Iexplore eating physical memory:(

By dangermouseyork
Jan 7, 2011
Topic Status:
Not open for further replies.
  1. Hi folks,

    I've noticed iexplore.exe is eating physical memory on my partners laptop.
    this has only just happened recently and there are always 2 instances of iexplore.exe running in task manager.
    Its really slowing down browsing the net, just loading a page can take 5 minutes sometimes, and links tend to be non functioning.
    After scanning the forums i see this may be a virus or malware problem, but i am a complete noob in this department!
    I know this has been covered before but dont want to start following instuctions for other people as i am nervous of making things worse!
    Any advice or fixes would be very much appreciated, but please bear in mind my computer skills are fairly minimal!

    Appreciation in advance

  2. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Welcome aboard [​IMG]

    Please, complete all steps listed here:
    Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
    Attached logs won't be reviewed.

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  3. dangermouseyork

    dangermouseyork Newcomer, in training Topic Starter

    will do


    Thanks for your reply, i will begin the process today and keep you informed!

    (edit) Shall i post the logs as i go?

  4. dangermouseyork

    dangermouseyork Newcomer, in training Topic Starter

    malware bytes log

    Malwarebytes' Anti-Malware

    Database version: 5475

    Windows 6.0.6001 Service Pack 1
    Internet Explorer 7.0.6001.18000

    07/01/2011 13:10:25
    mbam-log-2011-01-07 (13-10-25).txt

    Scan type: Quick scan
    Objects scanned: 152744
    Time elapsed: 11 minute(s), 40 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\AppID\activex.DLL (Adware.180Solutions) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  5. dangermouseyork

    dangermouseyork Newcomer, in training Topic Starter

    gmer log

    GMER -
    Rootkit quick scan 2011-01-07 13:17:39
    Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9160310AS rev.0303
    Running: 8oc7pqpi.exe; Driver: C:\Users\Sammy\AppData\Local\Temp\kglcypoc.sys

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\tdx \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
  6. dangermouseyork

    dangermouseyork Newcomer, in training Topic Starter

    dds log

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Sammy at 13:27:06.09 on 07/01/2011
    Internet Explorer: 7.0.6001.18000
    Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.765.164 [GMT 0:00]

    AV: Norton 360 *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Norton 360 *Disabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    FW: Norton 360 *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}

    ============== Running Processes ===============

    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
    C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Virgin Media\HUB\ServicepointService.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Launch Manager\LManager.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Virgin Media\HUB\VirginMediaHUB.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\DivX\DivX Plus Web Player\DDMService.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
    C:\Program Files\Virgin Media\HUB\VirginMediaHUBComHandler.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://
    uSearch Page = hxxp://
    uDefault_Page_URL = hxxp://
    uSearch Bar = hxxp://
    mStart Page = hxxp://
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB6.4; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618)" -""
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
    mRun: [BkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [LManager] c:\progra~1\launch~1\LManager.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [eRecoveryService]
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [WarReg_PopUp] c:\program files\emachines\wr_popup\WarReg_PopUp.exe
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [VirginMediaHUB.exe] "c:\program files\virgin media\hub\VirginMediaHUB.exe" /AUTORUN
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\users\sammy\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {000F1EA4-5E08-4564-A29B-29076F63A37A} - hxxp://
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://
    DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://
    DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://
    DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://
    AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

    ============= SERVICES / DRIVERS ===============

    R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20090506.001\IDSvix86.sys [2009-5-9 272432]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-1-7 61960]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]

    =============== Created Last 30 ================

    2011-01-07 12:56:42 -------- d-----w- c:\users\sammy\appdata\roaming\Malwarebytes
    2011-01-07 12:56:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-07 12:56:10 -------- d-----w- c:\progra~2\Malwarebytes
    2011-01-07 12:56:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-07 12:56:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-07 12:03:08 -------- d-----w- c:\users\sammy\appdata\roaming\Avira
    2011-01-07 11:53:09 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-01-07 11:52:37 -------- d-----w- c:\program files\Avira
    2011-01-07 11:52:37 -------- d-----w- c:\progra~2\Avira
    2011-01-04 22:35:31 -------- d-----w- c:\users\sammy\appdata\roaming\Local
    2011-01-04 22:22:18 -------- d-----w- c:\progra~2\DivX
    2011-01-04 18:29:47 -------- d-----w- c:\program files\BitTorrent
    2011-01-04 18:28:45 -------- d-----w- c:\users\sammy\appdata\roaming\BitTorrent
    2010-12-21 14:50:23 -------- d-----w- c:\program files\common files\Windows Live
    2010-12-17 18:02:05 66048 ----a-w- c:\program files\windows mail\wabmig.exe
    2010-12-17 18:02:05 515584 ----a-w- c:\program files\windows mail\wab.exe
    2010-12-17 18:02:05 33280 ----a-w- c:\program files\windows mail\wabfind.dll
    2010-12-17 18:01:58 2037248 ----a-w- c:\windows\system32\win32k.sys
    2010-12-17 18:01:44 603648 ----a-w- c:\windows\system32\schedsvc.dll
    2010-12-17 18:01:44 357376 ----a-w- c:\windows\system32\taskschd.dll
    2010-12-17 18:01:43 345088 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2010-12-17 18:01:43 171520 ----a-w- c:\windows\system32\taskeng.exe
    2010-12-17 18:01:42 270336 ----a-w- c:\windows\system32\taskcomp.dll
    2010-12-17 18:01:19 81920 ----a-w- c:\windows\system32\consent.exe
    2010-12-17 18:01:07 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-17 18:01:06 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-12-17 18:01:05 72704 ----a-w- c:\windows\system32\fontsub.dll
    2010-12-17 17:59:16 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-12-17 17:57:15 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2010-12-17 12:55:10 -------- d-----w- c:\users\sammy\appdata\roaming\Virgin Media
    2010-12-17 12:54:44 -------- d-----w- c:\progra~2\Radialpoint
    2010-12-17 12:54:38 -------- d-----w- c:\program files\Virgin Media
    2010-12-17 12:54:38 -------- d-----w- c:\progra~2\Virgin Media
    2010-12-15 21:07:19 -------- d-----w- c:\progra~2\Oberonv1005
    2010-12-12 20:10:34 -------- d-----w- c:\progra~2\Oberon Games

    ==================== Find3M ====================

    2010-11-12 00:44:54 94208 ----a-w- c:\windows\system32\dpl100.dll
    2010-11-08 22:57:04 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
    2010-10-20 17:45:29 833024 ----a-w- c:\windows\system32\wininet.dll
    2010-10-20 17:41:28 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-10-20 16:16:50 389632 ----a-w- c:\windows\system32\html.iec
    2010-10-20 15:51:56 1383424 ----a-w- c:\windows\system32\mshtml.tlb

    ============= FINISH: 13:28:54.42 ===============
  7. dangermouseyork

    dangermouseyork Newcomer, in training Topic Starter

    dds attach log


    DDS (Ver_10-12-12.02)

    Microsoft® Windows Vista™ Home Basic
    Boot Device: \Device\HarddiskVolume2
    Install Date: 26/12/2008 16:34:06
    System Uptime: 07/01/2011 12:27:47 (1 hours ago)

    Motherboard: eMachines | | eMachines D620
    Processor: AMD Athlon(tm) Processor 2650e | Socket M2/S1G1 | 1600/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 139 GiB total, 65.699 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    ==== Installed Programs ======================
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9
    Adobe Shockwave Player 11.5
    Agatha Christie Death on the Nile
    Alice Greenfingers
    Amazing Adventures The Lost Tomb
    AMD USB Audio Driver Filter
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI Catalyst Install Manager
    Avira AntiVir Personal - Free Antivirus
    Bejeweled 2 Deluxe
    Bookworm Deluxe
    Bricks of Egypt
    Cake Mania
    CAM UnZip 4.42
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization Chinese Standard
    Catalyst Control Center Localization Chinese Traditional
    Catalyst Control Center Localization Czech
    Catalyst Control Center Localization Danish
    Catalyst Control Center Localization Dutch
    Catalyst Control Center Localization Finnish
    Catalyst Control Center Localization French
    Catalyst Control Center Localization German
    Catalyst Control Center Localization Greek
    Catalyst Control Center Localization Hungarian
    Catalyst Control Center Localization Italian
    Catalyst Control Center Localization Japanese
    Catalyst Control Center Localization Korean
    Catalyst Control Center Localization Norwegian
    Catalyst Control Center Localization Polish
    Catalyst Control Center Localization Portuguese
    Catalyst Control Center Localization Russian
    Catalyst Control Center Localization Spanish
    Catalyst Control Center Localization Swedish
    Catalyst Control Center Localization Thai
    Catalyst Control Center Localization Turkish
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    Compatibility Pack for the 2007 Office system
    Diner Dash
    DivX Converter
    DivX Plus DirectShow Filters
    DivX Setup
    DivX Version Checker
    Dream Day First Home
    eMachines Recovery Management
    Farm Frenzy
    Google Desktop
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    InterVideo WinDVD 8
    Java Auto Updater
    Java(TM) 6 Update 18
    Launch Manager
    LiveUpdate (Symantec Corporation)
    Mahjong Escape Ancient China
    Malwarebytes' Anti-Malware
    Marvell Miniport Driver
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Suite Activation Assistant
    Microsoft Office Word MUI (English) 2007
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    MobileMe Control Panel
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Musicnotes Software Suite 1.4.1
    Mystery Case Files - Huntsville
    Mystery Solitaire - Secret Island
    Norton 360
    Norton 360 (Symantec Corporation)
    Norton 360 HTMLHelp
    Norton Confidential Core
    Norton Security Scan
    NTI Backup Now 5
    NTI Backup Now Standard
    NTI Media Maker 8
    Realtek High Definition Audio Driver
    Rome - Total War
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Sid Meier's Railroad Tycoon
    Silent Hunter III
    SPBBC 32bit
    Steel Panthers World At War v8.20
    Symantec Real Time Storage Protection Component
    Symantec Technical Support Controls
    Synaptics Pointing Device Driver
    Turbo Pizza
    Unity Web Player
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    VC80CRTRedist - 8.0.50727.4053
    Virgin Media HUB 3.5.12
    WinZip 12.0
    Youda Camper
    Zuma Deluxe

    ==== End Of File ===========================
  8. dangermouseyork

    dangermouseyork Newcomer, in training Topic Starter

    got there in the end!

    Ok managed to complete all the steps, took a couple of tries due to links not working, and it taking forever to load pages.

    seem to be updated with windows, java and adobe.

    let me know if i have messed up anywhere along the line!

    your time and help is greatly appreciated.

    Thanks again.

  9. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    You're running two AV programs, Norton and Avira.
    One of them has to go.
    If Norton, make sure to use this tool to uninstall it:


    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.


    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it:
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.

    Make sure, you re-enable your security programs, when you're done with Combofix.


    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  10. dangermouseyork

    dangermouseyork Newcomer, in training Topic Starter


    Ok, will remove norton first thing in the morning, continue with the steps you requested, and keep you updated.

    (edit) norton was a free trial so should have removed it long ago as it has been doing nothing for about six months!

    many thanks once again.

  11. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Sure thing :)
  12. dangermouseyork

    dangermouseyork Newcomer, in training Topic Starter


    This may be a very stupid question, but how do i know which version of norton 360 i have installed?


  13. dangermouseyork

    dangermouseyork Newcomer, in training Topic Starter

    MBR check log

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Windows Version: Windows Vista Home Basic Edition
    Windows Information: Service Pack 1 (build 6001), 32-bit
    Base Board Manufacturer: eMachines
    BIOS Manufacturer: Phoenix Technologies LTD
    System Manufacturer: eMachines
    System Product Name: eMachines D620
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 138):
    0x81E05000 \SystemRoot\system32\ntkrnlpa.exe
    0x821BE000 \SystemRoot\system32\hal.dll
    0x8040F000 \SystemRoot\system32\kdcom.dll
    0x80417000 \SystemRoot\system32\PSHED.dll
    0x80428000 \SystemRoot\system32\BOOTVID.dll
    0x80430000 \SystemRoot\system32\CLFS.SYS
    0x80471000 \SystemRoot\system32\CI.dll
    0x80551000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x805CD000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x8060F000 \SystemRoot\system32\drivers\acpi.sys
    0x80655000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x8065E000 \SystemRoot\system32\drivers\msisadrv.sys
    0x80666000 \SystemRoot\system32\drivers\pci.sys
    0x8068D000 \SystemRoot\System32\drivers\partmgr.sys
    0x8069C000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x8069F000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x806A9000 \SystemRoot\system32\drivers\volmgr.sys
    0x806B8000 \SystemRoot\System32\drivers\volmgrx.sys
    0x80702000 \SystemRoot\system32\drivers\pciide.sys
    0x80709000 \SystemRoot\system32\drivers\PCIIDEX.SYS
    0x80717000 \SystemRoot\System32\drivers\mountmgr.sys
    0x80727000 \SystemRoot\System32\Drivers\UBHelper.sys
    0x8072F000 \SystemRoot\system32\drivers\atapi.sys
    0x80737000 \SystemRoot\system32\drivers\ataport.SYS
    0x80755000 \SystemRoot\system32\drivers\fltmgr.sys
    0x80787000 \SystemRoot\system32\drivers\fileinfo.sys
    0x85A0D000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x85A7E000 \SystemRoot\system32\drivers\ndis.sys
    0x85B89000 \SystemRoot\system32\drivers\msrpc.sys
    0x85BB4000 \SystemRoot\system32\drivers\NETIO.SYS
    0x85C07000 \SystemRoot\System32\drivers\tcpip.sys
    0x85CF0000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x85E0F000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x85F1E000 \SystemRoot\system32\drivers\volsnap.sys
    0x85F57000 \SystemRoot\System32\Drivers\spldr.sys
    0x85F5F000 \SystemRoot\System32\Drivers\mup.sys
    0x85F6E000 \SystemRoot\System32\drivers\ecache.sys
    0x85F95000 \SystemRoot\system32\drivers\disk.sys
    0x85FA6000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x85FC7000 \SystemRoot\system32\DRIVERS\AtiPcie.sys
    0x85FCF000 \SystemRoot\system32\drivers\crcdisk.sys
    0x85E00000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x85D0B000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0x85D14000 \SystemRoot\system32\DRIVERS\amdk8.sys
    0x85D24000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0x89609000 \SystemRoot\system32\DRIVERS\atikmdag.sys
    0x85D2D000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x89BA0000 \SystemRoot\System32\drivers\watchdog.sys
    0x89BAD000 \SystemRoot\system32\DRIVERS\yk60x86.sys
    0x89E08000 \SystemRoot\system32\DRIVERS\bcmwl6.sys
    0x89F0A000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x89F22000 \SystemRoot\system32\DRIVERS\NTIDrvr.sys
    0x89F2A000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    0x89F30000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0x89F3A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x89F78000 \SystemRoot\system32\DRIVERS\usbfilter.sys
    0x89F81000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x89F83000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x89F92000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x89FA4000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0x89FA8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x89FBB000 \SystemRoot\system32\DRIVERS\DKbFltr.sys
    0x89FC5000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x89FD0000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0x85DCC000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x80797000 \SystemRoot\system32\DRIVERS\msiscsi.sys
    0x8A006000 \SystemRoot\system32\DRIVERS\storport.sys
    0x8A047000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x8A052000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x8A069000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x8A074000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x8A097000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x8A0A6000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x8A0BA000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x8A0CF000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8A0DF000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x8A0E1000 \SystemRoot\system32\DRIVERS\ks.sys
    0x8A10B000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x8A115000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x8A122000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x8A156000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x8A40A000 \SystemRoot\system32\drivers\RTKVHDA.sys
    0x8A617000 \SystemRoot\system32\drivers\portcls.sys
    0x8A644000 \SystemRoot\system32\drivers\drmk.sys
    0x8A669000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x8A672000 \SystemRoot\System32\Drivers\Null.SYS
    0x8A679000 \SystemRoot\System32\Drivers\Beep.SYS
    0x8A680000 \SystemRoot\System32\drivers\vga.sys
    0x8A68C000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8A6AD000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x8A6B5000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8A6BD000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x8A6C8000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x8A6D6000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0x8A6DF000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x8A6F5000 \SystemRoot\system32\DRIVERS\smb.sys
    0x8A709000 \SystemRoot\system32\drivers\afd.sys
    0x8A751000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x8A783000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x8A799000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x8A7A7000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x8A7BA000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
    0x8A7C0000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x8A400000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x8A167000 \SystemRoot\System32\Drivers\dfsc.sys
    0x8A17E000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0x8A1A4000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x8A1B1000 \SystemRoot\System32\Drivers\dump_dumpata.sys
    0x8A1BC000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0x91820000 \SystemRoot\System32\win32k.sys
    0x8A1C4000 \SystemRoot\System32\drivers\Dxapi.sys
    0x8A1CE000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x91A40000 \SystemRoot\System32\TSDDD.dll
    0x91A60000 \SystemRoot\System32\cdd.dll
    0x8A1DD000 \SystemRoot\system32\drivers\luafv.sys
    0x85FD8000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0x85FED000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x807C5000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x85DD7000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x85DE1000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x94C0D000 \SystemRoot\system32\drivers\HTTP.sys
    0x94C7A000 \SystemRoot\system32\drivers\spsys.sys
    0x94D29000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0x94D46000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x94D5F000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x94D74000 \SystemRoot\system32\drivers\mrxdav.sys
    0x94D94000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x94DB3000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x805DA000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x95807000 \SystemRoot\System32\DRIVERS\srv2.sys
    0x9582F000 \SystemRoot\System32\DRIVERS\srv.sys
    0x95895000 \??\C:\Windows\system32\drivers\int15.sys
    0x9589C000 \SystemRoot\system32\drivers\peauth.sys
    0x9597A000 \SystemRoot\system32\drivers\regi.sys
    0x9597C000 \SystemRoot\System32\Drivers\secdrv.SYS
    0x95986000 \SystemRoot\System32\drivers\tcpipreg.sys
    0x95992000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0x771E0000 \Windows\System32\ntdll.dll

    Processes (total 74):
    0 System Idle Process
    4 System
    412 C:\Windows\System32\smss.exe
    480 csrss.exe
    540 C:\Windows\System32\wininit.exe
    548 csrss.exe
    592 C:\Windows\System32\winlogon.exe
    620 C:\Windows\System32\services.exe
    636 C:\Windows\System32\lsass.exe
    644 C:\Windows\System32\lsm.exe
    840 C:\Windows\System32\svchost.exe
    920 C:\Windows\System32\svchost.exe
    1100 C:\Windows\System32\Ati2evxx.exe
    1116 C:\Windows\System32\svchost.exe
    1148 C:\Windows\System32\svchost.exe
    1168 C:\Windows\System32\svchost.exe
    1252 C:\Windows\System32\audiodg.exe
    1272 C:\Windows\System32\svchost.exe
    1296 C:\Windows\System32\SLsvc.exe
    1316 C:\Windows\System32\svchost.exe
    1444 C:\Windows\System32\Ati2evxx.exe
    1492 C:\Windows\System32\svchost.exe
    1700 C:\Windows\System32\wlanext.exe
    1812 C:\Windows\System32\spoolsv.exe
    1872 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    1892 C:\Windows\System32\svchost.exe
    296 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    396 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    436 C:\Program Files\Bonjour\mDNSResponder.exe
    460 C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
    536 C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
    788 C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    1008 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    1328 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    1484 C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
    616 C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
    1936 C:\Windows\System32\svchost.exe
    1736 C:\Program Files\Virgin Media\HUB\ServicepointService.exe
    1244 C:\Windows\System32\svchost.exe
    1964 C:\Windows\System32\svchost.exe
    2072 C:\Windows\System32\SearchIndexer.exe
    2316 C:\Windows\System32\taskeng.exe
    2648 C:\Windows\System32\taskeng.exe
    2224 C:\Windows\System32\dwm.exe
    2468 C:\Windows\explorer.exe
    3148 C:\Windows\RtHDVCpl.exe
    3436 C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
    3524 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    3504 C:\Windows\System32\wuauclt.exe
    3336 C:\Program Files\Launch Manager\LManager.exe
    3472 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    3636 C:\Program Files\iTunes\iTunesHelper.exe
    1852 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    3904 C:\Program Files\Virgin Media\HUB\VirginMediaHUB.exe
    3900 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    3944 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    3232 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    1360 C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    3228 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    2688 C:\Users\Sammy\AppData\Local\Temp\RtkBtMnt.exe
    2356 C:\Program Files\iPod\bin\iPodService.exe
    1640 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    1004 WmiPrvSE.exe
    4844 C:\Program Files\Virgin Media\HUB\VirginMediaHUBComHandler.exe
    3460 C:\Program Files\Internet Explorer\iexplore.exe
    4868 C:\Program Files\Internet Explorer\iexplore.exe
    2436 C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
    5144 C:\Windows\System32\Macromed\Flash\FlashUtil10e.exe
    6020 C:\Program Files\Internet Explorer\iexplore.exe
    3512 C:\Windows\System32\SearchProtocolHost.exe
    4184 C:\Windows\System32\SearchFilterHost.exe
    1672 WmiPrvSE.exe
    4628 <unknown>
    3664 C:\Users\Sammy\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`71100000 (NTFS)

    PhysicalDrive0 Model Number: ST9160310AS, Rev: 0303

    Size Device Name MBR Status
    149 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: F85B7CD526802923C3EA061081FBF03E1B7455C7

    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

  14. dangermouseyork

    dangermouseyork Newcomer, in training Topic Starter

    combfix log

    ComboFix 11-01-07.02 - Sammy 08/01/2011 18:01:49.1.1 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.765.293 [GMT 0:00]
    Running from: c:\users\Sammy\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    ((((((((((((((((((((((((( Files Created from 2010-12-08 to 2011-01-08 )))))))))))))))))))))))))))))))

    2011-01-08 18:14 . 2011-01-08 18:14 -------- d-----w- c:\users\Sammy\AppData\Local\temp
    2011-01-07 14:02 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
    2011-01-07 13:59 . 2010-11-02 06:03 638232 ----a-w- c:\program files\Internet Explorer\iexplore.exe
    2011-01-07 12:56 . 2011-01-07 12:56 -------- d-----w- c:\users\Sammy\AppData\Roaming\Malwarebytes
    2011-01-07 12:56 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-07 12:56 . 2011-01-07 12:56 -------- d-----w- c:\programdata\Malwarebytes
    2011-01-07 12:56 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-07 12:56 . 2011-01-07 12:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-07 12:03 . 2011-01-07 12:03 -------- d-----w- c:\users\Sammy\AppData\Roaming\Avira
    2011-01-07 11:53 . 2010-12-13 08:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-01-07 11:53 . 2010-12-13 08:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-01-07 11:52 . 2011-01-07 11:52 -------- d-----w- c:\programdata\Avira
    2011-01-07 11:52 . 2011-01-07 11:52 -------- d-----w- c:\program files\Avira
    2011-01-04 22:22 . 2011-01-04 22:35 -------- d-----w- c:\programdata\DivX
    2011-01-04 18:29 . 2011-01-04 18:29 -------- d-----w- c:\program files\BitTorrent
    2011-01-04 18:28 . 2011-01-07 01:51 -------- d-----w- c:\users\Sammy\AppData\Roaming\BitTorrent
    2010-12-31 01:33 . 2010-12-31 01:33 -------- d-----w- c:\users\Matthew\AppData\Roaming\Apple Computer
    2010-12-31 01:33 . 2010-12-31 01:33 -------- d-----w- c:\users\Matthew\AppData\Roaming\Virgin Media
    2010-12-21 14:50 . 2010-12-21 14:50 -------- d-----w- c:\program files\Common Files\Windows Live
    2010-12-17 18:02 . 2010-10-12 15:48 33280 ----a-w- c:\program files\Windows Mail\wabfind.dll
    2010-12-17 18:02 . 2010-10-12 13:52 66048 ----a-w- c:\program files\Windows Mail\wabmig.exe
    2010-12-17 18:02 . 2010-10-12 13:52 515584 ----a-w- c:\program files\Windows Mail\wab.exe
    2010-12-17 18:01 . 2010-10-18 13:56 2037248 ----a-w- c:\windows\system32\win32k.sys
    2010-12-17 18:01 . 2010-11-06 11:10 357376 ----a-w- c:\windows\system32\taskschd.dll
    2010-12-17 18:01 . 2010-11-06 11:09 603648 ----a-w- c:\windows\system32\schedsvc.dll
    2010-12-17 18:01 . 2010-11-06 11:10 345088 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2010-12-17 18:01 . 2010-11-05 00:53 171520 ----a-w- c:\windows\system32\taskeng.exe
    2010-12-17 18:01 . 2010-11-06 11:10 270336 ----a-w- c:\windows\system32\taskcomp.dll
    2010-12-17 18:01 . 2010-10-18 14:01 81920 ----a-w- c:\windows\system32\consent.exe
    2010-12-17 18:01 . 2010-10-28 13:03 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-17 18:01 . 2010-10-28 15:02 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-12-17 18:01 . 2010-06-16 15:12 72704 ----a-w- c:\windows\system32\fontsub.dll
    2010-12-17 17:59 . 2010-10-28 12:56 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-12-17 17:57 . 2010-11-03 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2010-12-17 12:55 . 2010-12-17 12:55 -------- d-----w- c:\users\Sammy\AppData\Roaming\Virgin Media
    2010-12-17 12:54 . 2010-12-17 12:55 -------- d-----w- c:\programdata\Radialpoint
    2010-12-17 12:54 . 2010-12-17 12:54 -------- d-----w- c:\programdata\Virgin Media
    2010-12-17 12:54 . 2010-12-17 12:54 -------- d-----w- c:\program files\Virgin Media
    2010-12-15 21:07 . 2010-12-15 21:07 -------- d-----w- c:\programdata\Oberonv1005
    2010-12-12 20:10 . 2010-12-12 20:10 -------- d-----w- c:\programdata\Oberon Games

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    2010-11-12 00:44 . 2010-11-12 00:44 94208 ----a-w- c:\windows\system32\dpl100.dll
    2010-11-08 22:57 . 2010-11-08 22:57 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    *Note* empty entries & legit default entries are not shown

    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-15 68856]

    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-07-14 6253088]
    "BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-09-02 809480]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-30 30192]
    "WarReg_PopUp"="c:\program files\eMachines\WR_PopUp\WarReg_PopUp.exe" [2008-05-09 49152]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "VirginMediaHUB.exe"="c:\program files\Virgin Media\HUB\VirginMediaHUB.exe" [2009-12-14 4277488]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-12-09 1226608]
    "DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

    c:\users\Sammy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 135664]
    R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-04 131072]
    R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-30 30192]
    R3 WisINT15;WisINT15;c:\windows\System32\OEM\factory\WisINT15.SYS [x]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-12-13 135336]
    S2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
    S2 ETService;Empowering Technology Service;c:\program files\EMACHINES\eMachines Recovery Management\Service\ETService.exe [2008-06-11 24576]
    S2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-07 50424]
    S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
    S2 ServicepointService;ServicepointService;c:\program files\Virgin Media\HUB\ServicepointService.exe [2009-12-14 668912]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2008-05-29 22072]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    Contents of the 'Scheduled Tasks' folder

    2011-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 13:29]

    2011-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 13:29]

    2011-01-07 c:\windows\Tasks\Norton Security Scan for Sammy.job
    - c:\program files\Norton Security Scan\Engine\\Nss.exe [2010-09-21 05:32]
    ------- Supplementary Scan -------
    uStart Page = hxxp://
    mStart Page = hxxp://
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    DPF: {000F1EA4-5E08-4564-A29B-29076F63A37A} - hxxp://
    DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-eRecoveryService - (no file)
    AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe


    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
    Rootkit scan 2011-01-08 18:14
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    Completion time: 2011-01-08 18:20:23
    ComboFix-quarantined-files.txt 2011-01-08 18:20

    Pre-Run: 70,448,586,752 bytes free
    Post-Run: 70,421,819,392 bytes free

    - - End Of File - - D15F581842AF88D14820578F3674F100
  15. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Combofix looks good, but MBR doesn't.
    We need to double check it....

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip:
    • After extracing remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
  16. dangermouseyork

    dangermouseyork Newcomer, in training Topic Starter

    Was it me?

    Did i do something wrong along the way?

    I was also wondering what I am actually doing with these tools?

    Might help me understand a little more!

    Thanks again, you have been fantastic!


    Bootkit Remover
    (c) 2009 eSage Lab

    Program version:
    OS Version: Microsoft Windows Vista Home Basic Edition Service Pack 1 (build 600
    1), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000002`71100000
    Boot sector MD5 is: c3f4814ee2c87f8f4fc3acd72454a04d

    Size Device Name MBR Status
    149 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>

    Press any key to quit...
  17. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    You did everything just fine.
    What are we doing?
    Checking, if your computer is clean.

    We need to fix your MBR...

    Please download NTBR by noahdfear and save it to your Desktop.
    File size: 2.44 MB (2,565,432 bytes)

    • Place a blank CD in your CD drive.
    • Double click on NTBR_CD.exe file and a folder of the same name will appear.
    • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
    • Follow the prompts to burn the CD.
    • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
    • Insert the newly created CD into your infected PC and reboot your computer.
    • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
    • Read the warning and then continue as prompted.
    • You first need to select your keyboard layout - press Enter for English.
    • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
    • On the following screen enter 5 to select Install Standard MBR code.
    • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
    • When asked to confirm please do so.
    • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
    • Eject the disc and then press ctrl+alt+del to reboot the PC.
    Once rebooted, run MBRCheck again and post its log.

    **Important note to Dell users - fixing the MBR may prevent access the the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. If this is Dell computer, let me know before proceeding.
Topic Status:
Not open for further replies.

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...

Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.