TechSpot

Need help, task manager running two iexplorers, computer running really slow!

By chelle400z
Sep 16, 2011
  1. Hi to all!
    Have been trying to find out what's wrong with my computer; it's running really slow and it's driving me mad!! Have been looking on here for a few weeks and think that maybe I got infected.
    I, by my own admission, am really not techy, so I don't understand most of what's written on here :) but am willing to listen and learn, albeit slowly. I would be grateful if someone could have a run over my HJT scan and let me know if all is OK.
    Thanks in advance

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 00:39:29, on 17/09/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\AVG\AVG10\avgemcx.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\Program Files\Trust\MI-2500X OPTICAL MOUSE\Mouse32a.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Program Files\HTC\HTC Sync 3.0\adb.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Home\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.topcashback.co.uk/home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
    R3 - URLSearchHook: (no name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
    O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [EPSON Stylus Photo R240 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /F "C:\WINDOWS\TEMP\E_S8F.tmp" /EF "HKLM"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
    O4 - HKLM\..\Run: [HTC Sync Loader] "C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" -startup
    O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Trust\MI-2500X OPTICAL MOUSE\Mouse32a.exe
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DriverFinder] C:\Program Files\DriverFinder\DriverFinder.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolba...YGB&si=&a=HWaE23pF7cx6QsKBKQ4zuQ&n=2011063015
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F397BB4F-2E94-4E1E-8CBA-4EB0D3ECD51E}: NameServer = 195.184.228.6 195.184.228.7
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe
    O23 - Service: Internet Pass-Through Service (PassThru Service) - Unknown owner - C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
    O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

    --
    End of file - 7685 bytes
     
  2. Bobbye


    Welcome to TechSpot! I'll help sort through the problems.

    If you have IE8, it is normal for 2 or more iexplore.exe to be running. And 'slow' can be caused by many different things. But we'll check and see what's on the system.

    We don't screen for malware with HijackThis, so if you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    =======================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you, including a Registry Cleaner or make changes in the Registry.
      [o] Please Do not Attach logs or put in code boxes
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    ===========================
    I note that you have MyWebSearch on the system. If it has been on for a while and/or if it's downloaded frequently from pre-checked download sites, it can put enough processes on the system to slow it down. You can help that by going to the Control Panel>Add/Remove Programs> uninstall any entries for MyWebSearch and FunWebProducts.
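As an added illustration (not part of the thread, and not a TechSpot or HijackThis tool), here is a small Python script that does the first pass a reviewer does by eye over the HJT log in post 1: it flags entries whose path points at the MyWebSearch/FunWebProducts toolbar Bobbye mentions, orphaned BHO/URLSearchHook entries whose DLL is "(no file)", adware binaries in the process list, counts the iexplore.exe processes (several at once are normal under IE8, as Bobbye says), and pulls out the O17 NameServer addresses so the reviewer can confirm them against the ISP or router. The marker list is an assumption that covers only this one adware family, and the sample log is an abbreviated excerpt of the log above, constructed for the example.

```python
"""Offline triage of a HijackThis (HJT) log excerpt.

Flags: entries pointing at the MyWebSearch/FunWebProducts toolbar, orphaned
BHO/URLSearchHook entries marked "(no file)", adware images in the process
list, the number of iexplore.exe processes (IE8 runs a frame process plus
tab processes, so more than one is expected), and the O17 DNS servers that
the reviewer still has to vet by hand.
"""
import re
from collections import Counter

# Assumption: a fixed list of path fragments is enough to recognise this one
# adware family. The 8.3 short form MYWEBS~1 shows up in HJT output as well.
ADWARE_MARKERS = ("mywebsearch", "mywebs~1", "funwebproducts")

# Every HJT entry line starts with a section code (R0, R1, R3, O2, O3, O4, ...)
# followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed sample: a short excerpt of the HJT log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.topcashback.co.uk/home
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
R3 - URLSearchHook: (no name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F397BB4F-2E94-4E1E-8CBA-4EB0D3ECD51E}: NameServer = 195.184.228.6 195.184.228.7
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe
"""


def parse_entries(log_text):
    """Yield (code, body) for each HJT entry line; headers and the process list are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body")


def running_processes(log_text):
    """Return the image paths under 'Running processes:' (the block ends at a blank line)."""
    procs, in_block = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_block = True
        elif in_block:
            if not line:
                break
            procs.append(line)
    return procs


def triage(log_text):
    """Classify entries; returns a list of (kind, code, text) findings."""
    findings = []
    for code, body in parse_entries(log_text):
        lower = body.lower()
        if any(marker in lower for marker in ADWARE_MARKERS):
            findings.append(("adware", code, body))
        elif code in ("R3", "O2", "O3") and "(no file)" in lower:
            # A CLSID still registered for a DLL that is gone: harmless leftover,
            # but exactly the kind of entry HJT is used to tidy up.
            findings.append(("orphan", code, body))
        elif code == "O17":
            # DNS servers configured on an interface. The script cannot tell
            # whether they belong to the ISP or the router; the reviewer confirms that.
            for ip in IPV4_RE.findall(body):
                findings.append(("nameserver", code, ip))
    for path in running_processes(log_text):
        if any(marker in path.lower() for marker in ADWARE_MARKERS):
            findings.append(("adware_process", "proc", path))
    return findings


def summarize(log_text):
    """The counts a reviewer glances at first."""
    findings = triage(log_text)
    by_kind = Counter(kind for kind, _, _ in findings)
    basenames = Counter(p.rsplit("\\", 1)[-1].lower() for p in running_processes(log_text))
    return {
        "adware_entries": by_kind["adware"],
        "orphan_entries": by_kind["orphan"],
        "adware_processes": by_kind["adware_process"],
        "nameservers": [text for kind, _, text in findings if kind == "nameserver"],
        "iexplore_count": basenames["iexplore.exe"],
    }


if __name__ == "__main__":
    for kind, code, text in triage(SAMPLE_LOG):
        print(f"{kind:16} {code:5} {text}")
    print(summarize(SAMPLE_LOG))
```

Run it as-is to see the findings for the excerpt, or pass the full log text to `summarize` for the same triage over every entry. It is a triage aid, not a verdict: a clean result says nothing about anything the marker list does not cover, and the DNS addresses are reported, not judged.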
     
  3. chelle400z


    Hiya, thanks for the quick reply. I am running IE8, but something doesn't seem right: I can be doing nothing much and still be using almost all my resources. I will hopefully be able to wade through the malware link that you sent me in the next couple of days, and will let you know if it improves things. Thanks for your help :)
     
  4. chelle400z


    Hi again! Didn't expect that to go as quickly as it did. Think I've managed to do the malware checks properly; these are the results of the scans...

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 7736

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    17/09/2011 22:50:15
    mbam-log-2011-09-17 (22-50-15).txt

    Scan type: Quick scan
    Objects scanned: 157564
    Time elapsed: 5 minute(s), 8 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 28
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 10
    Files Infected: 6

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{1D4DB7D0-6EC9-47a3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\FunWebProductsInstaller.Start.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\FunWebProductsInstaller.Start (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF6-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    c:\program files\funwebproducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\funwebproducts\Installr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\funwebproducts\Installr\2.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\funwebproducts\screensaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\funwebproducts\screensaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\funwebproducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\mywebsearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\mywebsearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\mywebsearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\mywebsearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Files Infected:
    c:\program files\funwebproducts\Installr\2.bin\F3EZSETP.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\uninstall fun web products.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\funwebproducts\Installr\2.bin\F3PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\funwebproducts\Installr\2.bin\NPFUNWEB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\mywebsearch\bar\History\search3 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\mywebsearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-09-17 23:01:55
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST3160815AS rev.3.CHF
    Running: g9np0bou.exe; Driver: C:\DOCUME~1\Home\LOCALS~1\Temp\kfpdifob.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----

    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Home at 23:04:17 on 2011-09-17
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.263 [GMT 1:00]
    .
    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: AVG Firewall *Disabled*
    .
    ============== Running Processes ===============
    .
    C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    svchost.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\AVG\AVG10\avgemcx.exe
    C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
    C:\Program Files\Trust\MI-2500X OPTICAL MOUSE\Mouse32a.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.topcashback.co.uk/home
    uURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [DriverFinder] c:\program files\driverfinder\DriverFinder.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [SkyTel] SkyTel.EXE
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [EPSON Stylus Photo R240 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiahe.exe /f "c:\windows\temp\E_S8F.tmp" /EF "HKLM"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [HTC Sync Loader] "c:\program files\htc\htc sync 3.0\htcUPCTLoader.exe" -startup
    mRun: [DSLSTATEXE] c:\program files\voyager 105 adsl modem\dslstat.exe icon
    mRun: [DSLAGENTEXE] c:\program files\voyager 105 adsl modem\dslagent.exe
    mRun: [FLMOFFICE4DMOUSE] c:\program files\trust\mi-2500x optical mouse\Mouse32a.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: Interfaces\{F397BB4F-2E94-4E1E-8CBA-4EB0D3ECD51E} : NameServer = 195.184.228.6 195.184.228.7
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
    R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-8-21 53816]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
    R1 RapportCerberus_29574;RapportCerberus_29574;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_29574.sys [2011-8-21 216912]
    R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-8-21 66360]
    R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-8-21 158904]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-8-18 7390560]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-17 366152]
    R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2010-9-16 80896]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-8-21 870200]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-17 22216]
    S2 Ca1528av;SPCA1528 Video Camera Service;c:\windows\system32\drivers\Ca1528av.sys [2011-3-6 516480]
    S3 Bulk1528;SPCA1528 Still Camera Service;c:\windows\system32\drivers\Bulk1528.sys [2011-3-6 11648]
    S3 cpuz132;cpuz132;\??\c:\docume~1\home\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\home\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
    S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2010-10-1 24576]
    S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-22 21248]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    .
    =============== Created Last 30 ================
    .
    2011-09-17 21:42:40 -------- d-----w- c:\documents and settings\home\application data\Malwarebytes
    2011-09-17 21:42:25 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-09-17 21:42:22 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-09-17 21:42:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-09-03 10:17:37 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
    2011-08-31 01:24:31 -------- d-----w- c:\documents and settings\home\local settings\application data\Temp
    2011-08-27 15:40:49 -------- d-----w- c:\documents and settings\home\local settings\application data\Deployment
    2011-08-23 14:52:56 -------- dc-h--w- c:\windows\ie8
    2011-08-23 14:40:30 24576 ----a-w- c:\windows\system32\CoInst.dll
    2011-08-23 14:40:30 148338 ----a-w- c:\windows\system32\drivers\gwausb.sys
    2011-08-23 14:40:25 12288 ------w- c:\windows\system32\CplEng.dll
    2011-08-23 14:40:25 -------- d-----w- c:\program files\Voyager 105 ADSL Modem
    2011-08-23 14:11:35 160951 ------w- c:\windows\system32\drivers\gtipdsp_.bin
    2011-08-21 09:00:36 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    .
    ==================== Find3M ====================
    .
    2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-08-03 07:58:08 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-06-23 18:36:30 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-06-23 12:05:13 385024 ------w- c:\windows\system32\html.iec
    2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
    .
    ============= FINISH: 23:05:07.20 ===============
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 31/05/2010 15:37:12
    System Uptime: 17/09/2011 22:54:00 (1 hours ago)
    .
    Motherboard: Foxconn | | 946 7MA Series
    Processor: Intel(R) Pentium(R) D CPU 2.80GHz | Socket 775 | 2812/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 149 GiB total, 113.24 GiB free.
    D: is CDROM ()
    F: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP341: 20/06/2011 20:26:19 - System Checkpoint
    RP342: 21/06/2011 21:28:56 - System Checkpoint
    RP343: 22/06/2011 21:31:46 - System Checkpoint
    RP344: 24/06/2011 14:26:01 - System Checkpoint
    RP345: 25/06/2011 19:16:21 - System Checkpoint
    RP346: 26/06/2011 19:45:09 - System Checkpoint
    RP347: 27/06/2011 22:40:12 - System Checkpoint
    RP348: 28/06/2011 00:10:05 - Software Distribution Service 3.0
    RP349: 29/06/2011 10:05:11 - Removed HTC Sync.
    RP350: 29/06/2011 10:05:40 - Installed HTC Sync.
    RP351: 29/06/2011 12:01:28 - Software Distribution Service 3.0
    RP352: 30/06/2011 14:16:24 - System Checkpoint
    RP353: 01/07/2011 23:51:20 - System Checkpoint
    RP354: 03/07/2011 00:22:47 - System Checkpoint
    RP355: 04/07/2011 14:23:55 - System Checkpoint
    RP356: 04/07/2011 22:59:39 - Removed Living Marine Aquarium 2
    RP357: 07/07/2011 09:50:39 - System Checkpoint
    RP358: 08/07/2011 19:13:27 - System Checkpoint
    RP359: 09/07/2011 20:50:46 - System Checkpoint
    RP360: 10/07/2011 21:03:16 - System Checkpoint
    RP361: 12/07/2011 19:10:15 - System Checkpoint
    RP362: 12/07/2011 23:24:57 - Software Distribution Service 3.0
    RP363: 14/07/2011 11:44:45 - Installed Rapport
    RP364: 16/07/2011 19:46:44 - System Checkpoint
    RP365: 18/07/2011 13:36:05 - System Checkpoint
    RP366: 19/07/2011 20:43:38 - System Checkpoint
    RP367: 21/07/2011 14:24:44 - System Checkpoint
    RP368: 25/07/2011 17:01:33 - System Checkpoint
    RP369: 25/07/2011 22:50:22 - Installed WinZip 15.5
    RP370: 27/07/2011 10:36:11 - System Checkpoint
    RP371: 31/07/2011 09:23:32 - System Checkpoint
    RP372: 02/08/2011 21:39:39 - System Checkpoint
    RP373: 05/08/2011 19:42:46 - System Checkpoint
    RP374: 08/08/2011 19:07:19 - System Checkpoint
    RP375: 09/08/2011 19:49:42 - System Checkpoint
    RP376: 10/08/2011 21:41:30 - System Checkpoint
    RP377: 12/08/2011 07:44:43 - Software Distribution Service 3.0
    RP378: 14/08/2011 17:18:02 - System Checkpoint
    RP379: 17/08/2011 03:06:58 - System Checkpoint
    RP380: 18/08/2011 11:31:04 - System Checkpoint
    RP381: 19/08/2011 19:07:50 - System Checkpoint
    RP382: 20/08/2011 20:57:39 - System Checkpoint
    RP383: 22/08/2011 12:55:45 - System Checkpoint
    RP384: 23/08/2011 13:12:22 - System Checkpoint
    RP385: 23/08/2011 15:54:11 - Installed Windows Internet Explorer 8.
    RP386: 23/08/2011 15:55:26 - Software Distribution Service 3.0
    RP387: 24/08/2011 01:24:45 - Software Distribution Service 3.0
    RP388: 24/08/2011 10:25:18 - Installed Rapport
    RP389: 24/08/2011 23:50:31 - Software Distribution Service 3.0
    RP390: 26/08/2011 16:52:32 - System Checkpoint
    RP391: 27/08/2011 17:20:36 - System Checkpoint
    RP392: 28/08/2011 17:23:37 - System Checkpoint
    RP393: 29/08/2011 20:47:22 - System Checkpoint
    RP394: 30/08/2011 21:03:21 - System Checkpoint
    RP395: 31/08/2011 00:57:29 - Removed Adobe Reader 9.3.
    RP396: 31/08/2011 00:57:59 - Installed Adobe Reader X (10.1.0).
    RP397: 01/09/2011 21:31:05 - System Checkpoint
    RP398: 03/09/2011 19:46:54 - System Checkpoint
    RP399: 04/09/2011 20:36:20 - System Checkpoint
    RP400: 05/09/2011 20:49:17 - System Checkpoint
    RP401: 06/09/2011 21:33:16 - System Checkpoint
    RP402: 07/09/2011 22:25:08 - System Checkpoint
    RP403: 08/09/2011 01:00:17 - Software Distribution Service 3.0
    RP404: 09/09/2011 19:43:23 - System Checkpoint
    RP405: 10/09/2011 20:38:29 - System Checkpoint
    RP406: 12/09/2011 12:55:03 - System Checkpoint
    RP407: 13/09/2011 19:26:39 - System Checkpoint
    RP408: 14/09/2011 20:02:45 - System Checkpoint
    RP409: 15/09/2011 01:53:41 - Software Distribution Service 3.0
    RP410: 16/09/2011 13:08:17 - System Checkpoint
    RP411: 17/09/2011 13:52:10 - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader X (10.1.0)
    Apple Application Support
    Apple Software Update
    AVG 2011
    AVG PC Tuneup 2011
    BlackBerry Desktop Software 6.0
    BlackBerry Device Software Updater
    EPSON Printer Software
    Free DVD Video Burner version 1.1
    Free Video Dub version 1.4
    Free Video Flip and Rotate version 1.4
    Free Video to DVD Converter version 1.1
    Free YouTube Uploader version 2.2
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    HTC BMP USB Driver
    HTC Driver Installer
    HTC Sync
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft National Language Support Downlevel APIs
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MSXML 4.0 SP3 Parser
    MSXML 4.0 SP3 Parser (KB973685)
    OpenOffice.org 3.1
    QuickTime
    Rapport
    Realtek High Definition Audio Driver
    Safari
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    SPCA1528 PC Driver
    TRUST MI-2500X OPTICAL MOUSE
    Uninstall 1.0.0.1
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB971029)
    Voyager 105 ADSL Modem
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinZip 15.5
    .
    ==== Event Viewer Messages From Past Week ========
    .
    17/09/2011 22:54:42, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    13/09/2011 16:19:03, error: Service Control Manager [7000] - The SPCA1528 Video Camera Service service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    .
    ==== End Of File ===========================
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, as expected, there are many processes for MyWeb Search. Mbam has removed many of the entries. I will see more in the registry entries for this program in Combofix. I will remove those using a script to run through Combofix.
    ====================================
    Combofix will not run with AVG on the system so you will have to temporarily remove it:
    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ===============================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the image to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =====================================
    I would like for you to disable the MyWeb Search Service as follows:
    Click on Start> Run> type in services.msc> enter>
    • Right click on mwssvc.exe or MyWeb Search
    • Change the Startup Type to Disabled> Stop the Service
      Exit the Services.
      Stay away from sites like:

      • WebProducts
      • My Web Search (Smiley Central or FWP product as applicable)
      • My Way Speedbar (Smiley Central or other FWP as applicable)
      • My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
      • My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
      • Search Assistant - My Way
     
  6. chelle400z

    chelle400z TS Rookie Topic Starter

    need help, task manager running 2 iexplorers

    Thanks for the help, it is much appreciated! Apologies it has taken so long to get back to you but I have done the scans as asked and the results are as follows:

    ComboFix 11-09-26.01 - Home 26/09/2011 0:30.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.583 [GMT 1:00]
    Running from: c:\documents and settings\Home\Desktop\ComboFix.exe
    FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Home\Application Data\PriceGong
    c:\documents and settings\Home\Application Data\PriceGong\Data\1.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\a.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\b.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\c.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\d.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\e.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\f.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\g.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\h.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\i.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\J.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\k.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\l.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\m.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\n.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\o.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\p.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\q.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\r.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\s.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\t.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\u.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\v.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\w.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\x.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\y.xml
    c:\documents and settings\Home\Application Data\PriceGong\Data\z.xml
    C:\install.exe
    c:\windows\system32\comct332.ocx
    c:\windows\system32\d3d9caps.dat
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-08-25 to 2011-09-25 )))))))))))))))))))))))))))))))
    .
    .
    2011-09-17 21:42 . 2011-09-17 21:42 -------- d-----w- c:\documents and settings\Home\Application Data\Malwarebytes
    2011-09-17 21:42 . 2011-09-17 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-09-17 21:42 . 2011-09-17 21:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-09-17 21:42 . 2011-08-31 16:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-09-03 10:17 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
    2011-08-31 01:24 . 2011-08-31 01:24 -------- d-----w- c:\documents and settings\Home\Local Settings\Application Data\Temp
    2011-08-30 23:58 . 2011-08-30 23:58 -------- d-----w- c:\program files\Common Files\Adobe
    2011-08-27 15:40 . 2011-08-27 15:41 -------- d-----w- c:\documents and settings\Home\Local Settings\Application Data\Deployment
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-09 09:12 . 2004-08-12 13:56 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-08-21 09:00 . 2011-08-21 09:00 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2011-08-03 07:58 . 2011-08-03 07:58 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-15 13:29 . 2004-08-12 14:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02 . 2004-08-12 14:01 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-06-23 98304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-06-23 86016]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-06-23 81920]
    "RTHDCPL"="RTHDCPL.EXE" [2006-06-01 16208384]
    "SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
    "HTC Sync Loader"="c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-01-27 585728]
    "DSLSTATEXE"="c:\program files\Voyager 105 ADSL Modem\dslstat.exe" [2004-05-27 1659050]
    "DSLAGENTEXE"="c:\program files\Voyager 105 ADSL Modem\dslagent.exe" [2004-05-27 16384]
    "FLMOFFICE4DMOUSE"="c:\program files\Trust\MI-2500X OPTICAL MOUSE\Mouse32a.exe" [2011-08-26 370176]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2005-05-03 10:43 69632 -c--a-w- c:\windows\ALCMTR.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 04:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTC Sync Loader]
    2011-01-27 17:57 585728 ----a-w- c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 04:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
    .
    R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [21/08/2011 10:00 53816]
    R1 RapportCerberus_29574;RapportCerberus_29574;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_29574.sys [21/08/2011 10:03 216912]
    R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [21/08/2011 10:00 66360]
    R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [21/08/2011 10:00 158904]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [17/09/2011 22:42 366152]
    R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [16/09/2010 14:06 80896]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [21/08/2011 10:00 870200]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [17/09/2011 22:42 22216]
    S2 Ca1528av;SPCA1528 Video Camera Service;c:\windows\system32\drivers\Ca1528av.sys [06/03/2011 18:07 516480]
    S3 Bulk1528;SPCA1528 Still Camera Service;c:\windows\system32\drivers\Bulk1528.sys [06/03/2011 18:07 11648]
    S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [01/10/2010 00:20 24576]
    S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [22/06/2010 18:01 21248]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-09-24 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.topcashback.co.uk/home
    TCP: Interfaces\{F397BB4F-2E94-4E1E-8CBA-4EB0D3ECD51E}: NameServer = 195.184.228.6 195.184.228.7
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
    Toolbar-Locked - (no file)
    HKCU-Run-DriverFinder - c:\program files\DriverFinder\DriverFinder.exe
    AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\documents and settings\All Users\Application Data\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}\bm_installer.exe
    AddRemove-{50316C0A-CC2A-460A-9EA5-F486E54AC17D}_is1 - c:\program files\AVG\AVG PC Tuneup 2011\unins000.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-09-26 00:34
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1993962763-823518204-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    Completion time: 2011-09-26 00:35:51
    ComboFix-quarantined-files.txt 2011-09-25 23:35
    .
    Pre-Run: 122,124,259,328 bytes free
    Post-Run: 122,335,059,968 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - A21949BCDD3CC6FB9AAF2A14454CB9B6

    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP352\A0045610.exe a variant of Win32/Toolbar.MyWebSearch.O application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP352\A0045612.DLL a variant of Win32/Toolbar.MyWebSearch.M application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP352\A0045613.DLL a variant of Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP352\A0045614.DLL Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP356\A0045979.dll Win32/Adware.Yontoo.A application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP356\A0045981.dll a variant of Win32/Adware.Yontoo.B application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP364\A0047157.exe Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054903.scr Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054905.DLL Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054906.DLL Win32/Adware.FunWeb application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054907.DLL Win32/Adware.FunWeb application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054908.DLL Win32/Toolbar.MyWebSearch.G application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054909.DLL Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054910.DLL Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054911.DLL Win32/Adware.FunWeb application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054912.SCR Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054913.DLL Win32/Toolbar.MyWebSearch.G application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054914.DLL Win32/Toolbar.MyWebSearch.D application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054915.DLL Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054916.EXE Win32/Adware.FunWeb application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054917.DLL Win32/Toolbar.MyWebSearch.P application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054920.DLL Win32/Toolbar.MyWebSearch.F application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054921.DLL Win32/Toolbar.MyWebSearch.P application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054922.EXE Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054924.DLL Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054925.DLL Win32/Toolbar.MyWebSearch.J application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054926.DLL Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054927.DLL Win32/Toolbar.MyWebSearch.P application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054928.EXE Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054929.EXE Win32/Toolbar.MyWebSearch.J application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054930.EXE Win32/Toolbar.MyWebSearch.I application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054931.DLL Win32/Toolbar.MyWebSearch.I application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054932.DLL Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054933.EXE Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054934.DLL Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054935.DLL Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054943.DLL Win32/Toolbar.MyWebSearch.B application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054944.DLL Win32/Toolbar.MyWebSearch.H application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054945.DLL Win32/Toolbar.MyWebSearch.I application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054946.DLL Win32/Toolbar.MyWebSearch.P application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054947.DLL Win32/Toolbar.MyWebSearch.K application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054948.EXE Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054949.DLL Win32/Toolbar.MyWebSearch.J application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054950.DLL Win32/Toolbar.MyWebSearch application
    C:\System Volume Information\_restore{0C8D1A6C-3FCF-47AD-9431-4B64316DD3EA}\RP411\A0054951.DLL Win32/Toolbar.MyWebSearch application


    Hope this is of use to you, it's all gibberish to me!
    I have tried to disable the MyWeb service as instructed, but for some reason neither of the files is there, and as I don't understand what any of the files are for... I thought I'd tell you before disabling things
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, going by the large number of restore points with My Web Search and Fun Web Products, you've had these malware entries on the system for a while. I will have you drop the old restore points and set a new clean one when we finish. But you do need to stop frequenting these sites.
    --------------------------------
    Please reopen HijackThis to 'do system scan only.' Check each of the following if present:

    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    C:\Program Files\Trust\MI-2500X OPTICAL MOUSE\Mouse32a.exe
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
    R3 - URLSearchHook: (no name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Trust\MI-2500X OPTICAL MOUSE\Mouse32a.exe
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [DriverFinder] C:\Program Files\DriverFinder\DriverFinder.exe
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...Q&n=2011063015
    O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe


    Close all Windows except HijackThis and click on "Fix Checked."
    ====================================
    Details to remove FunWebProducts site and their partner sites:
    1. Click on Start> Settings> Control Panel> Add/Remove Programs
    2. Find "My Web Search" in the list of installed programs and click on Change/Remove to uninstall it. You may also want to uninstall any of the following items associated with FunWebProducts.
      [o] My Web Search (Smiley Central or FWP product as applicable)
      [o] My Way Speedbar (Smiley Central or other FWP as applicable)
      [o] My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
      [o] My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
      [o] Search Assistant - My Way
    3. Reboot your Computer.
    4. Right click on Start> Choose Explore.
    5. My Computer> Local Drive (C)> double-click on the Program Files folder
    6. Right-click and delete the folders for:
      [o] FunWebProducts
      [o] MyWebSearch
    7. If you have FunWebProducts saved as a Bookmark or Favorite, delete it
    8. Start> Run> type in services.msc> enter> double click on MyWebSearchService> change Startup type to Disabled> Stop the Service.
    --------------------------------
    Stay away from: Other FunWebProducts
    Smiley Central
    Cursor Mania
    FunBuddyIcons
    My Mail Stationery
    My Mail Signature
    My Mail Stamps
    Popular Screensavers
    Webfetti
    ============================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\system32\CoInst.dll
    c:\windows\system32\drivers\gwausb.sys
    Folder::
    c:\documents and settings\home\local settings\application data\Temp
    c:\documents and settings\home\local settings\application data\Deployment
    DDS::
    uURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    uRun: [DriverFinder] c:\program files\driverfinder\DriverFinder.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [FLMOFFICE4DMOUSE] c:\program files\trust\mi-2500x optical mouse\Mouse32a.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"=-
    "FLMOFFICE4DMOUSE"=-
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
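    The selection made in the 'Fix Checked' list above can be expressed as a small log triage script. This is an added example, not a tool from the thread: it reads a HijackThis 'system scan only' log and flags the FunWebProducts/MyWebSearch entries and the orphaned '(no file)' hooks and BHOs; the sample log is constructed from the entry types in this thread, and the marker list is an assumption, not an exhaustive signature set.

```python
"""Triage a HijackThis 2.0.4 'system scan only' log for the two things
flagged in this thread: FunWebProducts / MyWebSearch components and
orphaned entries whose target is '(no file)'."""
from __future__ import annotations

import re
from dataclasses import dataclass

# HijackThis prefixes every item with a section code: "R3 - ", "O4 - ", ...
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")

# Case-insensitive substrings that identify the FunWebProducts family as it
# appears in this thread: the install folder (long and 8.3 short name), the
# DLL/EXE names and the service.  Assumption: illustrative, not exhaustive.
MYWEBSEARCH_MARKERS = (
    "mywebsearch", "mywebs~1", "my web search", "funwebproducts",
    "mwsbar", "mwssrcas", "mwsoemon", "m3srchmn", "mwssvc",
)


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O2"
    reason: str   # "mywebsearch" or "orphan"
    line: str     # the original log line, i.e. the entry to tick in 'Fix Checked'


def classify(line: str) -> Finding | None:
    """Return a Finding for a suspicious HJT line, or None if it looks clean."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, process list or blank line
    section, body = m.group("section"), m.group("body")
    lowered = body.lower()
    if any(marker in lowered for marker in MYWEBSEARCH_MARKERS):
        return Finding(section, "mywebsearch", line.strip())
    # A hook or BHO whose file is gone is a dead registration left behind by
    # an incomplete uninstall; it does nothing but is safe to remove.
    if lowered.endswith("(no file)"):
        return Finding(section, "orphan", line.strip())
    return None


def triage(log_text: str) -> list[Finding]:
    """Scan every line of an HJT log and collect the flagged entries."""
    return [f for f in map(classify, log_text.splitlines()) if f is not None]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per reason, e.g. {'mywebsearch': 4, 'orphan': 2}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


# Constructed sample: a handful of entries modelled on the ones listed above
# for 'Fix Checked', plus two legitimate entries that must not be flagged.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
R3 - URLSearchHook: (no name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.reason:<11}] {f.line}")
    print(summarize(found))  # {'mywebsearch': 4, 'orphan': 2}
```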
     
  8. chelle400z

    chelle400z TS Rookie Topic Starter

    RE: Need help, task manager running 2 iexplorers, comp running really slow

    Hi Bobbye, I am grateful for all the help you're giving me, have done as asked again, although it did cause a few problems... my modem refused to work properly, and by hook or by crook I managed to sort it out... all on me own! The log of the scan you asked for is here:

    ComboFix 11-09-27.01 - Home 27/09/2011 19:45:39.2.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.452 [GMT 1:00]
    Running from: c:\documents and settings\Home\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Home\Desktop\CFScript.txt
    FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
    .
    FILE ::
    "c:\windows\system32\CoInst.dll"
    "c:\windows\system32\drivers\gwausb.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\home\local settings\application data\Deployment
    c:\documents and settings\home\local settings\application data\Temp
    c:\program files\common files\adobe\arm\1.0\AdobeARM.exe
    c:\program files\quicktime\qttask.exe
    c:\program files\trust\mi-2500x optical mouse\Mouse32a.exe
    c:\windows\system32\CoInst.dll
    c:\windows\system32\drivers\gwausb.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_wanusb
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-08-27 to 2011-09-27 )))))))))))))))))))))))))))))))
    .
    .
    2011-09-26 00:54 . 2011-09-26 00:54 -------- d-----w- c:\documents and settings\Home\Application Data\AVG2012
    2011-09-26 00:51 . 2011-09-27 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
    2011-09-26 00:51 . 2011-09-26 00:51 -------- d-----w- c:\program files\AVG
    2011-09-26 00:48 . 2011-09-27 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-09-25 23:39 . 2011-09-25 23:39 -------- d-----w- c:\program files\ESET
    2011-09-17 21:42 . 2011-09-17 21:42 -------- d-----w- c:\documents and settings\Home\Application Data\Malwarebytes
    2011-09-17 21:42 . 2011-09-17 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-09-17 21:42 . 2011-09-17 21:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-09-17 21:42 . 2011-08-31 16:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-09-03 10:17 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
    2011-08-30 23:58 . 2011-08-30 23:58 -------- d-----w- c:\program files\Common Files\Adobe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-09 09:12 . 2004-08-12 13:56 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-08-21 09:00 . 2011-08-21 09:00 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2011-08-03 07:58 . 2011-08-03 07:58 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-15 13:29 . 2004-08-12 14:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02 . 2004-08-12 14:01 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-09-25_23.34.15 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-09-27 18:51 . 2011-09-27 18:51 16384 c:\windows\temp\Perflib_Perfdata_37c.dat
    + 2011-09-26 00:52 . 2011-09-26 00:52 4658688 c:\windows\Installer\56fa52.msi
    + 2011-09-26 00:51 . 2011-09-26 00:51 2185216 c:\windows\Installer\56fa4e.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-06-23 98304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-06-23 86016]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-06-23 81920]
    "RTHDCPL"="RTHDCPL.EXE" [2006-06-01 16208384]
    "SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "HTC Sync Loader"="c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-01-27 585728]
    "DSLSTATEXE"="c:\program files\Voyager 105 ADSL Modem\dslstat.exe" [2004-05-27 1659050]
    "DSLAGENTEXE"="c:\program files\Voyager 105 ADSL Modem\dslagent.exe" [2004-05-27 16384]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=QUFTWUwtR1o5VzItTlFIWEMtUVRJUlctWVlKQlktUQ&inst=NzYtOTMxNzA4NTk4LVNUMTJPSSsxLUREVCswLUVVTEErMS1TVDEyQVBQKzE&prod=92&ver=2012.0.1809&mid=db64ee367e3cf4c5dead84c92d371cae-06ce4fc639803a2e3563922518183d8e94088cb9" [?]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2005-05-03 10:43 69632 -c--a-w- c:\windows\ALCMTR.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 04:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTC Sync Loader]
    2011-01-27 17:57 585728 ----a-w- c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 04:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
    .
    R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [21/08/2011 10:00 53816]
    R1 RapportCerberus_29574;RapportCerberus_29574;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_29574.sys [21/08/2011 10:03 216912]
    R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [21/08/2011 10:00 66360]
    R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [21/08/2011 10:00 158904]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [17/09/2011 22:42 366152]
    R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [16/09/2010 14:06 80896]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [21/08/2011 10:00 870200]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [17/09/2011 22:42 22216]
    S2 Ca1528av;SPCA1528 Video Camera Service;c:\windows\system32\drivers\Ca1528av.sys [06/03/2011 18:07 516480]
    S3 Bulk1528;SPCA1528 Still Camera Service;c:\windows\system32\drivers\Bulk1528.sys [06/03/2011 18:07 11648]
    S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [01/10/2010 00:20 24576]
    S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [22/06/2010 18:01 21248]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-09-24 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.topcashback.co.uk/home
    TCP: Interfaces\{F397BB4F-2E94-4E1E-8CBA-4EB0D3ECD51E}: NameServer = 195.184.228.6 195.184.228.7
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-09-27 19:51
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1993962763-823518204-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2368)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\rundll32.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2011-09-27 19:54:07 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-09-27 18:54
    ComboFix2.txt 2011-09-25 23:35
    .
    Pre-Run: 122,255,855,616 bytes free
    Post-Run: 122,216,013,824 bytes free
    .
    - - End Of File - - C0C3F1B6099B87A6A283F01D9233A8CB


    Of the files you asked me to delete in HJT, there were only three, and have looked in add/remove and there are no "MYWEB" anything, so may have deleted it previously. Will try to avoid the sites you told me about, don't really use the comp for much else than ebay and facebook... Thanks again for your help :)
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Can you give me an update on the system status please.
     
  10. chelle400z

    chelle400z TS Rookie Topic Starter

    Thanks for the reply, sorry it took so long to answer, at the moment, I have only this page open and iexplorer.exe is running at 135,284k and the system is running at 122,036. Although the computer tends to load pages quite quickly at times, other times it seems to freeze... not sure if this is the info you want but please let me know if you need specifics, am not the best when it comes to computer-speak...
    Thanks
    Chelle
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Questions:

    1. Do you have to run this the entire time? http://www.topcashback.co.uk/
    Be aware that you do not get something for nothing on the internet! At the very least, you will get adware> something has to generate the cash they give back!

    2. Do you know how much RAM is installed? To check:
    Start> Control Panel> System> the RAM should be given on the lower part of the page.

    3. Did you know that none of the following need to start on boot? Each can be opened through All Programs. They can be unchecked using the msconfig utility as follows:
    To remove entries from the Startup Menu using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
    • Click on Selective Startup
    • Choose the Startup tab:
      All images courtesy NetSquirrel
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
    • Uncheck any processes you do not need to start on boot.
    • Click on Apply> OK when finished.
    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Remain in Selective Startup to retain those changes.
    ----------------------------------
    The list above is from your installed programs. Remove any auto-updaters. They will start on boot, run in the background and contact the internet many times each day looking for an update. The only program that needs to auto-update is the AV program.

    Printers, cameras, CD/DVD burning software, uploaders, etc. can be opened as needed.
    Windows XP has a built in extractor (unzipper). You don't need to run Win Zip.

    Taking the programs off of Startup does not uninstall them.
    =================================
    You can also run the 'do system scan only' again for HijackThis and running processes for the above can be stopped. If you'd like to do this also, run the program but don't make any changes; leave the log for me to check.
     
  12. chelle400z

    chelle400z TS Rookie Topic Starter

    Thanks again Bobbye for the quick response. Have done the msconfig, and also removed some of the programs you mentioned, ones I felt safe doing... also ran HJT after everything else, this is what the scan came up with:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 23:45:16, on 09/10/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
    C:\Program Files\AVG\AVG2012\avgcsrvx.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
    C:\Program Files\AVG\AVG2012\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AVG\AVG2012\avgnsx.exe
    C:\Program Files\AVG\AVG2012\avgemcx.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Home\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
    O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=QUFTWUwtR1o5VzItTlFIWEMtUVRJUlctWVlKQlktUQ"&"inst=NzYtOTMxNzA4NTk4LVNUMTJPSSsxLUREVCswLUVVTEErMS1TVDEyQVBQKzE"&"prod=92"&"ver=2012.0.1809"&"mid=db64ee367e3cf4c5dead84c92d371cae-06ce4fc639803a2e3563922518183d8e94088cb9
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F397BB4F-2E94-4E1E-8CBA-4EB0D3ECD51E}: NameServer = 195.184.228.6 195.184.228.7
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Internet Pass-Through Service (PassThru Service) - Unknown owner - C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
    O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

    --
    End of file - 6001 bytes
    Chelle
     
  13. chelle400z

    chelle400z TS Rookie Topic Starter

    Oh, forgot... have 0.99GB ram installed, and use the topcashback website when browsing Ebay lol, have to learn not to :)
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Better said that you have 1024MB.

    For Windows XP to run well, you need at least 512MB of RAM. Double that and you have .99GB.
    So you're pushing the limits!
    ===================================
    We need to do 2 short scans:

    Please run this Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    FileLook::
    c:\windows\system32\winsrv.dll
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    Then update and run the Eset online scan.
     
