TechSpot

Malware check please

By NineMilesHigh
Dec 27, 2010
    Hi.
    Thanks in advance for any help.
    I opened a thread in the BSOD forum as after getting the System Tool virus, my Windows XP system was giving a blue screen error and would not reboot - looked like disk corruption. I got some help from Route44. After running chkdsk /r the system started to reboot ok, but I would like to check if all malware is gone, so I have run through the 8-part process recommended.
    Below are the logs:-

    MBAM:-
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5403

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    27/12/2010 20:01:05
    mbam-log-2010-12-27 (20-01-05).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 337923
    Time elapsed: 3 hour(s), 49 minute(s), 43 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\RP2549\A0630966.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\RP2553\A0631265.dll (Adware.Agent) -> Quarantined and deleted successfully.

    GMER:-
    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-12-27 22:13:14
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 Maxtor_6Y080L0 rev.YAR41BW0
    Running: kk2dyyhv.exe; Driver: C:\DOCUME~1\William\LOCALS~1\Temp\kwtdipow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----

    DDS:- Attach

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 20/12/2003 18:58:12
    System Uptime: 27/12/2010 20:02:10 (2 hours ago)

    Motherboard: Dell Computer Corp. | | 0N2828
    Processor: Intel(R) Pentium(R) 4 CPU 3.06GHz | Microprocessor | 3059/533mhz
    Processor: Intel(R) Pentium(R) 4 CPU 3.06GHz | Microprocessor | 3059/533mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 74 GiB total, 4.124 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is FIXED (FAT) - 2 GiB total, 1.993 GiB free.
    G: is FIXED (NTFS) - 26 GiB total, 15.175 GiB free.

    ==== Disabled Device Manager Items =============

    Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
    Description: Nokia 6303 classic
    Device ID: ROOT\WPD\0000
    Manufacturer: Nokia
    Name: Nokia 6303 classic
    PNP Device ID: ROOT\WPD\0000
    Service: WUDFRd

    ==== System Restore Points ===================

    RP2491: 13/11/2010 13:37:40 - Software Distribution Service 3.0
    RP2492: 14/11/2010 01:36:46 - Software Distribution Service 3.0
    RP2493: 15/11/2010 02:52:26 - System Checkpoint
    RP2494: 15/11/2010 02:54:27 - Software Distribution Service 3.0
    RP2495: 16/11/2010 04:09:05 - Software Distribution Service 3.0
    RP2496: 17/11/2010 00:38:09 - Software Distribution Service 3.0
    RP2497: 18/11/2010 00:53:39 - System Checkpoint
    RP2498: 18/11/2010 03:01:14 - Software Distribution Service 3.0
    RP2499: 19/11/2010 00:53:14 - Software Distribution Service 3.0
    RP2500: 19/11/2010 21:20:51 - Removed Ask Toolbar.
    RP2501: 20/11/2010 01:33:22 - Software Distribution Service 3.0
    RP2502: 21/11/2010 01:36:46 - Software Distribution Service 3.0
    RP2503: 21/11/2010 23:52:04 - Software Distribution Service 3.0
    RP2504: 23/11/2010 00:18:25 - System Checkpoint
    RP2505: 23/11/2010 03:37:11 - Software Distribution Service 3.0
    RP2506: 24/11/2010 01:56:34 - Software Distribution Service 3.0
    RP2507: 24/11/2010 14:29:19 - Installed Nitro PDF Professional
    RP2508: 25/11/2010 01:36:28 - Software Distribution Service 3.0
    RP2509: 25/11/2010 11:15:31 - Printer Driver CutePDF Writer Installed
    RP2510: 25/11/2010 23:04:23 - Removed Ask Toolbar.
    RP2511: 26/11/2010 01:04:57 - Software Distribution Service 3.0
    RP2512: 27/11/2010 00:53:54 - Software Distribution Service 3.0
    RP2513: 27/11/2010 23:29:13 - Software Distribution Service 3.0
    RP2514: 28/11/2010 23:54:55 - System Checkpoint
    RP2515: 29/11/2010 00:04:23 - Software Distribution Service 3.0
    RP2516: 30/11/2010 00:37:06 - System Checkpoint
    RP2517: 30/11/2010 00:53:28 - Software Distribution Service 3.0
    RP2518: 30/11/2010 23:50:51 - Software Distribution Service 3.0
    RP2519: 02/12/2010 02:21:20 - System Checkpoint
    RP2520: 02/12/2010 02:30:27 - Software Distribution Service 3.0
    RP2521: 02/12/2010 23:59:22 - Software Distribution Service 3.0
    RP2522: 04/12/2010 00:20:56 - Software Distribution Service 3.0
    RP2523: 04/12/2010 23:54:41 - Software Distribution Service 3.0
    RP2524: 06/12/2010 00:07:15 - Software Distribution Service 3.0
    RP2525: 07/12/2010 00:04:52 - Software Distribution Service 3.0
    RP2526: 07/12/2010 22:59:45 - Software Distribution Service 3.0
    RP2527: 08/12/2010 22:48:46 - Software Distribution Service 3.0
    RP2528: 09/12/2010 11:36:50 - Installed Sibelius 6
    RP2529: 10/12/2010 02:34:40 - Software Distribution Service 3.0
    RP2530: 11/12/2010 00:15:22 - Software Distribution Service 3.0
    RP2531: 12/12/2010 00:33:03 - System Checkpoint
    RP2532: 12/12/2010 00:34:39 - Software Distribution Service 3.0
    RP2533: 12/12/2010 23:31:31 - Software Distribution Service 3.0
    RP2534: 13/12/2010 23:24:10 - Software Distribution Service 3.0
    RP2535: 14/12/2010 00:05:05 - Software Distribution Service 3.0
    RP2536: 15/12/2010 00:08:05 - Software Distribution Service 3.0
    RP2537: 16/12/2010 01:02:40 - System Checkpoint
    RP2538: 16/12/2010 03:04:29 - Software Distribution Service 3.0
    RP2539: 17/12/2010 01:32:44 - Software Distribution Service 3.0
    RP2540: 18/12/2010 00:45:54 - Software Distribution Service 3.0
    RP2541: 19/12/2010 01:30:12 - System Checkpoint
    RP2542: 19/12/2010 03:51:42 - Software Distribution Service 3.0
    RP2543: 19/12/2010 23:42:39 - Software Distribution Service 3.0
    RP2544: 21/12/2010 01:35:07 - Software Distribution Service 3.0
    RP2545: 22/12/2010 00:03:35 - Software Distribution Service 3.0
    RP2546: 23/12/2010 01:57:02 - Software Distribution Service 3.0
    RP2547: 23/12/2010 23:52:04 - Software Distribution Service 3.0
    RP2548: 24/12/2010 23:46:05 - Software Distribution Service 3.0
    RP2549: 26/12/2010 01:45:08 - Software Distribution Service 3.0
    RP2550: 27/12/2010 12:49:24 - Removed Microsoft Visual C++ 2005 Redistributable
    RP2551: 27/12/2010 12:51:44 - Installed SeaTools for Windows
    RP2552: 27/12/2010 14:27:56 - Installed Java(TM) 6 Update 23
    RP2553: 27/12/2010 14:33:50 - Removed Adobe Reader 9.4.1.

    ==== Installed Programs ======================

    1.6
    32 Bit HP CIO Components Installer
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Photoshop 6.0
    Adobe Reader X
    Adobe Shockwave Player 11.5
    AOL Uninstaller (Choose which Products to Remove)
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Avira AntiVir Personal - Free Antivirus
    BCM V.92 56K Modem
    BitZipper 2010
    Bonjour
    BufferChm
    Camera Window
    Canon Camera Window for ZoomBrowser EX
    Canon Internet Library for ZoomBrowser EX
    Canon RAW Image Task for ZoomBrowser EX
    Canon RemoteCapture Task for ZoomBrowser EX
    Canon Utilities File Viewer Utility 1.3
    Canon Utilities PhotoStitch 3.1
    Canon Utilities RemoteCapture 2.7
    CCleaner
    CDBurnerXP Pro 3
    CdCoverCreator 2.5.3
    Chords & Scales
    CIG
    Copy
    Corel VideoStudio 12
    CutePDF Writer 2.8
    DA920EN
    Delta
    Destinations
    DeviceDiscovery
    Digidesign D-Fi
    Digidesign D-fx
    DJ_AIO_06_F2400_SW_Min
    DVDSentry
    Easy CD and DVD Cover Creator 4.12
    F2400
    File Viewer Utility 1.3.2
    Focusrite d3
    FrostWire 4.21.1
    getPlus(R) Download Manager for Corel
    Google Update Helper
    GPBaseService2
    GrooveBox
    Guitar Pro 5.2
    HDDlife
    HiJackThis
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB942288-v3)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Deskjet F2400 All-In-One Driver Software 13.0 Rel .6
    HP Imaging Device Functions 13.0
    HP Print Projects 1.0
    HP Solution Center 13.0
    HP Update
    hpPrintProjects
    HPProductAssistant
    hpWLPGInstaller
    Intel(R) PRO Network Adapters and Drivers
    iPod for Windows 2005-03-23
    iPod for Windows 2006-01-10
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 23
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Data Access Components KB870669
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.5
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MSVC80_x86
    MSVCRT
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    Nitro PDF Professional
    NVIDIA Drivers
    PC Connectivity Solution
    PhotoStitch
    Pinnacle Studio 14
    Pinnacle Video Driver
    PNY Vibe MP3 Player
    QuickTime
    RAW Image Task
    Reason 3.0.4
    RegScrubXP 3.25
    RemoteCapture 2.7.5
    RemoteCapture Task
    SafeCast Shared Components
    Scan
    SeaTools for Windows
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Segoe UI
    Sibelius 6
    Sibelius Scorch (ActiveX Only)
    SmartSound Quicktracks Plugin
    SolutionCenter
    SPT-667 Phrase Trainer 1
    Status
    Steinberg SX Unlocked VST Plugins Pack 1
    Steinberg SX Unlocked VST Plugins Pack 2
    System Requirements Lab
    System Tool2011
    Toolbox
    TrayApp
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    USB Device Driver 3.00P
    VideoStudio
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player Hotfix [See Q828026 for more information]
    WinZip 14.0
    XviD MPEG-4 Video Codec

    ==== Event Viewer Messages From Past Week ========

    27/12/2010 14:08:39, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    27/12/2010 12:32:59, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the COM+ System Application service, but this action failed with the following error: An instance of the service is already running.
    27/12/2010 12:32:58, error: Service Control Manager [7031] - The COM+ System Application service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
    26/12/2010 22:56:17, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    26/12/2010 22:21:00, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    26/12/2010 22:20:54, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ssmdrv Tcpip
    26/12/2010 22:20:54, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
    26/12/2010 22:20:54, error: Service Control Manager [7001] - The QoS RSVP service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
    26/12/2010 22:20:54, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    26/12/2010 22:20:54, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    26/12/2010 22:20:54, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning.
    26/12/2010 22:20:54, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    26/12/2010 22:20:54, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    26/12/2010 22:20:44, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    26/12/2010 15:14:55, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    26/12/2010 15:05:06, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Apple Mobile Device service to connect.
    26/12/2010 15:05:06, error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    26/12/2010 15:04:04, error: Service Control Manager [7034] - The WMI Performance Adapter service terminated unexpectedly. It has done this 1 time(s).
    26/12/2010 15:04:04, error: Service Control Manager [7034] - The WMDM PMSP Service service terminated unexpectedly. It has done this 1 time(s).
    26/12/2010 15:04:04, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    26/12/2010 15:04:04, error: Service Control Manager [7034] - The NLS Service service terminated unexpectedly. It has done this 1 time(s).
    26/12/2010 15:04:04, error: Service Control Manager [7034] - The NitroPDFDriverCreatorReadSpool service terminated unexpectedly. It has done this 1 time(s).
    26/12/2010 15:04:04, error: Service Control Manager [7034] - The LexBce Server service terminated unexpectedly. It has done this 1 time(s).
    26/12/2010 15:04:04, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    26/12/2010 15:04:04, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    26/12/2010 15:04:04, error: Service Control Manager [7034] - The IMAPI CD-Burning COM Service service terminated unexpectedly. It has done this 1 time(s).
    26/12/2010 15:04:04, error: Service Control Manager [7034] - The C-DillaCdaC11BA service terminated unexpectedly. It has done this 1 time(s).
    26/12/2010 15:04:04, error: Service Control Manager [7034] - The AOL Connectivity Service service terminated unexpectedly. It has done this 1 time(s).
    26/12/2010 15:04:04, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    24/12/2010 23:46:12, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft XML Core Services 6.0 Service Pack 2 (KB954459).
    24/12/2010 07:42:25, error: Service Control Manager [7000] - The Upload Manager service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
    24/12/2010 07:42:25, error: Service Control Manager [7000] - The Panasonic Digital Palmcorder service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    23/12/2010 09:39:10, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
    23/12/2010 09:39:10, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    23/12/2010 09:39:10, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
    21/12/2010 11:17:18, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    21/12/2010 11:16:29, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.

    ==== End Of File ===========================

    DDS:-

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by William at 22:16:25.17 on 27/12/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2559.1919 [GMT 0:00]

    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\WINDOWS\system32\imapi.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
    C:\WINDOWS\system32\NLSSRV32.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\WINDOWS\system32\DeltTray.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\AOL\1261605241\ee\AOLSoftware.exe
    C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\William\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.bbc.co.uk/
    uInternet Connection Wizard,ShellNext = iexplore
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: {2E608F70-C430-4BC5-96F6-608E02EBA5B2} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    {555d4d79-4bd2-4094-a395-cfc534424a05}
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [DeltTray] DeltTray.exe
    mRun: [BCMSMMSG] BCMSMMSG.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [HostManager] c:\program files\common files\aol\1261605241\ee\AOLSoftware.exe
    mRun: [USBToolTip] c:\progra~1\pinnacle\shared~1\programs\usbtip\USBTip.exe
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    uPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
    DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
    DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/msnmessengersetupdownloader.cab
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-27 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-27 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-27 267944]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-27 61960]
    R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2010-10-20 196928]
    R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2010-10-20 67904]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-8-26 133104]
    S3 FTLUND;Lundinova Filter Driver;c:\windows\system32\drivers\ftlund.sys [2008-1-28 6828]
    S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2009-8-3 17408]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2002-8-29 14336]

    =============== Created Last 30 ================

    2010-12-27 15:45:21 -------- d-----w- c:\docume~1\william\applic~1\Avira
    2010-12-27 15:39:12 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-12-27 15:39:11 -------- d-----w- c:\program files\Avira
    2010-12-27 15:39:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2010-12-27 14:28:43 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-12-27 12:51:52 11264 ----a-r- c:\docume~1\william\applic~1\microsoft\installer\{98613c99-1399-416c-a07c-1ee1c585d872}\Icon98613C992.exe
    2010-12-27 12:51:46 -------- d-----w- c:\program files\Seagate
    2010-12-27 12:49:01 -------- d-----w- c:\program files\common files\Wise Installation Wizard
    2010-12-26 14:56:21 0 ----a-w- c:\windows\Tsehahedil.bin
    2010-12-26 14:56:16 -------- d-----w- c:\docume~1\william\locals~1\applic~1\{4F5CD3E9-C7BC-428B-AA17-6895598319D8}
    2010-12-26 14:53:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\mIcLl06511
    2010-12-09 11:40:19 -------- d-----w- c:\docume~1\alluse~1\applic~1\Sibelius Software
    2010-12-09 11:27:16 17464 ----a-w- c:\windows\gboxdrum.dat
    2010-12-09 11:27:15 92728 ----a-w- c:\windows\gbox.dat
    2010-12-09 11:27:02 -------- d-----w- c:\program files\GrooveBox
    2010-12-09 11:23:35 -------- d-----w- c:\program files\Chords & Scales
    2010-12-09 11:18:54 -------- d-----w- c:\program files\PhraseTrainer
    2010-12-09 11:16:13 -------- d-----w- c:\program files\Desktop Metronome

    ==================== Find3M ====================

    2010-11-12 16:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-10-20 17:41:22 67904 ----a-w- c:\windows\system32\NLSSRV32.EXE
    2010-10-20 17:38:58 17728 ----a-w- c:\windows\system32\nitrolocalui.dll
    2010-10-20 17:38:56 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll

    ============= FINISH: 22:17:59.76 ===============

    These look like long files - hope it is OK to paste them in as requested.

    Thanks
    William.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to this part of TechSpot! How do you like our team effort?!

    Yes, pasting is a good thing! We no longer review attached logs unless we have specifically directed the attachment.

    I see you did have Trojan.FakeAlert and Adware.Agent which only show in the restore points- they aren't active in the system and I'll have you drop those restore points at the end. Please do not use the System Restore feature while I'm helping you.

    P2P or 'file sharing' Warning:
    You are using FrostWire, which is a Gnutella Peer-to-Peer client
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. Be aware that file sharing is a source of malware and I suggest that you uninstall it for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.
    =================================================
    There are a couple of entries that need checking, so I'd like you to run the following:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    =================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    You can uninstall the HijackThis v2.0.2 as it is outdated. I'll give you a new link later.

    There are 3 entries from the same date that I can't ID- do you know what they are?
    2010-12-26 14:56:21 c:\windows\Tsehahedil.bin
    2010-12-26 14:56:16 c:\docume~1\william\locals~1\applic~1\{4F5CD3E9-C7BC-428B-AA17-6895598319D8}
    2010-12-26 14:53:59 c:\docume~1\alluse~1\applic~1\mIcLl06511
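An added example, not from this thread or from any of the tools it mentions, of the triage the helper does by hand above: it parses DDS "Created Last 30" lines, groups creations that fall within a few minutes of each other, and flags entries that sit in no known vendor folder and have the name shapes of the three unidentified entries (a GUID folder directly under Application Data, mixed-case letters followed by digits, a zero-byte file in the Windows root). The vendor allowlist and the name heuristics are assumptions chosen for this log, and the sample lines are copied from the DDS output in the thread.

```python
"""Triage of DDS 'Created Last 30' entries: cluster by creation time and flag
entries that match no known vendor folder and have suspicious name shapes."""
import re
from datetime import datetime, timedelta

# One DDS line: "<date> <time> <size or -------->  <attrs>  <path>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\S+)\s+(?P<attr>\S+)\s+(?P<path>.+?)\s*$"
)

# Assumed allowlist: vendor path fragments (lowercase) that appear in this log.
KNOWN_VENDOR_FRAGMENTS = (
    "\\avira", "\\java", "\\seagate", "\\wise installation wizard",
    "\\sibelius software", "\\groovebox", "\\chords & scales",
    "\\phrasetrainer", "\\desktop metronome", "\\microsoft\\installer\\",
)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Letters in both cases followed by a run of digits (e.g. mIcLl06511).
MIXED_CASE_DIGITS_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{4,}\d{3,}$")
ROOT_DIRS = ("c:\\windows",)  # files dropped directly here deserve a look

# Constructed sample: lines taken from the DDS log posted in this thread.
DDS_LINES = r"""
2010-12-27 15:45:21 -------- d-----w- c:\docume~1\william\applic~1\Avira
2010-12-27 15:39:12 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-12-27 14:28:43 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-26 14:56:21 0 ----a-w- c:\windows\Tsehahedil.bin
2010-12-26 14:56:16 -------- d-----w- c:\docume~1\william\locals~1\applic~1\{4F5CD3E9-C7BC-428B-AA17-6895598319D8}
2010-12-26 14:53:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\mIcLl06511
2010-12-09 11:27:16 17464 ----a-w- c:\windows\gboxdrum.dat
2010-12-09 11:27:02 -------- d-----w- c:\program files\GrooveBox
"""


def parse_created_lines(text):
    """Turn DDS 'Created Last 30' lines into dicts; unparseable lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "size": None if m["size"].startswith("-") else int(m["size"]),
            "is_dir": m["attr"].startswith("d"),
            "path": m["path"],
        })
    return entries


def is_known_vendor(path):
    return any(f in path.lower() for f in KNOWN_VENDOR_FRAGMENTS)


def name_reasons(entry):
    """Heuristic reasons an entry deserves a closer look (empty list = nothing odd)."""
    if is_known_vendor(entry["path"]):
        return []
    parent, _, base = entry["path"].rpartition("\\")
    reasons = []
    if GUID_RE.match(base) and parent.lower().endswith("applic~1"):
        reasons.append("GUID-named folder directly under Application Data")
    if MIXED_CASE_DIGITS_RE.match(base):
        reasons.append("mixed-case letters followed by digits (randomised name)")
    if parent.lower() in ROOT_DIRS and not entry["is_dir"] and entry["size"] == 0:
        reasons.append("zero-byte file dropped in the Windows root")
    return reasons


def cluster_by_time(entries, window):
    """Group entries whose creation times are within `window` of a neighbour."""
    clusters, current = [], []
    for e in sorted(entries, key=lambda x: x["ts"]):
        if current and e["ts"] - current[-1]["ts"] > window:
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)
    return clusters


def triage(text, window_minutes=10):
    """Flag suspicious entries plus any unallowlisted neighbour created in the
    same time cluster, which is the 'same date, can't ID' reasoning above."""
    flagged = []
    for cluster in cluster_by_time(parse_created_lines(text),
                                   timedelta(minutes=window_minutes)):
        hits = [(e, name_reasons(e)) for e in cluster]
        if not any(r for _, r in hits):
            continue  # nothing odd in this burst of creations
        for e, r in hits:
            if r:
                flagged.append({"ts": e["ts"], "path": e["path"], "reasons": r})
            elif not is_known_vendor(e["path"]):
                flagged.append({"ts": e["ts"], "path": e["path"], "reasons": [
                    "created within %d min of a flagged entry" % window_minutes]})
    return flagged


if __name__ == "__main__":
    for hit in triage(DDS_LINES):
        print(hit["ts"], hit["path"], "|", "; ".join(hit["reasons"]))
```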
     
  3. NineMilesHigh

    NineMilesHigh TS Rookie Topic Starter Posts: 56

    Update

    Hi Bobbye.

    Update as follows:-
    Uninstalled Frostwire.
    Uninstalled old version of Hijackthis.
    ----------------------------------------------
    Ran Eset - log below....

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6419
    # api_version=3.0.2
    # EOSSerial=f7eab1cd47731b4c816f6feb51ae850f
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-12-28 10:33:31
    # local_time=2010-12-28 10:33:31 (+0000, GMT Standard Time)
    # country="United Kingdom"
    # lang=9
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 76757 76757 0 0
    # compatibility_mode=768 16777215 100 0 0 0 0 0
    # compatibility_mode=1024 16777215 100 0 0 0 0 0
    # compatibility_mode=1797 16775141 100 93 91744 30101248 103707 0
    # compatibility_mode=8192 67108863 100 0 3806 3806 0 0
    # scanned=147779
    # found=0
    # cleaned=0
    # scan_time=7314
    ---------------------------------------------------------------------

    Then ran Combofix - log below....

    ComboFix 10-12-26.01 - William 28/12/2010 22:53:15.5.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2559.1997 [GMT 0:00]
    Running from: c:\documents and settings\William\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Application Data\Microsoft
    c:\documents and settings\William\Application Data\Adobe\AdobeUpdate .exe
    c:\documents and settings\William\Application Data\Adobe\plugs
    c:\documents and settings\William\Local Settings\Application Data\{4F5CD3E9-C7BC-428B-AA17-6895598319D8}
    c:\documents and settings\William\Local Settings\Application Data\{4F5CD3E9-C7BC-428B-AA17-6895598319D8}\chrome.manifest
    c:\documents and settings\William\Local Settings\Application Data\{4F5CD3E9-C7BC-428B-AA17-6895598319D8}\chrome\content\_cfg.js
    c:\documents and settings\William\Local Settings\Application Data\{4F5CD3E9-C7BC-428B-AA17-6895598319D8}\chrome\content\overlay.xul
    c:\documents and settings\William\Local Settings\Application Data\{4F5CD3E9-C7BC-428B-AA17-6895598319D8}\install.rdf
    c:\documents and settings\William\Start Menu\Programs\System Tool
    c:\documents and settings\William\Start Menu\Programs\System Tool\System Tool 2011.lnk
    c:\windows\BackUp
    c:\windows\BackUp\S\50916000.DAT
    c:\windows\system\msconfig.exe
    c:\windows\system32\_005028_.tmp.dll
    c:\windows\system32\_005029_.tmp.dll
    c:\windows\system32\_005030_.tmp.dll
    c:\windows\system32\_005031_.tmp.dll
    c:\windows\system32\_005038_.tmp.dll
    c:\windows\system32\_005039_.tmp.dll
    c:\windows\system32\_005040_.tmp.dll
    c:\windows\system32\_005042_.tmp.dll
    c:\windows\system32\_005043_.tmp.dll
    c:\windows\system32\_005046_.tmp.dll
    c:\windows\system32\_005047_.tmp.dll
    c:\windows\system32\_005049_.tmp.dll
    c:\windows\system32\_005050_.tmp.dll
    c:\windows\system32\_005051_.tmp.dll
    c:\windows\system32\_005053_.tmp.dll
    c:\windows\system32\_005056_.tmp.dll
    c:\windows\system32\_005057_.tmp.dll
    c:\windows\system32\_005061_.tmp.dll
    c:\windows\system32\_005062_.tmp.dll
    c:\windows\system32\_005064_.tmp.dll
    c:\windows\system32\_005067_.tmp.dll
    c:\windows\system32\_005069_.tmp.dll
    c:\windows\system32\_005070_.tmp.dll
    c:\windows\system32\_005071_.tmp.dll
    c:\windows\system32\_005072_.tmp.dll
    c:\windows\system32\_005075_.tmp.dll
    c:\windows\system32\_005076_.tmp.dll
    c:\windows\system32\_005077_.tmp.dll
    c:\windows\system32\_005078_.tmp.dll
    c:\windows\system32\_005079_.tmp.dll
    c:\windows\system32\_005084_.tmp.dll
    c:\windows\system32\_005086_.tmp.dll
    c:\windows\system32\_005087_.tmp.dll
    c:\windows\system32\Oeminfo.ini
    c:\windows\UA000106.DLL

    .
    ((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-28 )))))))))))))))))))))))))))))))
    .

    2010-12-28 20:28 . 2010-12-28 20:28 -------- d-----w- c:\windows\LastGood
    2010-12-28 20:28 . 2010-12-28 20:28 -------- d-----w- c:\program files\ESET
    2010-12-27 15:45 . 2010-12-27 15:45 -------- d-----w- c:\documents and settings\William\Application Data\Avira
    2010-12-27 15:39 . 2010-12-13 08:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-12-27 15:39 . 2010-12-13 08:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-12-27 15:39 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-12-27 15:39 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-12-27 15:39 . 2010-12-27 15:39 -------- d-----w- c:\program files\Avira
    2010-12-27 15:39 . 2010-12-27 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-12-27 14:28 . 2010-12-27 14:28 -------- d-----w- c:\program files\Common Files\Java
    2010-12-27 14:28 . 2010-11-12 18:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-12-27 12:51 . 2010-12-27 12:51 11264 ----a-r- c:\documents and settings\William\Application Data\Microsoft\Installer\{98613C99-1399-416C-A07C-1EE1C585D872}\Icon98613C992.exe
    2010-12-27 12:51 . 2010-12-27 12:51 -------- d-----w- c:\program files\Seagate
    2010-12-27 12:49 . 2010-12-27 12:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-12-26 14:56 . 2010-12-27 12:31 0 ----a-w- c:\windows\Tsehahedil.bin
    2010-12-26 14:53 . 2010-12-26 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\mIcLl06511
    2010-12-09 11:40 . 2010-12-09 11:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Sibelius Software
    2010-12-09 11:32 . 2010-12-09 11:32 -------- d-----w- c:\documents and settings\Gary\Application Data\GuitarNotes
    2010-12-09 11:27 . 2007-04-13 13:35 17464 ----a-w- c:\windows\gboxdrum.dat
    2010-12-09 11:27 . 2007-04-13 13:35 92728 ----a-w- c:\windows\gbox.dat
    2010-12-09 11:27 . 2010-12-09 11:30 -------- d-----w- c:\program files\GrooveBox
    2010-12-09 11:23 . 2010-12-09 11:26 -------- d-----w- c:\documents and settings\Gary\Application Data\Chords & Scales
    2010-12-09 11:23 . 2010-12-09 11:23 -------- d-----w- c:\program files\Chords & Scales
    2010-12-09 11:18 . 2010-12-09 11:19 -------- d-----w- c:\program files\PhraseTrainer
    2010-12-09 11:16 . 2010-12-09 11:16 -------- d-----w- c:\documents and settings\Gary\Application Data\DesktopMetronome
    2010-12-09 11:16 . 2010-12-09 11:16 -------- d-----w- c:\program files\Desktop Metronome

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-20 18:09 . 2009-12-08 12:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 18:08 . 2009-12-08 12:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-12 16:34 . 2009-12-12 21:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-10-20 17:41 . 2010-10-20 17:41 67904 ----a-w- c:\windows\system32\NLSSRV32.EXE
    2010-10-20 17:38 . 2010-11-24 14:29 17728 ----a-w- c:\windows\system32\nitrolocalui.dll
    2010-10-20 17:38 . 2010-11-24 14:29 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
    "nwiz"="nwiz.exe" [2008-05-16 1630208]
    "DeltTray"="DeltTray.exe" [2004-08-26 56320]
    "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "HostManager"="c:\program files\Common Files\AOL\1261605241\ee\AOLSoftware.exe" [2006-11-14 50736]
    "USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSimpleStartMenu"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\AOL 9.0 VR\\waol.exe"=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
    "c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
    "c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
    "c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
    "c:\\Program Files\\Common Files\\aol\\1261605241\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\RM.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\Studio.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\umi.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Sibelius Software\\Sibelius 6\\RegTool.exe"=
    "c:\\Program Files\\Sibelius Software\\Sibelius 6\\Sibelius.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8484:TCP"= 8484:TCP:TINYPROXY
    "53:TCP"= 53:TCP:TINYPROXY
    "110:TCP"= 110:TCP:svchost
    "3389:TCP"= 3389:TCP:Remote Desktop

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [27/12/2010 15:39 135336]
    R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [20/10/2010 17:41 196928]
    R2 nlsX86cc;NLS Service;c:\windows\SYSTEM32\NLSSRV32.EXE [20/10/2010 17:41 67904]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26/08/2009 12:22 133104]
    S3 FTLUND;Lundinova Filter Driver;c:\windows\SYSTEM32\DRIVERS\ftlund.sys [28/01/2008 11:28 6828]
    S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\SYSTEM32\DRIVERS\netaapl.sys [03/08/2009 20:56 17408]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [29/08/2002 05:00 14336]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    getPlusHelper REG_MULTI_SZ getPlusHelper
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

    2010-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-26 12:21]

    2010-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-26 12:21]

    2010-12-28 c:\windows\Tasks\User_Feed_Synchronization-{B14CFF69-C8DD-4A82-B21C-7411F963C555}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 04:31]

    2010-12-28 c:\windows\Tasks\User_Feed_Synchronization-{BD2E5706-2047-4302-8F37-7ED704A93E5E}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 04:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bbc.co.uk/
    uInternet Connection Wizard,ShellNext = iexplore
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    Notify-dimsntfy - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-28 23:02
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WINIO]
    "ImagePath"="ˆý\12"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2010-12-28 23:06:28
    ComboFix-quarantined-files.txt 2010-12-28 23:06

    Pre-Run: 4,268,072,960 bytes free
    Post-Run: 4,235,100,160 bytes free

    - - End Of File - - EB3A8159301A73E44303AA3369FA8597

    ----------------------------------------------------------------------------
    In answer to your question about the following:-

    "There are 3 entries from the same date that I can't ID- do you know what they are?
    2010-12-26 14:56:21 c:\windows\Tsehahedil.bin
    2010-12-26 14:56:16 c:\docume~1\william\locals~1\applic~1\{4F5CD3E9-C7BC-428B-AA17-6895598319D8}
    2010-12-26 14:53:59 c:\docume~1\alluse~1\applic~1\mIcLl06511"


    I do not know what these are.
    Any recommendations welcome. :)

    Thanks for help.
    William.
     
  4. NineMilesHigh

    NineMilesHigh TS Rookie Topic Starter Posts: 56

    Further update / issue

    Hi.

    Know you guys will be busy.
    When you get back to me, one other issue you can perhaps help with:-

    In Internet Explorer 8, nothing happens when I click on any of my favourites. Also all of the icons in there have turned to the 'default icon' - the one which suggests it doesn't recognise the link or program.
    Any suggestions?
    I will check the web for some answers to this one - but don't want to make too many changes whilst we are still clearing up trojan issues.
    The Favorites folder has all the favorites in there - but all with this 'default' icon.
    The reg entry in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders has %USERPROFILES%\Favorites

    Thanks
    W.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Let's see if we can find anything:
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filelook
      c:\windows\Tsehahedil.bin
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    ==========================================
    Regarding the Icons: Custom icons do occasionally return to the default icons. This can happen for a few reasons: 'cleaning' the hard drive, emptying your browser cache, a browser window 'crash' corrupting your 'favicons', or any of several others. They aren't permanent (part of the History). To put them back, revisit the site. That should make the favicon reload into the browser cache. If not, delete the Favorites entry and add it again.

    To clarify:
    Do you mean you're getting the Open With screen? If so, that's actually a problem involving file types (extensions), not the icons themselves. Try a few of the Favorites and see if you have 'groups' of Favorites that would be opened with like programs such as Windows Media Player, Word, Windows Fax & Picture Viewer. If you need help to review this: Control Panel> Folder Options> View tab. It might be that you have to reset one of the 'groups' or that the program that opens file extensions in that group is corrupt.

    So far, the subsequent scans I've had you run are clean- unless the one entry being identified turns out to be malware.
     
  6. NineMilesHigh

    NineMilesHigh TS Rookie Topic Starter Posts: 56

    Further update

    Hi.
    Ran SystemLook as directed- log below.
    ---------------------------------------------------------
    SystemLook 04.09.10 by jpshortstuff
    Log created at 03:31 on 01/01/2011 by William
    Administrator - Elevation successful

    Invalid Context: filelook

    No Context: c:\windows\Tsehahedil.bin

    -= EOF =-
    -------------------------------------------------------------

    Regarding your question about the icons in 'Favorites' -
    If I click on them nothing happens.
    If I 'right-click' I get options like 'Open', 'Open in New Tab' - but nothing happens when I click these. If I choose 'Properties', it tells me the file type is an Internet shortcut.

    I have tried deleting some of these Favorites, going back to the sites (just using Google to find them) and then doing an 'Add to Favorites'. It adds it to my Favorites with a default icon, but once again nothing happens when I click on it.

    I have checked that Internet Explorer is set as the default browser.
    I have tried IE with no add-ons -- same issue.

    I have checked the issue for another user on the same PC - and the same issue exists for this user too - so I assume all users are affected.

    Some more info:-
    If I go onto the 'History' tab whilst in Favorites, the links there show the right icon and they work ok when I click on them. If I then choose 'Add to Favorites', and go onto the Favorites tab, the link doesn't work when I click on it.

    Thanks
    W.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run this Custom CFScript:

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it (Be sure to scroll down to include ALL lines.)
    Code:
    File::
    c:\windows\Tsehahedil.bin
    Folder::
    c:\docume~1\william\locals~1\applic~1\{4F5CD3E9-C7BC-428B-AA17-6895598319D8}
    c:\docume~1\alluse~1\applic~1\mIcLl06511
    Registry::
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"=-
    DDS::
    TB: {2E608F70-C430-4BC5-96F6-608E02EBA5B2} - No File
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    {555d4d79-4bd2-4094-a395-cfc534424a05}
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    When did the problem with the Favorites icons start? I checked the thread you worked on in the other forum. I didn't see anything you did that would cause any kind of corruption. You ran Chkdsk /r- did you have this problem before doing that?

    Have you checked the Folder Options in the Control Panel, the File Types tab to see if the file extensions are set to open with the correct program? Do I understand correctly that you cannot open any Favorites at all?
    =======================================
    Let's see if I can spot any bad entry in HJT:
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    BTW, I found RootRepeal being started from the Registry. When did you run that? I set the script to remove it.

    Edit: Uninstall the HijackThis you now have. It is an outdated version. Current version is in link I left.
     
  8. NineMilesHigh

    NineMilesHigh TS Rookie Topic Starter Posts: 56

    Results

    Hi.

    Combofix log below....

    ComboFix 11-01-01.01 - William 01/01/2011 23:19:19.6.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2559.2082 [GMT 0:00]
    Running from: c:\documents and settings\William\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\William\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

    FILE ::
    "c:\windows\Tsehahedil.bin"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\alluse~1\applic~1\mIcLl06511
    c:\docume~1\alluse~1\applic~1\mIcLl06511\mIcLl06511
    c:\windows\Tsehahedil.bin

    .
    ((((((((((((((((((((((((( Files Created from 2010-12-01 to 2011-01-01 )))))))))))))))))))))))))))))))
    .

    2011-01-01 23:08 . 2011-01-01 23:08 -------- d-----w- C:\HijackThis
    2011-01-01 22:43 . 2011-01-01 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
    2011-01-01 22:43 . 2011-01-01 22:43 -------- d-----w- c:\program files\McAfee Security Scan
    2011-01-01 20:52 . 2011-01-01 20:55 -------- d-----w- c:\documents and settings\William\NewFavorites
    2010-12-29 17:54 . 2010-12-29 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-12-27 15:45 . 2010-12-27 15:45 -------- d-----w- c:\documents and settings\William\Application Data\Avira
    2010-12-27 15:39 . 2010-12-13 08:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-12-27 15:39 . 2010-12-13 08:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-12-27 15:39 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-12-27 15:39 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-12-27 15:39 . 2010-12-27 15:39 -------- d-----w- c:\program files\Avira
    2010-12-27 15:39 . 2010-12-27 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-12-27 14:28 . 2010-12-27 14:28 -------- d-----w- c:\program files\Common Files\Java
    2010-12-27 14:28 . 2010-11-12 18:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-12-27 12:51 . 2010-12-27 12:51 11264 ----a-r- c:\documents and settings\William\Application Data\Microsoft\Installer\{98613C99-1399-416C-A07C-1EE1C585D872}\Icon98613C992.exe
    2010-12-27 12:51 . 2010-12-27 12:51 -------- d-----w- c:\program files\Seagate
    2010-12-27 12:49 . 2010-12-27 12:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-12-09 11:40 . 2010-12-09 11:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Sibelius Software
    2010-12-09 11:32 . 2010-12-09 11:32 -------- d-----w- c:\documents and settings\Gary\Application Data\GuitarNotes
    2010-12-09 11:27 . 2007-04-13 13:35 17464 ----a-w- c:\windows\gboxdrum.dat
    2010-12-09 11:27 . 2007-04-13 13:35 92728 ----a-w- c:\windows\gbox.dat
    2010-12-09 11:27 . 2010-12-09 11:30 -------- d-----w- c:\program files\GrooveBox
    2010-12-09 11:23 . 2010-12-09 11:26 -------- d-----w- c:\documents and settings\Gary\Application Data\Chords & Scales
    2010-12-09 11:23 . 2010-12-09 11:23 -------- d-----w- c:\program files\Chords & Scales
    2010-12-09 11:18 . 2010-12-09 11:19 -------- d-----w- c:\program files\PhraseTrainer
    2010-12-09 11:16 . 2010-12-09 11:16 -------- d-----w- c:\documents and settings\Gary\Application Data\DesktopMetronome
    2010-12-09 11:16 . 2010-12-09 11:16 -------- d-----w- c:\program files\Desktop Metronome

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-20 18:09 . 2009-12-08 12:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 18:08 . 2009-12-08 12:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-12 16:34 . 2009-12-12 21:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-10-20 17:41 . 2010-10-20 17:41 67904 ----a-w- c:\windows\system32\NLSSRV32.EXE
    2010-10-20 17:38 . 2010-11-24 14:29 17728 ----a-w- c:\windows\system32\nitrolocalui.dll
    2010-10-20 17:38 . 2010-11-24 14:29 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-12-28_23.02.33 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-01-01 12:12 . 2011-01-01 12:12 16384 c:\windows\temp\Perflib_Perfdata_e0.dat
    + 2010-12-31 12:18 . 2010-12-31 12:18 24064 c:\windows\Installer\bcd5c2.msi
    + 2010-11-06 11:54 . 2011-01-01 22:43 233936 c:\windows\SYSTEM32\Macromed\Flash\FlashUtil10l_ActiveX.exe
    - 2010-11-06 11:54 . 2010-11-22 11:02 233936 c:\windows\SYSTEM32\Macromed\Flash\FlashUtil10l_ActiveX.exe
    + 2010-11-06 11:54 . 2011-01-01 22:43 311248 c:\windows\SYSTEM32\Macromed\Flash\FlashUtil10l_ActiveX.dll
    - 2010-11-06 11:54 . 2010-11-22 11:02 311248 c:\windows\SYSTEM32\Macromed\Flash\FlashUtil10l_ActiveX.dll
    + 2010-10-21 20:04 . 2010-10-21 20:04 2827728 c:\windows\Downloaded Program Files\CONFLICT.42\FP_AX_CAB_INSTALLER.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-12-31 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
    "nwiz"="nwiz.exe" [2008-05-16 1630208]
    "DeltTray"="DeltTray.exe" [2004-08-26 56320]
    "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "HostManager"="c:\program files\Common Files\AOL\1261605241\ee\AOLSoftware.exe" [2006-11-14 50736]
    "USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSimpleStartMenu"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\AOL 9.0 VR\\waol.exe"=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
    "c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
    "c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
    "c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
    "c:\\Program Files\\Common Files\\aol\\1261605241\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\RM.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\Studio.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\umi.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Sibelius Software\\Sibelius 6\\RegTool.exe"=
    "c:\\Program Files\\Sibelius Software\\Sibelius 6\\Sibelius.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8484:TCP"= 8484:TCP:TINYPROXY
    "53:TCP"= 53:TCP:TINYPROXY
    "110:TCP"= 110:TCP:svchost
    "3389:TCP"= 3389:TCP:Remote Desktop

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [27/12/2010 15:39 135336]
    R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [20/10/2010 17:41 196928]
    R2 nlsX86cc;NLS Service;c:\windows\SYSTEM32\NLSSRV32.EXE [20/10/2010 17:41 67904]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26/08/2009 12:22 133104]
    S3 FTLUND;Lundinova Filter Driver;c:\windows\SYSTEM32\DRIVERS\ftlund.sys [28/01/2008 11:28 6828]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 12:49 227232]
    S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\SYSTEM32\DRIVERS\netaapl.sys [03/08/2009 20:56 17408]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [29/08/2002 05:00 14336]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    getPlusHelper REG_MULTI_SZ getPlusHelper
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

    2011-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-26 12:21]

    2011-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-26 12:21]

    2011-01-01 c:\windows\Tasks\User_Feed_Synchronization-{B14CFF69-C8DD-4A82-B21C-7411F963C555}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 04:31]

    2011-01-01 c:\windows\Tasks\User_Feed_Synchronization-{BD2E5706-2047-4302-8F37-7ED704A93E5E}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 04:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bbc.co.uk/
    uInternet Connection Wizard,ShellNext = iexplore
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-01 23:27
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WINIO]
    "ImagePath"="ˆý\12"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-01-01 23:30:32
    ComboFix-quarantined-files.txt 2011-01-01 23:30
    ComboFix2.txt 2010-12-28 23:06

    Pre-Run: 3,975,823,360 bytes free
    Post-Run: 3,977,834,496 bytes free

    - - End Of File - - 5CB04E4CFACE9810D2738AE981A9D3CC

    -------------------------------------------------------------------------------
    -------------------------------------------------------------------------------

    HijackThis log below...

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 23:33:30, on 01/01/2011
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\imapi.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
    C:\WINDOWS\system32\NLSSRV32.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\WINDOWS\system32\DeltTray.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\AOL\1261605241\ee\AOLSoftware.exe
    C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5825.1100\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1261605241\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [USBToolTip] C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
    O23 - Service: NitroPDFDriverCreatorReadSpool (NitroDriverReadSpool) - Nitro PDF Software - C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
    O23 - Service: NLS Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\NLSSRV32.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 8956 bytes

    ----------------------------------------------------------------------
    ----------------------------------------------------------------------

    In answer to your questions:-
    RootRepeal must have been there from about a year ago when I was looking for a possible rootkit.
    The problem with Favorites was not there before I ran chkdsk /r. However, difficult to say if that coincided exactly with it. The Favorites problem started about 2 or 3 days ago.
    Things that were run around that time include the following:-
    CCleaner was run including the registry fix.
    SuperAntiSpyware was installed, run and then uninstalled as I already use MBAM and Avira. I tried it just to try a different tool.
    Java was updated.
    Adobe was updated.

    I checked File Types in Folder Options and many different file extensions are there, set to open with the appropriate file type. They all look ok.

    You are correct - I cannot open any Favorites. But if I choose the History Tab under Favorites (this is IE 8 by the way), the links in there work fine. If I then add them to my Favorites and select them from there, they don't work.

    Hope this helps.

    Just noticed:- When I bring up IE and then go to open Favorites, these Favorites appear to have Internet Explorer icons and then they are quickly refreshed downwards and end up as what I would call the 'default' icon - the one that suggests it doesn't know what it is. (Just to explain better- it is the 1st icon in shell32.dll in XP and it is usually called the default file icon. I tried to paste it in here, but it won't accept a paste of it.)

    After that the icons in Favorites remain that way and when I click on them in Favorites nothing happens.

    W.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry for delay- holiday and all behind us now, maybe back to normal!

    Two antivirus programs running
    Why did you install McAfee when you had Avira running?
    2011-01-01 22:43 c:\documents and settings\All Users\Application Data\McAfee Security Scan
    2011-01-01 22:43 c:\program files\McAfee Security Scan


    Please decide whether you want to keep Avira or McAfee and remove the other. Reboot after the removal: Here are Tools to help:
    McAfee Removal
    Uninstall Avira:
    • Start> Settings> Control Panel> Add or Remove Programs (Windows 2000/ XP) or Start - Control Panel - Uninstall a program (Windows Vista / 7)
    • Wait for the list of installed programs to load, then click the name of the Avira program.
    • Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
    • Press Yes, to confirm the removal and then OK.
    • Click Next until Finish. The software is removed.
    ==================================================
    What you refer to as the 'default icon' is the icon that looks like a Window and gives the message 'Windows can't open this file'? I take 'default' to mean the 'generic' icon when there is no Favicon for the site.
    =================================================
    I see the entry in Combofix: 2011-01-01 c:\documents and settings\William\NewFavorites
    Have you started a folder to save Favorites? I can't figure out how the Favorites are okay in the History directory but not separately. This makes me think that if you clear your History, you'll lose those Favorites- does that seem right?
    =================================================
    Did you put any new addon in the browser before the Favorites problem started? Some addons cause a compatibility problem and it's worth checking that out. Open Tools in IE> Manage addons and select the No addons mode. Reboot and see if that makes any difference. If it does, then put the addons back, one at a time, checking Favorites after each to see which was the bad one.
    ========================================
    I see an entry in the Combofix log that I am uncertain about. I'm going to ask about it and while I'm doing that, please decide whether you want McAfee or Avira and uninstall the other. Please disable CCleaner while we're trying to work this out. It's not one of my favorites.
     
  10. NineMilesHigh

    NineMilesHigh TS Rookie Topic Starter Posts: 56

    Response

    No prob.
    I didn't knowingly install McAfee - I wonder if it installed with something else - but I don't know what.
    When I noticed this a few days ago, I uninstalled it - so that has already been done.

    Yes - by the default icon I mean the one that looks like an 'old Window' and tends to be used when it doesn't understand the file.

    I decided to try to create a new Favorites folder to see if this would clear the problem. So I tried renaming the old one and creating a new one but it doesn't let you do so. I tried a few permutations, but got nowhere, so I put it back the way it was.
    Perhaps there is a proper way to create a new Favorites folder and start it from scratch - then I could just re-create my Favorites one at a time (if I keep a copy of what they were).
    I have cleared History numerous times - it clears all the links in History ok, but doesn't do anything to Favorites - they remain there with the 'default icon' and do nothing when you click on them.

    Regarding Add-Ons:- I am not aware of adding any new add-on to the browser. However, Google toolbar has been deinstalled and reinstalled, I am sure.
    I have tried running IE with No Add-Ons but I just realised I didn't reboot after doing that - only restarted IE. So I will try it again and reboot.

    Thanks
    W.
     
  11. NineMilesHigh

    NineMilesHigh TS Rookie Topic Starter Posts: 56

    Update

    I disabled all IE Add-ons one at a time.
    I rebooted - checked they were all still disabled.
    The IE issue of all icons in Favorites turning into the default icon is still there and nothing happens when I click on them.

    If I go to a new site (say Amazon) it appears in History with a correct icon and I can click on it ok and go back to it any time.
    If I add it to Favorites it gives it the default icon and does nothing when I click on it.
    Strange.

    Have uninstalled CCleaner.

    W.
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry for delay- internet was down most of yesterday.

    You can try running the system file checker (SFC) and see if it will repair the Favorites folder: Have the CD for the OS handy so that you can insert it if you are prompted to do so.

    Click on Start> Run> type in SFC /SCANNOW (note there is a space between SFC and the forward slash)> Click on OK or press Enter. Follow any instructions on the screen. After it's done, it should just close. Then reboot the computer.

    You might want to review the Startup menu. Many processes running do not need to start on boot and run in the background. They can be called up when needed:
    Lexmark printer>> LEXBCES.EXE, LEXPPS.EXE
    HP Software Update>> HPWuSchd2.exe
    HP Digital Imaging>> hpqSTE08.exe, hpqbam08.exe, hpqgpc01.exe, hpqtra08.exe
    iPod Service.exe, iTunesHelper.exe
    Nitro PDF Professional>> NitroPDFDriverService.exe
    Nalpeiron Licensing Service>> NLSSRV32.EXE (flexible licensing to the software you write)
    Pinnacle>> USBTip.exe
    MS Office>> WINWORD.EXE


    To remove entries from Startup using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
    • Click on Selective Startup
    • Choose the Startup tab:
      This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted.
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
    • Click on Apply> OK when finished.

    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.'
    Once you make changes to the Startup menu, you must remain in Selective Startup to retain those changes. If you go back to Normal Startup, everything you unchecked will be checked again and start on boot.

    To change the startup type for any Services related to processes taken off of Startup:
    Start> Run> type in services.msc> enter> double click on the Service> change startup type to Manual.
    Exit Services when finished. You may have to change the Services in Safe Mode.

    Let me know if scannow worked.
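    The Startup review above, and the HijackThis log requested earlier in the thread, come down to one question per running process: which Run key, Startup-folder shortcut or service launches it? Below is an added example (not code from the thread or from HijackThis) that answers that from a HijackThis log; the sample log lines are constructed from the kinds of O4 and O23 entries shown in the thread, and the regexes assume the HijackThis v2.0.4 line layout.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of a HijackThis v2.0.4 log: a few "Running
# processes" lines plus O4 (autostart) and O23 (service) entries of the kind
# that appear in the thread's log. Not the full log.
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\NLSSRV32.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NLS Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\NLSSRV32.EXE
"""

# O4 - HKLM\..\Run: [Name] command        (HKLM or HKCU, Run or RunOnce)
O4_RUN = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$')
# O4 - Global Startup: Name.lnk = target  (also "Startup:" / "User Startup:")
O4_STARTUP = re.compile(r'^O4 - ((?:Global |User )?Startup): (.+?) = (.*)$')
# First token of a command line: a quoted or unquoted path ending in an
# executable extension, optionally followed by switches.
_LAUNCH_RE = re.compile(r'^"?(.*?\.(?:exe|dll|scr|bat|cmd))"?(?:\s+(.*))?$', re.IGNORECASE)


def image_name(command):
    """Lower-cased basename of the image an O4 command or O23 path launches.

    Handles quoted and unquoted paths containing spaces, trailing switches,
    and RUNDLL32 hosts, where the DLL named after the host is the real payload.
    """
    m = _LAUNCH_RE.match(command.strip())
    if not m:
        # e.g. the "?" HijackThis prints for a .lnk whose target it cannot resolve
        return command.strip().lower()
    exe, args = m.group(1), m.group(2) or ""
    if exe.lower().endswith("rundll32.exe") and args:
        exe = args.partition(",")[0].strip().strip('"')
    return exe.rsplit("\\", 1)[-1].lower()


def running_processes(log_text):
    """Image names under 'Running processes:'; the section ends at the first blank line."""
    names, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_section = True
        elif in_section:
            if not line:
                break
            names.append(line.rsplit("\\", 1)[-1].lower())
    return names


def startup_inventory(log_text):
    """Map each autostarted image name to the Run keys, Startup-folder
    shortcuts and services that the log says launch it."""
    sources = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RUN.match(line)
        if m:
            hive, key, name, command = m.groups()
            sources[image_name(command)].append(f"{hive}\\..\\{key} [{name}]")
            continue
        m = O4_STARTUP.match(line)
        if m:
            folder, shortcut, target = m.groups()
            sources[image_name(target)].append(f"{folder}: {shortcut}")
            continue
        if line.startswith("O23 - Service: "):
            # "Display name (ShortName) - Vendor - Path"; split from the right so
            # a display name containing " - " does not shift the fields.
            parts = line[len("O23 - Service: "):].rsplit(" - ", 2)
            if len(parts) == 3:
                display, vendor, path = parts
                sources[image_name(path)].append(f"Service: {display} - {vendor}")
    return dict(sources)


def startup_report(log_text):
    """For every running process, where (if anywhere) the log says it autostarts.

    An empty list means nothing in the Run keys, Startup folders or services
    launches it directly: it is a child of another process (LEXPPS.EXE is
    spawned by the LexBce service) or was started by the user (WINWORD.EXE),
    so there is nothing for it to uncheck in msconfig.
    """
    inventory = startup_inventory(log_text)
    return {proc: inventory.get(proc, []) for proc in running_processes(log_text)}


if __name__ == "__main__":
    for proc, where in startup_report(SAMPLE_HJT_LOG).items():
        print(f"{proc:20} {'; '.join(where) or '(no autostart entry: child process or user-started)'}")
```

Running it lists each process with its msconfig or services.msc location, which is the same split the post makes between items unchecked in Startup and those changed in Services.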
     
  13. NineMilesHigh

    NineMilesHigh TS Rookie Topic Starter Posts: 56

    update

    Hi.
    Ran scannow without any issues. This worked ok as I watched the progress bar right to the end and it terminated without any requests for a CD or any errors about missing files. I rebooted. The Favorites problem is still there.

    I amended the Startup menu.
    4 of those items I unchecked in Startup.
    3 of them I had to go into Services to find them and unchecked them.
    The only one I didn't see there anywhere was Winword.
    I rebooted and made sure I was still in Selective mode and that these items were unchecked.
    The Favorites problem is still evident.

    An additional piece of information:- Any Favorites that I have put on the 'Favorites Bar' do not work when I click on them (same as the ones on the 'Favorites tab') - of course these are just shortcuts to some of my Favorites (I just add a few of them to the Favorites bar). They show up on this bar with the right icons, but do nothing when you click them.

    And just to re-iterate - the icons in the History tab are correct and work when you click them.
    The icons in the Favorites tab are all refreshed from IE icons to 'default icons' as soon as you open the tab - you can see them being over-written really quickly.

    W.
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Drat! I was so hoping that would fix the Favorites! I must admit that I am stumped. I have been all over the place looking for help with this. If you can bear with me a bit longer, I'd like to have Broni check this; hopefully he can offer a suggestion. He is much smarter than I am!

    Don't know what his weekend plans are but will be back soon as I hear.
     
  15. NineMilesHigh

    NineMilesHigh TS Rookie Topic Starter Posts: 56

    Response

    OK. No problem.
    Thanks for your help. Really appreciate it.
    W.
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I hope Broni doesn't mind, but I'm going to quote his reply about this- it's always fun to run into someone else who takes issue with IE!
     
  17. NineMilesHigh

    NineMilesHigh TS Rookie Topic Starter Posts: 56

    Update

    Hi.
    I tried resetting IE from within Internet Options Advanced Tab, but problem remained.
    So I reinstalled IE and the problem has been fixed.
    Thanks for your help with this.

    In terms of malware and any rogue s/w does it look as though the system is clear?
    Were there any other outstanding issues following the Combofix run etc...

    Thanks
    W.
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I am glad to hear that! So IE must have gotten corrupted in the process.

    About Winword: you may have had the Office program open and minimized when you ran the scan, but when you did system scan only to check for removals, it must have been closed. That's why we tell you to check "if present."

    Unless you have gotten a new infection since I checked the logs and ran the script 5 days ago, your system is clean and you can remove all of the tools we used and the files and folders they created:
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    We removed quite a few files and cleaned some unneeded ones out. You are probably very familiar with how Folder Options work and have become an expert at some things you may not have known before. And you have been very patient with me over the holidays; I appreciate that. It can be hard to juggle things at times.

    You know where we are if you need us again! Let me know if you have any more questions. The following may help keep the system safe, clean and secure:
    Tips for added security and safer browsing:
    1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
      This Tutorial will help guide you through Configuring Security Settings, Managing ActiveX Controls and other safety features: Make Internet Explorer safer.
    2. Have layered Security:
      • Antivirus Software (only one): Both of the following programs are free and known to be good:
        ◦ Avira Free
        ◦ Avast Home
      • Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
        ◦ Comodo
        ◦ Zone Alarm
      • Antispyware: I recommend all of the following:
        ◦ SpywareBlaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
        ◦ Download ZonedOut and save to your desktop. This replaces IE/Spyad and manages the Zones in Internet Explorer. This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
          For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.
          IE/Spyad is no longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is up-to-date before adding sites to your restricted zone.
          Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites, ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroy's Immunization the problem goes away...
        ◦ Replace the Hosts File
          MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
        ◦ Google Toolbar: Get the free Google Toolbar to help stop pop-up windows.
    3. Stay current on updates:
      • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates.
      • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
      • Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    4. Reset Cookies to prevent Tracking Cookies:
      • For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      • For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      • AdBlock Plus
      • Easy List
    5. Do regular Maintenance
      Remove Temporary Internet Files regularly:
      • ATF Cleaner by Atribune
      OR
      • TFC
      Disable and Enable System Restore:
      • See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    6. Practice Safe Email Handling
      • Don't open email from anyone you don't know.
      • Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      • Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.

    And use a Site Advisor: The Web of Trust (WOT) add-on is a safe surfing tool for your browser. Traffic-light rating symbols show how the site is rated for Trustworthiness, Vendor Reliability, Privacy, Child Safety. Your online email account (Google Mail, Yahoo! Mail and Hotmail) is also protected.

    Every time you do a search and the screen comes up with the sites, they will have the rating light. Green (2 shades), Amber/Yellow Caution, Red> not advised. A few sites haven't been rated and show as a blue flashlight.

    If you want to link from the page you're on to another site, WOT will give you an Alert that the site is known for fraudulent entries, unreliable or other and the site won't load. Don't worry, those Alerts don't happen if you stick to the green rating.

    Give it a try- http://www.mywot.com/en/download
     
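    A small check that goes with the MVPS HOSTS replacement step in the tips above: after swapping the file in, every entry should point a hostname at the local machine (127.0.0.1, 0.0.0.0 or ::1). Any entry that sends a hostname somewhere else is how a tampered HOSTS file redirects traffic, so it is worth listing for review. This is an added example written for this thread, not a tool from the thread or from MVPS; the file content below is constructed for the demonstration and the IP 198.51.100.7 is a documentation address, not a real host.

```python
"""Audit a Windows HOSTS file: count blocking entries and flag non-local targets.

Added example, not part of the original thread. Works on the file text, so it
can be run offline against a copy; on Windows the live file is normally at
%SystemRoot%\\System32\\drivers\\etc\\hosts.
"""
import ipaddress
from dataclasses import dataclass, field

# Addresses that an ad/tracker blocklist legitimately uses as a sink.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample, modelled on the MVPS layout (comments, one IP then hostnames).
SAMPLE_HOSTS = """\
# Constructed sample hosts file for the example
127.0.0.1 localhost
127.0.0.1 ads.example.net           # blocked ad server
0.0.0.0   tracker.example.com
198.51.100.7 www.update-checker.example  # non-local target: needs review
"""


@dataclass
class HostsEntry:
    lineno: int
    ip: str
    hostnames: list = field(default_factory=list)


def parse_hosts(text):
    """Return the active (non-comment) entries of a hosts file as HostsEntry objects."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])  # first token must be an IPv4/IPv6 address
        except ValueError:
            continue  # malformed line; Windows ignores it as well
        entries.append(HostsEntry(lineno, parts[0], parts[1:]))
    return entries


def audit_hosts(text):
    """Summarise a hosts file: how many names are sunk locally, and which are not.

    Returns a dict with the total entry count, the number of distinct hostnames
    blocked by pointing at a local sink, and the entries whose target is some
    other address (the pattern to look at after a malware cleanup).
    """
    blocked = set()
    redirected = []
    entries = parse_hosts(text)
    for entry in entries:
        if entry.ip in LOCAL_SINKS:
            for name in entry.hostnames:
                if name.lower() != "localhost":  # the loopback entry is not a block
                    blocked.add(name.lower())
        else:
            redirected.append(entry)
    return {"entries": len(entries), "blocked": len(blocked), "redirected": redirected}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{report['entries']} entries, {report['blocked']} hostnames blocked locally")
    for entry in report["redirected"]:
        print(f"line {entry.lineno}: {', '.join(entry.hostnames)} -> {entry.ip} (review)")
```

    To use it on a real file, read the copy into a string and pass it to audit_hosts; a freshly installed MVPS file should report zero redirected entries, and anything in that list deserves a look before trusting the machine.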
  19. NineMilesHigh

    NineMilesHigh TS Rookie Topic Starter Posts: 56

    Thanks

    Hi Bobbye,

    I have carried out these steps.
    Replacing the current Hosts file and using mywot are new for me.
    I will give these a try.

    Sincere thanks for your efforts and congratulations on carrying out such a great service.

    Regards
    W.
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You are very welcome! About my WOT. I knew about it but didn't have it. But working in this forum means a lot of searching. I knew sites to stay away from like the torrent ones, but used many other sites to get the information I needed.

    I read a description of WOT about a year ago and saw that they rated for some things I didn't consider like Privacy for instance and Accuracy. So I decided to try it out. I was amazed to see that some of the sites I had used often weren't rated well for accuracy or vendor support. I now use only those sites with the 'green light'. And often when I search to identify an entry, I get some indication of it because the sites are mostly rated red for various reasons.

    And it was interesting to learn that one computer site that offers help, but requires a 'membership' of $50 for 6 months was rated well only for Child Safety- the other indices were all low!

    You don't have to use all of the suggestions- I have them all together because it's easier for me. But I have or use almost all of them and it helps to stay safe.
     
Topic Status:
Not open for further replies.
