Auto Update runs at 3AM - I figured that SHOULD do. I have other AV software on my system to try if those fail but those are the two mainstays.

    Step 2: Downloaded and Ran TFC - removed 186 MB of temp files.

    Step 3: Checked with Microsoft: I have Microsoft Windows XP Home Edition Version 2002
    Service Pack 3 with all the latest Security Updates.

    Checked with Java - I have the latest Java installed (Version 6 Update 20).

    I had trouble with Adobe Reader. I hadn't used it for ages (This system is a bit old and slow and PDFs tend to hang on it) I downloaded from the link on the 8-steps page but when I tried to install it I repeatedly got the following error message.

    Error 1316. A network error occurred while attempting to read from the file
    C:\Documents and Settings\User_2\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\AdbeRdr930_en_US.msi

    Clicking on OK gave

    Setup Completed
    Setup was interrupted before Adobe Reader 9.3.2 could be completely installed.
    Your System has not been modified. To complete installation at another time please run setup again.
    Click Finish to exit Setup.

    After 3 repeats of that I gave up and went to Add and Remove Programs and removed the Adobe Reader entirely then I re-installed Reader from the Adobe Download page.
    I do know whether this was just a peculiarity of my own system or not, but you might want to get someone to check that link and the download it links to!

    I have checked in add or remove programs - there are only these versions of Java and the Reader installed.

    Step 4: Installed and ran MBAM - Annoyed to find 5 things which I followed your instructions, checked and acted on. Here is the MBAM Log Info.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4245

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    27/06/2010 3:29:58 PM
    mbam-log-2010-06-27 (15-29-58).txt

    Scan type: Quick scan
    Objects scanned: 135321
    Time elapsed: 12 minute(s), 41 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 1
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    I got the restart prompt - (I hate restarting my system by the way it takes forever because I have a lot of utilities in my Startup which I need because I have disability issues due to visual problems and other things associated with my Aspeger's/Autism Syndrome Disorder)

    When the system came back on line things got interesting - Windows had a fit and said my firewall was down and basically kept bugging me about it until I re-enabled it. I found this odd, because I thought it was OFF before I started this process and it had ALWAYS been off, because AVG and S&D were doing that job for me - WEIRD!

    Now I am up to step 5 Which is where I think I need a bit of help
    I have downloaded and saved the GMER file to my desktop

    Question 1: # Disconnect from the Internet and close all running programs.

    Does this include closing the Notepad file I am using to document this debugging process
    Does this include all the stuff in the System Tray?
    I permanently have the following in my Systems Tray
    Spybot-SD Resident
    OpenOffice.org 3.0 Quickstarter
    Kodak Easyshare Starter
    Sharp Button Manager A
    DU Meter
    Date in Tray Calendar
    Wake Me Up! State
    Roboform
    Atomic Clock Sync
    AVG Anti-Virus Free
    ATI Control Panel
    Volume Control
    Ebay Alerts

    Question 2: # Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

    I know how to Exit SD Resident and AVG, but I am not sure how to kill the windows firewall that it just made me enable!

    I await a replay at your convenience

    Yours Sincerely, Kaelkitty.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Skip the Windows update for now.

    It means no active Windows running. Where is the 'disconnect from the internet' you refer to? Spybot and AVG would be the only programs to disable.

    Don't worry about the Windows Firewall. But if you do want to turn it off, do so in the Security Center.

    Please run the scanning programs and leave the logs for us so we'll have something to work with.
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

  4. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    Hi, My apologies for the multiple postings yesterday, but I did not get the "moderators have to look at your post first" page, until the third go, so I thought my post was disappearing into the ether. I am also sorry to take so long to reply but I am having problems. I couldn't find my post or your reply post from the link you gave for the longest time - eventually (at 2.30am - about 4&1/2 hours ago). I had to give up and go to bed.

    When I came back on just now it still didn't show your reply and I had to refresh the page three times before I could get the whole thread. The two questions I quoted were copied directly from the stage 5 of the 8 step program relating to GMER which is where I need help.

    I am not sure where the Windows Security Centre is to be found - please be aware that I am still running Windows XP in Classic Mode because I couldn't cope with the changes when I went from 2000 to XP due to my Asperger's/Autism. Any function I do NOT use on a regular basis I generally have trouble finding - all of the stuff I use regularly lives on my Desktop. Unless I am told where to look for something I usually can't find it because my brain does not derive general rules well - I need to be explicitly told where to find stuff and what to do with it.

    I think I will HAVE to turn this firewall off before I can go any further - My Internet download speed is normally 800kbps - 1.3Mbps. Now it is down to under 50kbps and while I was trying to get to see your reply it kept dwindling down to 0.0 and stopping. I am going a bit nuts here because this is my only computer and I need it for work related stuff.
  5. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    Strike that - My ISP had rate limited me yesterday - the cheapskates made me pay another $5.95 to go back to my normal speed.

    Please read the instructions given in step FIVE of the 8 step plan they may need further clarification - I will try it with just AVG and S&D turned off and get back to you.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    The Security Center looks like this: The shield is the icon for it. [​IMG]
  7. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    OK, I found the Security Centre in the Control Panel and turned the Firewall off. I had to run GMER twice - the first time I had missed an AVG process and it hung my system - I couldn't even get Task Manager up for a restart and I had to use the start button on the case! (As far as I know, the only way to kill AVG is to delete it's running processes in Task Manager, but even then some processes spontaneously regenerate and refuse to be killed.)

    Here is the GMER log file info

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-06-28 10:00:29
    Windows 5.1.2600 Service Pack 3
    Running: u73ie068.exe; Driver: C:\DOCUME~1\User_2\LOCALS~1\Temp\kfeoqkod.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs sisidex.sys (SISIDEX Driver/Windows (R) 2000 DDK provider)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat sisidex.sys (SISIDEX Driver/Windows (R) 2000 DDK provider)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----


    I am going to need help with the next bit

    Step 6 DDS

    I don't know if I have any script blocking applications - I don't really understand scripts, except for the fact that Java runs them and they hang on my system fairly frequently when I am using facebook.

    Can you advise me BEFORE I download DDS?

    Also, since I ran GMER the text I am typing into the Forum Box is coming out scrambled. For Example "coming out scrambled" is appearing as "jrmcbi rgy ojpamxn.e" so I have had to type this in Notepad and Copy and Paste it.
  8. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    Um! I just got a pop-up saying that Firefox 3.6.6 had downloaded and would be installed the next time I started Firefox. I will have to stop Firefox to run DDS so it will update when I reconnect and re-open Firefox to send you the logs. What should I do?
  9. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    OK, I had to close my Firefox session at 2 AM to let Spybot S&D run, so the Firefox update has processed and installed itself - if that has stuffed things up you will HAVE to tell me what to do now.
    Please adviise urgently about DDS as requested in post #7 above as I cannot proceed until I understand what it is I have to do. Thank you.
  10. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    Step 6: DDS Results

    global replaced "firefox" with "ff" Attached original text.

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by User_2 at 17:18:04.32 on 29/06/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.512.303 [GMT 9.5:30]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes =

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\DU Meter\DUMeterSvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\WakeMeUp\WMUSvc.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\WakeMeUp\WMUAgent.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\DU Meter\DUMeter.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\WakeMeUp\WMUTray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Sharp\Button Manager A\btnman.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\DateInTray\DateInTray.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\User_2\Desktop\dds.scr

    ============== Pseudo HJT Report =

    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uStart Page = hxxp://www.iprimus.com.au
    uDefault_Page_URL = hxxp://www.iprimus.com.au
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = hxxp://www.seagate.com/www/en-US/redirects/retail_news
    uInternet Settings,ProxyOverride = *.IPrimus.com.au;192.168.1.254;10.*;172.16.*;172.17.*;172.18.*;172.19.*;172.20.*;172.21.*;172.22.*;172.23.*;172.24.*;172.25.*;172.26.*;172.27.*;172.28.*;172.29.*;172.30.*;172.31.*;192.168.*;<local>
    uInternet Settings,ProxyServer = http=proxy.iprimus.com.au:8080;https=proxy.iprimus.com.au:8080;ftp=proxy.iprimus.com.au:8080
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: H - No File
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: eBay Toolbar Helper: {22d8e815-4a5e-4dfb-845e-aab64207f5bd} - c:\program files\ebay\ebay toolbar2\eBayTB.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Watch for Browser Events: {516e2306-7adf-47ec-aea8-acb6b51899f1} - c:\progra~1\macroe~1\iCapture.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    BHO: TweakMASTER PRO Component: {7daac7de-9ef0-4ff0-bfa5-aff3e899054c} - c:\progra~1\tweakm~1\TweakBHO.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: IEPlugin Class: {cf7c3cf0-4b15-11d1-abed-709549c10000} - c:\program files\advanced system optimizer\IEHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: eBay Toolbar: {92085ad4-f48a-450d-bd93-b28cc7df67ce} - c:\program files\ebay\ebay toolbar2\eBayTB.dll
    TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    TB: {22D003CE-6952-46C5-80B9-D19B479620AB} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [DU Meter] c:\program files\du meter\DUMeter.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [autosaver.exe] "c:\program files\autosave\Autosave.exe"
    uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
    uRun: [WMUTray.exe] c:\program files\wakemeup\WMUTray.exe
    mRun: [eBayToolbar] c:\program files\ebay\ebay toolbar2\eBayTBDaemon.exe
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [TweakMASTER] "c:\program files\tweakmaster\TMTray.exe"
    mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [WMUAgent.exe] c:\program files\wakemeup\WMUAgent.exe
    mRun: [Atomic.exe] c:\program files\atomic clock sync\Atomic.exe
    mRunOnce: [NSSInstallation] c:\windows\system32\adobe\shockwave 11\nssstub.exe /runonce /rm
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
    StartupFolder: c:\docume~1\user_2\startm~1\programs\startup\datein~1.lnk - c:\program files\dateintray\DateInTray.exe
    StartupFolder: c:\docume~1\user_2\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\button~1.lnk - c:\program files\sharp\button manager a\btnman.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
    IE: Add to &LinkFox - c:\progra~1\tweakm~1\TweakBHO.dll/IESCRIPT
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
    IE: eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
    IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Plants%20vs.%20Zombies/Images/stg_drm.ocx
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/armhelper.ocx
    TCP: NameServer = 208.67.220.220,208.67.222.222
    TCP: {2A38118D-A1F2-4939-98FB-E866EDFE0BD5} = 203.134.64.66,203.134.65.66
    TCP: {B9A7FD29-B4B4-4092-B3E5-6F847B25DC57} = 208.67.220.220,208.67.222.222
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: avgrsstarter - avgrsstx.dll
    SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= ff =

    FF - ProfilePath - c:\docume~1\user_2\applic~1\mozilla\ff\profiles\3e4h8dlg.default\
    FF - prefs.js: browser.search.selectedEngine - Answers.com
    FF - prefs.js: browser.startup.homepage - hxxp://davesgarden.com/tools/journal/viewbycat.php?catsort=name1&cat=50491|http://davesgarden.com/guides/pf/ad...ntry.php?rid=150918|http://www.google.com.au/
    FF - prefs.js: keyword.URL - hxxp://au.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_au&p=
    FF - component: c:\documents and settings\user_2\application data\mozilla\ff\profiles\3e4h8dlg.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\user_2\application data\mozilla\ff\profiles\3e4h8dlg.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    FF - component: c:\program files\avg\avg9\ff\components\avgssff.dll
    FF - component: c:\program files\avg\avg9\toolbar\ff\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\avg\avg9\toolbar\ff\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\avg\avg9\toolbar\ff\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\avg\avg9\toolbar\ff\avg@igeared\components\xpavgtbapi.dll
    FF - component: c:\program files\siber systems\ai roboform\ff\components\rfproxy_31.dll
    FF - plugin: c:\documents and settings\user_2\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\mozilla ff\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla ff\plugins\npigl.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla ff\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

    ---- ff POLICIES ----
    c:\program files\mozilla ff\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla ff\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla ff\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla ff\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla ff\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla ff\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla ff\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla ff\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla ff\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla ff\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla ff\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla ff\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla ff\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla ff\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla ff\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla ff\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla ff\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla ff\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla ff\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla ff\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla ff\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla ff\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla ff\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla ff\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla ff\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla ff\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla ff\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla ff\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla ff\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla ff\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla ff\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla ff\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla ff\defaults\pref\ff-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla ff\defaults\pref\ff-branding.js - pref("app.update.url.manual", "http://www.ff.com");
    c:\program files\mozilla ff\defaults\pref\ff-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla ff\defaults\pref\ff.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla ff\defaults\pref\ff.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla ff\defaults\pref\ff.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla ff\defaults\pref\ff.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla ff\defaults\pref\ff.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla ff\defaults\pref\ff.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla ff\defaults\pref\ff.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla ff\defaults\pref\ff.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla ff\defaults\pref\ff.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla ff\defaults\pref\ff.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla ff\defaults\pref\ff.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla ff\defaults\pref\ff.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla ff\defaults\pref\ff.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla ff\defaults\pref\ff.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla ff\defaults\pref\ff.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla ff\defaults\pref\ff.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla ff\defaults\pref\ff.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS =

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-18 64160]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-23 216200]
    R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-23 29584]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-23 242896]
    R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-13 308064]
    R2 DUMeterSvc;DU Meter Service;c:\program files\du meter\DUMeterSvc.exe [2009-3-1 1391136]
    R2 Seagate Sync Service;Seagate Sync Service;c:\program files\seagate\sync\SeaSyncServices.exe [2007-1-18 24120]
    S2 MAINTE;Integration Maintenance Program Version 4.01 Generic USB Driver;c:\windows\system32\drivers\usbscan.sys [2004-5-31 15104]
    S3 AmeAtmPc;AmeAtmPc;c:\windows\system32\drivers\ameatmpc.sys [2007-9-21 110839]
    S3 AtmElan;ATM Emulated LAN;c:\windows\system32\drivers\atmlane.sys [2003-3-31 55808]
    S3 AtmLane;ATM LAN Emulation;c:\windows\system32\drivers\atmlane.sys [2003-3-31 55808]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-10 1029456]

    =============== Created Last 30 =

    2010-06-27 05:40:32 0 d-----w- c:\docume~1\user_2\applic~1\Malwarebytes
    2010-06-27 05:40:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-06-27 05:40:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-06-27 05:40:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-06-27 05:40:09 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-16 22:40:33 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

    ==================== Find3M =

    2010-06-02 23:11:41 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\win32k.sys
    2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-04-12 07:59:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2009-07-02 05:28:30 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
    2008-10-14 23:05:38 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101520081016\index.dat

    ============= FINISH: 17:19:37.03 =

    Attached Files:

  11. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    I need an update on this thread

    Hi Bobbye,
    It is 1.48am here and I am going to bed now. If it is not too much trouble can you have a look at the logs I have posted so far and tell me what to do next? I have also added my computer specifications to my posts if that is of any help.

    I will come back in the morning and check to see what I need to do next.

    Thank You, KK.
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..

    This will give me more information. I'm not sure how your internet connection is set up.

    I notice in the Restore points that Spybot-S&D Spyware removal appears at lest every day and sometimes more than one time a day. Do you know what is going on with this program?

    Edit: It look likle you may have installed Spybot Search & Destroy twice:
    Spybot - Search & Destroy
    Spybot - Search & Destroy 1.3
  13. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    Thats for geting back to me

    I hope your problem (Broni said) is fixed up. I was getting worried on your behalf. I must have missed you by about 20 minutes last night (7 hours ago was 2.33 am here) It is possible Spybot is double installed - I was prompted to update it a couple of months ago. I will check in the installed programs list before I do the Combo fix thing, FYI I usually try to knock the browser on its head before 2am every day so I can get some sleep! - I am not sure what time that is for you. Hopefully I will be back within an hour from this message. I have all day today free - basically the next 8 hours or so.
     
  14. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    Urr, the title should have read "Thanks for getting back to me" (dyslexia strikes again)
  15. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    OK,
    I've been digging into the Spybot thing and I found this

    In my "Add or Remove Programs" window I have the following entries -

    Spybot - Search & DestroySize 50.26MB
    click here for support information Used occasionally
    Last used on 23/12/2008
    AND

    Spybot - Search & Destroy 1.3 Size 12.68MB
    click here for support information Used occasionally
    Last used on 01/10/2004

    Spybot - Search & Destroy 1.6.2 doesn't show up in Add or Remove Programs at all! Even though I know it IS there and working - As of last nights entry: Spybot - S&D 1.6.2.46 - Latest detection update 30/06/2010!

    However, in the Uninstall list WITHIN Spybot itself I found -

    Spybot - Search & Destroy 1.3 1.3 (Spybot - Search & Destroy_is1)
    uninstall cmd: "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
    publisher: Safer Networking Limited

    AND

    Spybot - Search & Destroy 1.6.2 ({B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1)
    install date: 20100514
    install location: C:\Program Files\Spybot - Search & Destroy\
    uninstall cmd: "C:\Program Files\Spybot - Search & Destroy\unins001.exe"

    I have decided to leave everything as it is for now, rather than mess with something that doesn't make sense to me and I have put in a forum request to resolve this on the Spybot forum for further instructions.

    I will proceed with the Combo.fix now and post the results as soon as I get them.
  16. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    Also you said "I'm not sure how your internet connection is set up."

    Okay, I'm not surprised. I have been through a number of different Modem setups etc as my ISP has updated the available connections. The old stuff is probably still on my system as the ISP is not particularly helpful over the phone - they are constantly telling me it would be SO much easier if I was using IE instead of Firefox - I think NOT!

    I am currently connected to the Internet via the Ethernet port in my system using the Connect 622 modem.

    There should also be a backup "dial up" connection set up to 01 9838 0000 (local dial up access)

    Web browser setting is proxy.iprimus.com.au on Port 8080
    Primary DNS server is 203.134.64.66 Secondary DNS server is 203.134.65.66

    I hope this helps.
  17. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    Here is the Combofix Log. Please note that I was unsuccessful in closing AVG down completely, and I have just sent a complaint to their forum on this subject. However Combofix seems to have run successfully and once I restarted my system all the normal startups/TSRs seem to be working OK.

    -------------------------- LOG --------------------------------------------------------

    ComboFix 10-06-30.03 - User_2 01/07/2010 12:37:24.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.512.196 [GMT 9.5:30]
    Running from: c:\documents and settings\User_2\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\test.txt

    .
    ((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))
    .

    2010-06-27 05:40 . 2010-06-27 05:40 -------- d-----w- c:\documents and settings\User_2\Application Data\Malwarebytes
    2010-06-27 05:40 . 2010-04-29 06:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-06-27 05:40 . 2010-06-27 05:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-06-27 05:40 . 2010-04-29 06:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-06-27 05:40 . 2010-06-27 05:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-16 22:40 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-01 02:53 . 2009-11-11 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-07-01 02:30 . 2007-09-23 02:30 -------- d-----w- c:\documents and settings\User_2\Application Data\MailWasherPro
    2010-06-30 21:57 . 2009-11-28 03:36 0 ----a-w- c:\documents and settings\User_2\Local Settings\Application Data\prvlcl.dat
    2010-06-27 06:05 . 2009-03-26 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-06-27 05:26 . 2004-05-31 08:29 -------- d-----w- c:\program files\Common Files\Adobe
    2010-06-27 05:11 . 2010-06-27 05:11 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2010-06-19 02:41 . 2010-06-19 02:41 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
    2010-06-18 03:43 . 2009-03-13 12:34 1 ----a-w- c:\documents and settings\User_2\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-06-11 11:48 . 2010-06-26 04:58 52224 ----a-w- c:\documents and settings\User_2\Application Data\Mozilla\Firefox\Profiles\3e4h8dlg.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    2010-06-11 11:48 . 2010-06-26 04:58 101376 ----a-w- c:\documents and settings\User_2\Application Data\Mozilla\Firefox\Profiles\3e4h8dlg.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    2010-06-04 00:23 . 2008-01-10 00:14 -------- d-----w- c:\program files\RegCure
    2010-06-02 23:13 . 2010-06-02 23:13 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
    2010-06-02 23:13 . 2010-06-02 23:13 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
    2010-06-02 23:11 . 2008-05-23 02:39 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-06-02 23:11 . 2008-05-23 02:39 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-05-18 02:32 . 2010-05-18 02:32 50354 ----a-w- c:\documents and settings\User_2\Application Data\Facebook\uninstall.exe
    2010-05-18 02:32 . 2010-05-18 02:32 -------- d-----w- c:\documents and settings\User_2\Application Data\Facebook
    2010-05-13 18:46 . 2004-09-29 10:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-05-13 18:26 . 2004-09-29 10:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-05-13 17:29 . 2010-05-13 17:27 -------- d-----w- c:\program files\Speccy
    2010-05-08 05:23 . 2010-05-08 05:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-05-06 10:41 . 2004-02-06 09:35 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-06 04:15 . 2010-01-30 08:53 -------- d-----w- c:\program files\Defraggler
    2010-05-02 05:22 . 2003-03-31 12:00 1851264 ------w- c:\windows\system32\win32k.sys
    2010-04-20 05:30 . 2003-03-31 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-04-12 07:59 . 2010-04-15 04:47 411368 ----a-w- c:\windows\system32\deployJava1.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2010-04-19 00:55 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2009-09-04 2749984]
    "autosaver.exe"="c:\program files\Autosave\Autosave.exe" [2003-10-19 811520]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-04-10 160328]
    "WMUTray.exe"="c:\program files\WakeMeUp\WMUTray.exe" [2007-02-15 734208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "eBayToolbar"="c:\program files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2009-01-16 632048]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-02 2065248]
    "TweakMASTER"="c:\program files\TweakMASTER\TMTray.exe" [2009-09-04 322096]
    "NeroCheck"="c:\windows\System32\\NeroCheck.exe" [2001-07-09 155648]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-15 417792]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "WMUAgent.exe"="c:\program files\WakeMeUp\WMUAgent.exe" [2007-02-15 592384]
    "Atomic.exe"="c:\program files\Atomic Clock Sync\Atomic.exe" [2004-06-17 524288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "NSSInstallation"="c:\windows\system32\Adobe\Shockwave 11\nssstub.exe" [2010-06-24 497016]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\User_2\Start Menu\Programs\Startup\
    DateInTray.lnk - c:\program files\DateInTray\DateInTray.exe [2007-9-21 78848]
    OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Button Manager A.lnk - c:\program files\Sharp\Button Manager A\btnman.exe [2009-1-20 106496]
    Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-03-12 22:57 12464 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^User_2^Start Menu^Programs^Startup^Fanbase.lnk]
    backup=c:\windows\pss\Fanbase.lnkStartup
    backupExtension=Startup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
    2010-03-04 07:01 524632 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AME_CSA]
    2002-04-30 15:50 720896 ----a-w- c:\windows\system32\AmeCSA.cpl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
    2005-08-25 08:47 65536 ------w- c:\program files\D-Link\DSL-200\dslagent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE]
    2005-12-12 08:21 344064 ------w- c:\program files\D-Link\DSL-200\dslstat.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkinClock]
    2008-09-30 07:17 1338368 ----a-w- c:\program files\Clock Tray Skins\ClockTraySkins.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\WINDOWS\\system32\\spoolsv.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1723:TCP"= 1723:TCP:mad:xpsp2res.dll,-22015
    "1701:UDP"= 1701:UDP:mad:xpsp2res.dll,-22016
    "500:UDP"= 500:UDP:mad:xpsp2res.dll,-22017

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [18/06/2009 5:30 PM 64160]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [23/05/2008 12:09 PM 216200]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [23/05/2008 12:09 PM 242896]
    R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [13/03/2010 8:26 AM 308064]
    R2 DUMeterSvc;DU Meter Service;c:\program files\DU Meter\DUMeterSvc.exe [01/03/2009 3:13 PM 1391136]
    R2 Seagate Sync Service;Seagate Sync Service;c:\program files\Seagate\Sync\SeaSyncServices.exe [18/01/2007 1:20 PM 24120]
    S2 MAINTE;Integration Maintenance Program Version 4.01 Generic USB Driver;c:\windows\system32\drivers\usbscan.sys [31/05/2004 5:54 PM 15104]
    S3 AmeAtmPc;AmeAtmPc;c:\windows\system32\drivers\ameatmpc.sys [21/09/2007 3:43 PM 110839]
    S3 AtmElan;ATM Emulated LAN;c:\windows\system32\drivers\atmlane.sys [31/03/2003 9:30 PM 55808]
    S3 AtmLane;ATM LAN Emulation;c:\windows\system32\drivers\atmlane.sys [31/03/2003 9:30 PM 55808]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [10/03/2009 4:36 AM 1029456]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-01 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-23 07:23]

    2010-06-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 07:01]

    2010-06-26 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 03:04]

    2010-07-01 c:\windows\Tasks\Install.job
    - c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2010-06-24 06:28]

    2010-06-30 c:\windows\Tasks\RegCure Program Check.job
    - c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

    2010-06-30 c:\windows\Tasks\RegCure Startup.job
    - c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

    2010-06-30 c:\windows\Tasks\RegCure.job
    - c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

    2010-06-30 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2004-05-11 06:01]

    2010-06-24 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-07-26 06:01]
    .
    .


    ---------------- PART 2 in NEXT POST -------------------
  18. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    ---------------- COMBOFIX LOG PART 2 -------------------

    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.iprimus.com.au
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = hxxp://www.seagate.com/www/en-US/redirects/retail_news
    uInternet Settings,ProxyOverride = *.IPrimus.com.au;192.168.1.254;10.*;172.16.*;172.17.*;172.18.*;172.19.*;172.20.*;172.21.*;172.22.*;172.23.*;172.24.*;172.25.*;172.26.*;172.27.*;172.28.*;172.29.*;172.30.*;172.31.*;192.168.*;<local>
    uInternet Settings,ProxyServer = http=proxy.iprimus.com.au:8080;https=proxy.iprimus.com.au:8080;ftp=proxy.iprimus.com.au:8080
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to &LinkFox - c:\progra~1\TWEAKM~1\TweakBHO.dll/IESCRIPT
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    TCP: {2A38118D-A1F2-4939-98FB-E866EDFE0BD5} = 203.134.64.66,203.134.65.66
    TCP: {B9A7FD29-B4B4-4092-B3E5-6F847B25DC57} = 208.67.220.220,208.67.222.222
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\User_2\Application Data\Mozilla\Firefox\Profiles\3e4h8dlg.default\
    FF - prefs.js: browser.search.selectedEngine - Answers.com
    FF - prefs.js: browser.startup.homepage - hxxp://davesgarden.com/tools/journal/viewbycat.php?catsort=name1&cat=50491|http://davesgarden.com/guides/pf/ad...ntry.php?rid=150918|http://www.google.com.au/
    FF - prefs.js: keyword.URL - hxxp://au.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_au&p=
    FF - component: c:\documents and settings\User_2\Application Data\Mozilla\Firefox\Profiles\3e4h8dlg.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\User_2\Application Data\Mozilla\Firefox\Profiles\3e4h8dlg.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
    FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
    FF - plugin: c:\documents and settings\User_2\Application Data\Facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npigl.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-01 12:50
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc]
    "ImagePath"="c:\program files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-842925246-1614895754-682003330-1005\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-842925246-1614895754-682003330-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:1d,c1,f5,ca,60,4d,d6,ac,88,5f,80,fc,60,a2,75,0e,71,a6,52,30,37,0e,78,
    c7,1a,59,41,91,42,cf,71,94,a2,41,7e,0f,0a,ad,0c,d9,09,9d,5c,0e,cc,93,60,09,\
    "??"=hex:bf,08,2f,aa,97,27,21,24,77,d4,6e,7d,ec,3e,1a,fb
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(376)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-07-01 12:58:35
    ComboFix-quarantined-files.txt 2010-07-01 03:28

    Pre-Run: 21,484,703,744 bytes free
    Post-Run: 21,524,680,704 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    - - End Of File - - 174FF0EF07277A9AB9FA54786CA37FDA


    That is the lot, I'll check back in later today. Ciao, KK.
  19. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    11:36 PM here,

    A quick update before I buzz off for the night

    I got a reply from the Safer Networking forum re my Spybot installations and I have removed version 1.3 via their instructions.

    I have also had a reply from the AVG forum who have given me a method of turning off the AVG program completely, so I will be able to do that if I need to run Combofix again in the future.

    I will be back in the morning, when I hope to be able to hear from you, as to what we need to do next.
    Bye for Now, KK.
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Well, my router went bad Thursday night and I just got it replaced today- Saturday. But thanks to the fact that you pasted your logs, I was able to work on part of the thread.

    I'm sorry you went to all that trouble with Spybot S&D and AVG. I could have handled it as I have done below. I didn't have all the logs in my email, but I set up the following for you: It may be outdated depending on how much you went ahead and did.
    -----------------------------------
    I notice that you have both AdWatch from AdAware and Tea Timer from Search & Destroy running from Startup. I suggest that you stop one of them. They are both Real Time programs and can potentially cause a conflict as they are both trying to do the same thing.

    I have moved all the entries for Spybot and AdAware. After we get bit further long, you can then download the current version of Spybot and decide whether you want to run AdWatch or Tea Timer. Honestly, I don't recommend running either of these Real Timers!

    Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\program files\RegCure\RegCure.exe
    c:\program files\Spybot - Search & Destroy\TeaTimer.exe>>> 2009
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    
    Folder::
    c:\program files\RegCure
    c:\program files\Spybot - Search & Destroy>>> 2004
    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy>> 2004
    c:\documents and settings\All Users\Application Data\McAfee
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>> 2009
    "SpybotSD TeaTimer"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
    
    RegNull::
    [HKEY_USERS\S-1-5-21-842925246-1614895754-682003330-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    
    Driver::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Go to the Control Panel> Scheduled Tasks> Remove all of the following:
    3 RegCure tasks:
    I recommend uninstalling this Registry cleaner. Most of us don't recommend having a Registry cleaner and even if you decde to keep the program, you do not need it in Scheduled Updates.
    2 Spybot Search & Destroy tasks: SpybotSD.exe was set in 2004 and SDUpdate.exe set in 2008. I suggest you uninstall Spybot now- use the uninstaller that comes with the program. I'll write script to remove any left over entries. Then, when all the different versions and processes have been removed, download the current version. I don't recommend putting the program in Scheduled tasks. Update right before you scan.

    The script will generate a new Combofix log. Please leave that in your next reply. Rather than going to other forums about programs you have. if I have mentioned them, please allow me to handle them.
  21. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    HI Bobbye,
    I've just come in from the garden and found your message.

    I use Reg Cure because every file I take from my desktop, stuff in the recycle bin and then delete leaves a leftover entry in my Registry for some reason. By the time the computer has been up and running for 7 or 8 days without a break, the registry is a mess and the system starts to get slow and buggy if I don't run it. RegCure is also the way I have been interacting with my system startups. Files are coming and going on my desktop all the time because I do a great deal of photographic work for my botanical research. I blame Kodak Easyshare (it's a dreadful program, but the trouble is that it came with my camera and I didn't know any better at the time, and now I've got a legacy of over 15,000 hand typed photo captions that only Easyshare will read and search through!)

    I would prefer to keep Reg Cure for two reasons. Firstly it does not stuff up my system and I've been using it for years without trouble, secondly, it's been less than 2 weeks since I paid Pareto $49.95 US to re-up my subscription. It runs twice a week, in the middle of the night - the same as my other "clean-up/av" etc programs. I really do prefer everything possible to run automatically between 2 am and 6 am simply because I cannot work on my system at all if any of the AV or other cleaning programs are active - it is just too slow. Also, because of my Asperger's I have a very bad relationship with time, and if I have to do anything manually it just wont get done - I've been promising myself that I was going to back up and defrag this thing for about 6 weeks now, but I just keep forgetting to do it because it is not an automated process - I have to remember to get the external drive out and hook it up each time. My problem is that when I am actually sitting at the computer I want to be doing something - either working, or enjoying myself (I confess I do play the odd few computer games, LOL!) What I don't want to be doing is waiting for the darn thing to finish backing up / defragging/ running the anti virus/ etc etc. Darn it, back in the DOS days I used to be SO disciplined
    about computer maintenance, but now, It just seems to have gotten beyond me!

    Anyhow, I'll follow your instructions to the letter and get the logs to you ASAP. TTFN. KK.
  22. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    Here is the new Combofix log. I have attached it as it is way too big for posting. I hope that is OK. I had a bit of a weird thing happen when I restarted the computer after running Combofix - Windows kept trying to Install Masterplan 7 - which Is odd because It should already be installed. I kept hitting cancel and the installer kept restarting itself - eventually (after about 20 goes) it asked for a CD and gave me an option to stop! I don't know what it was trying to do.

    I'll go and remove the Spybot S&D now, but I wanted to get this log posted for you first, in case you check in in the meantime. it will take me an hour or so, as there is some internal log info in it that I want to keep. I can always re-install it later on, as you say. I hope to hear from you soon, and I am sorry you had trouble with your router - it seems like with computers there is always something!
  23. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    Grrr! Log didn't post! Trying Again!

    Attached Files:

  24. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    I have uninstalled Spybot S&D for the moment but I will be putting it back, unless you can suggest something better.

    Here is the last few Spybot log entries...
    -------------------------------------------------------Found --------------------- Fixed
    Spam.VistaPrint 49 10/02/2010 48 10/02/2010
    Win32.Agent.ieu 1 08/05/2010 1 08/05/2010
    RightMedia 3 12/05/2010 2 08/05/2010
    Win32.PornPopUp 1 03/06/2010 5 03/06/2010
    Win32.FraudLoad 3 17/06/2010 4 17/06/2010

    As you can see from that, I DO need Something to do it's job!
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    It is your system. Keep the registry cleaner if you want.

    Easiest way to handle the Masterplan 7 problem is to take it off of Startup.

    I did not intend to infer you didn't need Spybot S&D. I attempted to remove the fragments of different versions of the program so that could could install the current version.

    About RegCure: when I was working offline on your Combofix report, I had included RegCure with a switch to remove all related entries. I can try to restore it but you will need to get the Qoobox log for me:
    Do a search for C:\Qoobox\Combofix-quarantined-files.txt

    Paste this in your next reply.
    If you would rather not do this, you should be able to re-download and install the program easily.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.