New computer and OS (Vista) causing me troubles

Solved
By Kaelkitty
Oct 30, 2010
Topic Status:
Not open for further replies.
  1. OK - I don't know who will be picking up this thread, but PLEASE pass on thanks to Bobbye for me for the help he gave me a few months ago. There may be remnants of stuff from his fix on this system because we hadn't quite completed the process when I was sidelined (bad health) for about three weeks, and when I came back the thread was closed so I let it go as it appeared the problem was remedied, but there are still probably some files in my system from that repair (due to the transferring of everything from my old system), as Bobbye had not done the final clean-up.

    Now, onto my current difficulties!

    About two weeks ago the motherboard died in my old computer, which was running XP (this was the one Bobbye was helping me with) I was quoted $600 to upgrade my old system, or $380 to replace it. Since I had to borrow the money as an advance payment from my Social Security benefits, I opted for the lower amount, which got me a more powerful system in any case. The new system originally had Vista installed but I really wanted to keep XP so the place I got the computer from tried to transfer everything directly from my old system to the new one and initially it seemed to work OK but then we ran into troubles.

    I took it back and was advised that XP really wasn't suited to my new system and that I should upgrade to Vista which I did (reluctantly) - paying out another $50 for the "privilege"! This has given me many problems to sort through as I have fairly severe disability problems (I have fought and sweated to return my desktop appearance to match what I had before (a specially modified version of the Windows Classic theme which takes into account all of the visual peculiarities associated with my Asperger's Syndrome, Keratoconus, Astigmatism and extreme Myopia) I have since spoken with the computer supplier on numerous occasions, and HAD solved some of my difficulties - at least to the point where I felt I should stop imposing on the poor man. My plan was to take his advice and gradually work through all of the software on my system, update it, and remove anything I no longer used - in fact to give my computer and files a long overdue and very much needed clear up.

    However I seemed to have stuffed up today, or something has gone majorly wrong. Yesterday, (about 8.30pm) I noticed that the Vista Service Pack 2 was available so I dutifully clicked on the System Tray icon and installed it - all seemed OK and I went off for the evening. This morning I was pursuing my program of "going through stuff" and I discovered the Problem Reports and Solutions tool in the Control Panel - I was somewhat annoyed to discover that this had been reporting stuff to Microsoft without my knowledge so I changed the permissions to ask me first and then (possibly stupidly) tried to make a shortcut to the tool by dragging to to my desktop (to be fair to me that's how I've always made shortcuts in the past). You can imagine my HORROR when I closed the Control Panel (it was running full-screen) only to find that most of my Icons (about 95%) had disappeared from my desktop!

    I restarted the system and came back to find the Desktop still denuded of all my folders and files. I looked at the Desktop folder in Windows Explorer - still no files appeared, beyond those which matched the remaining icons on the desktop! This gave me the most horrible cold and clammy sensation and I was just about to panic completely when I remembered System Restore. I made a restore point of the "as was" (just in case going back made things worse) and used the most recent System Restore Point I could find which was one from last night. I am not sure if that has removed the Service Pack 2 upgrade or not, but I suspect it may well have done so. Anyway, coming back to the Desktop, I was much relieved to find things back as I had left them before all of the drama. What worries me, as it has done for a long time before I got this new machine, is that I don't know enough to get things how I need them to be, without making a mess of it.

    What I am wondering is if someone here will have the patience and the ability to help me with MORE than just virus cure and prevention. I also really NEED help in fixing the customisation on my system as I suspect that at least some of the trouble I am having is due to my former XP based solutions NOT WORKING in Vista. I am afraid that Service Pack 2 also caused problems when it was installed last night.

    Initially, I have (or had) the following problems

    ON Thursday afternoon I was going through all of the Screensavers in the list in the computer, trying to find something acceptable to replace my beloved old "Starfield" - when I chose the option in between "Matrix Code" and "Mystify" This option was titled "mbt_ss_pc" - as soon as I clicked on it AVG went nuts and my whole computer froze up. I had to use Control/Alt/Del to back out, shut down and restart. Even after running AVG, TFC, and the MalwareBytes program - that option is still showing in my screensaver list - I find it very scary!

    I can't cope with "Search" at all (I had problems with it in XP too, but not as bad) I have had to install a third party search tool (Superfinder XT) but I need to have it run at Startup and I'm not sure how to do that. There are also other (unwanted) entries in Startup that I need to remove - I have disabled them with RegCure but I need some hand holding to go through them and get rid of them for good.

    I need to change several icons permanently viz, the Control Panel Icon, the Default Folder Icon, and the Icon I use for my DOS database program - I think it was rooting around on the Internet yesterday looking for solutions to this which may well have lead to my current virus problem. Actually, what I would REALLY prefer is to have my XP style icons back - I need to have the icons on my screen very small or they interfere with me reading the file and folder names, and the Vista Icons are very hard to see properly at very small sizes so they become non functional.

    Also, I am not sure what function the "User" Icon on the Desktop serves for me as I am the ONLY person who touches this computer - if I don't need it, how can I get it off my screen, as it won't drag and drop? I find myself very confused by the changes between XP and Vista in terms of file permissions and which things should be placed where; I could really use some proper guidance in this area.

    I can't get my "Wake Me Up" utility working and I need it for the Hourly chime. I get a message saying "Unable to execute file: c:\Program File\Wake Me Up\Wake Me Up.exe" "CreateProcess failed; code 740. The requested operation requires elevation." whatever that means! However, the bell Icon for it DOES appear in my System Tray, but when I click on it AVG says it is a virus?

    Another small utility I use, "Date in Tray" is only appearing intermittently at Startup - sometimes the Icon is in the System Tray, sometimes it isn't!

    I'm also having trouble with my taskbar clock - what I NEED is to be able to always see the seconds displayed as well as AM or PM ie 12:38:55pm - I'm currently using a really ugly clock skin for this but I need to change it as the "transparency" feature doesn't work right and it seems to become unstable if you change it back and forth a lot - what I would really prefer is that the system itself just displayed "12:38:55pm" in my normal font and colour scheme all the time - no matter WHAT skin I change this current thing to it remains ugly and obtrusive on my screen!

    Anyway - that is more than enough to start with!

    I am following the 8 Step Program from the beginning again:

    Step 1/ Ran a complete scan with AVG Free - No Issues found

    Step 2/ Downloaded and intalled a fresh instance of Malwarebytes. Updated and ran it
    Found Adware.Dropper in C:\Users_2\Desktop\SetupPlaySushi.exe
    Found Trojan.I.Stole.Windows in C:\Windows\Sysem32\antiwpa.dll

    These were successfully removed - Here are the Log Contents:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 5003

    Windows 6.0.6001 Service Pack 1
    Internet Explorer 7.0.6001.18000

    31/10/2010 10:04:11 AM
    mbam-log-2010-10-31 (10-04-11).txt

    Scan type: Quick scan
    Objects scanned: 148307
    Time elapsed: 8 minute(s), 0 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Users\User_2\Desktop\SetupPlaySushi.exe (Adware.Dropper) -> Quarantined and deleted successfully.
    C:\Windows\System32\antiwpa.dll (Trojan.I.Stole.Windows) -> Quarantined and deleted successfully.

    I will come back and add the GMER log in my next post,

    Yours Sincerely, Kaelkitty.
  2. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    Oops,
    I have run Gmer with the internet modem plugged in. Will that cause any problems with the report? Gmer appeared to run fine and found nothing untoward.

    Here are the Gmer.log contents.

    GMER 1.0.15.15477 - http://www.gmer.net
    Rootkit scan 2010-10-31 16:25:08
    Windows 6.0.6001 Service Pack 1
    Running: m2u1jzt9.exe; Driver: C:\Users\User_2\AppData\Local\Temp\kftcqkod.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x9F3D6780]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x9F3D6830]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x9F3D68D0]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x9F3D6970]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!KeInsertQueue + 5E1 81C79C28 4 Bytes [80, 67, 3D, 9F] {AND BYTE [EDI+0x3d], 0x9f}
    .text ntoskrnl.exe!KeInsertQueue + 811 81C79E58 8 Bytes [30, 68, 3D, 9F, D0, 68, 3D, ...] {XOR [EAX+0x3d], CH; LAHF ; SHR BYTE [EAX+0x3d], 0x1; LAHF }
    .text ntoskrnl.exe!KeInsertQueue + 871 81C79EB8 4 Bytes CALL BF310F3E
    ? System32\drivers\jbtie.sys The system cannot find the path specified. !

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs sisidex.sys (SISIDEX Driver/Windows (R) 2000 DDK provider)
    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----

    Sorry about that! I HAVE to go and do some actual work now - I will check back either around midnight, or tomorrow afternoon as I won't be available tomorrow morning.

    Here is some supplementary info you might find useful

    Windows Problem Reports and Solutions Applet information.

    Product Problem Date Status

    BatchIconExtractor.exe Program Compatibility 30/10/2010 6:42 PM Not Reported

    Driver software installation (5)
    Driver software installation Installed generic driver software 23/10/2010 5:41 PM Report Sent
    Driver software installation Could not install driver software for device 23/10/2010 5:41 PM Report Sent
    Driver software installation Installed generic driver software 26/10/2010 6:50 PM Report Sent
    Driver software installation Installed generic driver software 30/10/2010 9:22 PM Report Sent
    Driver software installation Could not install driver software for device 31/10/2010 8.48 PM Report Sent

    Host Process for Wîndows Services
    Host Process for Wîndows Services Windows Update installation problem 30/10/2010 9:23 PM Report Sent

    Powerful replacement of Win Built-In Search
    Powerful replacement of Win Built-In Search Stopped working 28/10/2010 9:00 PM Report Sent

    Standard VGA Graphics Adapter
    Standard VGA Graphics Adapter Could not load driver software 23/10/2010 5:41 PM Report Sent

    Windows
    Windows Shut down unexpectedly 28/10/2010 1:05 PM Report Sent

    Windows Media Player (6)
    Windows Media Player Stopped working 27/10/2010 11:05 PM Report Sent
    Windows Media Player Stopped working 27/10/2010 11:05 PM Report Sent
    Windows Media Player Stopped working 27/10/2010 11:05 PM Report Sent
    Windows Media Player Stopped working 27/10/2010 11:12 PM Report Sent
    Windows Media Player Stopped working 27/10/2010 11:15 PM Report Sent
    Windows Media Player Stopped working 27/10/2010 11:17 PM Report Sent


    Here are the basic specifications for my new computer system

    Operating System: MS Windows Vista Home Premium 32-bit SP1
    Installation Date: 23 October 2010, 18:11
    CPU: Intel Core 2 Duo E6300 @ 1.86GHz Conroe 65nm Technology
    RAM: 2.0GB DDR2
    Motherboard: Dell Inc. 0GX297 (Microprocessor)
    Graphics: CMC 17" AD @ 1280x1024
    Intel(R) Q965/Q963 Express Chipset Family
    Intel(R) Q965/Q963 Express Chipset Family
    Hard Drives: 156.25GB Seagate ST3160815AS ATA Device (Unknown Interface)
    Optical Drives: SONY DVD-ROM DDU810A ATA Device
    Audio: High Definition Audio Device

    I don't want to go any further just now in case you need me to do the Gmer scan again - without the modem plugged in! Please leave a reply regarding this and I will check back within the next 24 hours.
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome back! I'll help with any current malware problems- but If system settings are still a problem when done, I will refer you to the Windows OS forum for that.

    Please realize that the fewer words you use to explain the problem, the better it is to get help. The volume of malware problems in this forum is too large to read through long reports. And you will also need patience. When you get a reply, if you have subscribed to a thread, you will get a notification in your email, so you do not need to check back every few hours.

    I don't understand waht you are referring to about the modem being plugged in during GMER. You do not have to disable any Devices unless there is some problem running GMER.
    ===========================================
    You know what we ask to begin: Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply .Save telling me you ran a program and just post the logs. We will get further faster that way.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    FYI: We close a thread if there hasn't been a reply in 5 days. A member has the option to send the helper a PM and request the thread be reopened.
  4. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    Hello Bobbye,
    Glad to hear from you. Sorry I'm so verbose (it's an Asperger's thing!) I'll try to shut up! I'll repeat the logs here.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 5003

    Windows 6.0.6001 Service Pack 1
    Internet Explorer 7.0.6001.18000

    31/10/2010 10:04:11 AM
    mbam-log-2010-10-31 (10-04-11).txt

    Scan type: Quick scan
    Objects scanned: 148307
    Time elapsed: 8 minute(s), 0 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    GMER 1.0.15.15477 - http://www.gmer.net
    Rootkit scan 2010-10-31 16:25:08
    Windows 6.0.6001 Service Pack 1
    Running: m2u1jzt9.exe; Driver: C:\Users\User_2\AppData\Local\Temp\kftcqkod.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x9F3D6780]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x9F3D6830]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x9F3D68D0]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x9F3D6970]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!KeInsertQueue + 5E1 81C79C28 4 Bytes [80, 67, 3D, 9F] {AND BYTE [EDI+0x3d], 0x9f}
    .text ntoskrnl.exe!KeInsertQueue + 811 81C79E58 8 Bytes [30, 68, 3D, 9F, D0, 68, 3D, ...] {XOR [EAX+0x3d], CH; LAHF ; SHR BYTE [EAX+0x3d], 0x1; LAHF }
    .text ntoskrnl.exe!KeInsertQueue + 871 81C79EB8 4 Bytes CALL BF310F3E
    ? System32\drivers\jbtie.sys The system cannot find the path specified. !

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs sisidex.sys (SISIDEX Driver/Windows (R) 2000 DDK provider)
    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----


    DDS logs to follow in next post
  5. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    Here's the DDS Log

    DDS (Ver_10-10-31.01) - NTFSx86
    Run by User_2 at 7:53:41.41 on 01/11/2010
    Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_21
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2037.1058 [GMT 10.5:30]

    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Atomic Clock Sync\Atomic.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\DU Meter\DUMeterSvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\WakeMeUp\WMUAgent.exe
    C:\Program Files\DU Meter\DUMeter.exe
    C:\Program Files\SarbyxTrayClock\trayclock.exe
    C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
    C:\Program Files\WakeMeUp\WMUTray.exe
    C:\Program Files\Sharp\Button Manager A\btnman.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\DateInTray\DateInTray.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Windows\Explorer.exe
    C:\Program Files\FSL\SuperFinder\SuperFinder.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\WakeMeUp\WMUSvc.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Windows\system32\iashost.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\AVG\AVG10\avgemcx.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\User_2\Desktop\dds.scr
    C:\Windows\system32\conime.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uDefault_Search_URL = hxxp://www.google.com/ie
    uStart Page = about:blank
    uInternet Settings,ProxyOverride =

    *.IPrimus.com.au;192.168.1.254;10.*;172.16.*;172.17.*;172.18.*;172.19.*;172.20.*;172.21.*;172.22.*;172.23.*;172.24.*;172.25.*;172.26.*;172.27.*;172.28.*;172.29.*;172.30.*;172.31.*;192.16

    8.*;<local>
    uInternet Settings,ProxyServer = http=proxy.iprimus.com.au:8080;https=proxy.iprimus.com.au:8080;ftp=proxy.iprimus.com.au:8080
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: eBay Toolbar Helper: {22d8e815-4a5e-4dfb-845e-aab64207f5bd} - c:\program files\ebay\ebay toolbar2\eBayTB.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Watch for Browser Events: {516e2306-7adf-47ec-aea8-acb6b51899f1} - c:\progra~1\macroe~1\iCapture.dll
    BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    BHO: TweakMASTER PRO Component: {7daac7de-9ef0-4ff0-bfa5-aff3e899054c} - c:\progra~1\tweakm~1\TweakBHO.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: IEPlugin Class: {cf7c3cf0-4b15-11d1-abed-709549c10000} - c:\program files\advanced system optimizer\IEHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    TB: eBay Toolbar: {92085ad4-f48a-450d-bd93-b28cc7df67ce} - c:\program files\ebay\ebay toolbar2\eBayTB.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    uRun: [autosaver.exe] "c:\program files\autosave\Autosave.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [DU Meter] c:\program files\du meter\DUMeter.exe
    uRun: [SarbyxTrayClock] c:\program files\sarbyxtrayclock\trayclock.exe
    uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
    uRun: [WMUTray.exe] c:\program files\wakemeup\WMUTray.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [eBayToolbar] c:\program files\ebay\ebay toolbar2\eBayTBDaemon.exe
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [TweakMASTER] "c:\program files\tweakmaster\TMTray.exe"
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [Atomic.exe] c:\program files\atomic clock sync\Atomic.exe
    mRun: [WMUAgent.exe] c:\program files\wakemeup\WMUAgent.exe
    StartupFolder: c:\users\user_2\appdata\roaming\micros~1\windows\startm~1\programs\startup\datein~1.lnk - c:\program files\dateintray\DateInTray.exe
    StartupFolder: c:\users\user_2\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\users\user_2\appdata\roaming\micros~1\windows\startm~1\programs\startup\superf~1.lnk - c:\program files\fsl\superfinder\SuperFinder.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\button~1.lnk - c:\program files\sharp\button manager a\btnman.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to &LinkFox - c:\progra~1\tweakm~1\TweakBHO.dll/IESCRIPT
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
    IE: eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
    IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Plants%20vs.%20Zombies/Images/stg_drm.ocx
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/armhelper.ocx
    TCP: {2A38118D-A1F2-4939-98FB-E866EDFE0BD5} = 203.134.64.66,203.134.65.66
    TCP: {B9A7FD29-B4B4-4092-B3E5-6F847B25DC57} = 208.67.220.220,208.67.222.222
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Notify: Antiwpa - antiwpa.dll
    Notify: igfxcui - igfxdev.dll
    SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\user_2\appdata\roaming\mozilla\firefox\profiles\3e4h8dlg.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
    FF - prefs.js: browser.startup.homepage - hxxp://davesgarden.com/tools/journal/viewbycat.php?catsort=name1&cat=50491|http://davesgarden.com/guides/pf/adv_search.php?searcher[common%

    5D=&searcher%5Bfamily%5D=&searcher%5Bgenus%5D=cyperus&searcher%5Bspecies%5D=natalensis&searcher%5Bcultivar%5D=&searcher%5Bhybridizer%5D=&searcher%5Bgrex%

    5D=&search_prefs%5Bblank_cultivar%5D=&search_prefs%5Bsort_by%5D=genus&images_prefs=both&Search=Search|http://davesgarden.com/tools/journal/viewentry.php?

    rid=153878|http://davesgarden.com/tools/journal/viewentry.php?rid=150918|http://www.google.com.au/
    FF - prefs.js: keyword.URL - hxxp://au.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_au&p=
    FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
    FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
    FF - component: c:\users\user_2\appdata\roaming\mozilla\firefox\profiles\3e4h8dlg.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    FF - component: c:\users\user_2\appdata\roaming\mozilla\firefox\profiles\3e4h8dlg.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npigl.dll
    FF - plugin: c:\users\user_2\appdata\roaming\facebook\npfbplugin_1_0_3.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation

    foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-18 64160]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 298448]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-10-11 6104656]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-9-10 265400]
    R2 DUMeterSvc;DU Meter Service;c:\program files\du meter\DUMeterSvc.exe [2009-3-1 1391136]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-21 179712]
    S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-7-1 632792]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-10-26 517448]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-10 1029456]

    =============== Created Last 30 ================

    2010-10-30 07:58:13 -------- d-----w- c:\users\user_2\appdata\roaming\RealWorld
    2010-10-30 07:57:43 -------- d-----w- c:\program files\RealWorld Icon Editor
    2010-10-28 22:26:06 74752 ----a-w- c:\windows\system32\newdev.exe
    2010-10-28 22:26:06 468992 ----a-w- c:\windows\system32\newdev.dll
    2010-10-28 01:20:49 9728 ----a-w- c:\windows\system32\ftlx041e.dll
    2010-10-28 01:20:49 9216 ----a-w- c:\windows\system32\ftlx0411.dll
    2010-10-28 01:20:49 296960 ----a-w- c:\windows\winhlp32.exe
    2010-10-28 01:20:49 194560 ----a-w- c:\windows\system32\ftsrch.dll
    2010-10-27 16:31:44 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2010-10-27 16:31:44 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2010-10-27 16:31:44 297808 ----a-w- c:\windows\system32\mscoree.dll
    2010-10-27 16:31:44 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2010-10-27 16:31:44 1130824 ----a-w- c:\windows\system32\dfshim.dll
    2010-10-27 16:30:54 231936 ----a-w- c:\windows\system32\msshsq.dll
    2010-10-27 11:51:15 -------- d-----w- c:\program files\SarbyxTrayClock
    2010-10-27 10:44:31 -------- d-----w- c:\program files\FSL
    2010-10-27 03:46:02 303616 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-10-27 03:46:02 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2010-10-27 03:46:02 101888 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-10-27 03:46:01 17920 ----a-w- c:\windows\system32\netevent.dll
    2010-10-27 03:46:01 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
    2010-10-27 03:45:51 378368 ----a-w- c:\windows\system32\winhttp.dll
    2010-10-27 03:45:45 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-10-27 03:45:45 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-10-27 03:45:25 738816 ----a-w- c:\windows\system32\inetcomm.dll
    2010-10-26 17:17:07 80896 ----a-w- c:\windows\system32\MSNP.ax
    2010-10-26 17:17:07 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
    2010-10-26 17:17:07 177664 ----a-w- c:\windows\system32\mpg2splt.ax
    2010-10-26 17:17:04 428544 ----a-w- c:\windows\system32\EncDec.dll
    2010-10-26 17:17:04 293376 ----a-w- c:\windows\system32\psisdecd.dll
    2010-10-26 17:17:04 217088 ----a-w- c:\windows\system32\psisrndr.ax
    2010-10-26 17:05:18 454656 ----a-w- c:\program files\common files\system\msadc\msadce.dll
    2010-10-26 16:49:10 97800 ----a-w- c:\windows\system32\infocardapi.dll
    2010-10-26 16:49:08 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
    2010-10-26 16:49:05 622080 ----a-w- c:\windows\system32\icardagt.exe
    2010-10-26 16:49:05 37384 ----a-w- c:\windows\system32\infocardcpl.cpl
    2010-10-26 16:49:05 11264 ----a-w- c:\windows\system32\icardres.dll
    2010-10-26 16:49:00 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
    2010-10-26 16:40:20 158720 ----a-w- c:\windows\system32\mscorier.dll
    2010-10-26 16:40:15 83968 ----a-w- c:\windows\system32\mscories.dll
    2010-10-26 16:35:19 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-10-26 16:35:18 411136 ----a-w- c:\windows\system32\drivers\http.sys
    2010-10-26 16:35:17 31232 ----a-w- c:\windows\system32\httpapi.dll
    2010-10-26 02:35:30 -------- d-----w- c:\users\user_2\appdata\local\AVG Security Toolbar
    2010-10-26 02:20:32 -------- d-----w- c:\users\user_2\appdata\roaming\AVG10
    2010-10-26 02:18:05 -------- d--h--w- c:\progra~2\Common Files
    2010-10-26 02:17:36 -------- d-----w- c:\progra~2\AVG Security Toolbar
    2010-10-26 02:15:34 -------- d-----w- c:\progra~2\AVG10
    2010-10-25 23:10:46 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
    2010-10-25 23:10:43 2644480 ----a-w- c:\windows\system32\NlsLexicons0009.dll
    2010-10-25 23:10:34 801280 ----a-w- c:\windows\system32\NaturalLanguage6.dll
    2010-10-25 22:56:53 168960 ----a-w- c:\program files\windows media player\wmplayer.exe
    2010-10-25 22:55:30 513024 ----a-w- c:\windows\system32\wlansvc.dll
    2010-10-25 22:54:59 430080 ----a-w- c:\windows\system32\vbscript.dll
    2010-10-25 22:53:49 636928 ----a-w- c:\windows\system32\localspl.dll
    2010-10-25 22:52:52 866816 ----a-w- c:\windows\system32\wmpmde.dll
    2010-10-25 22:51:57 313344 ----a-w- c:\windows\system32\wmpdxm.dll
    2010-10-25 22:51:56 43520 ----a-w- c:\windows\system32\msdxm.tlb
    2010-10-25 22:51:56 18432 ----a-w- c:\windows\system32\amcompat.tlb
    2010-10-25 22:51:51 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-10-25 22:51:51 511488 ----a-w- c:\windows\system32\RMActivate.exe
    2010-10-25 22:51:51 472576 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-10-25 22:51:51 472064 ----a-w- c:\windows\system32\secproc.dll
    2010-10-25 22:51:51 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-10-25 22:51:51 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-10-25 22:51:50 329216 ----a-w- c:\windows\system32\msdrm.dll
    2010-10-25 22:51:50 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-10-25 22:51:50 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-10-25 22:51:23 1695744 ----a-w- c:\windows\system32\gameux.dll
    2010-10-25 22:49:35 91136 ----a-w- c:\windows\system32\avifil32.dll
    2010-10-25 22:37:22 2730536 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\backup\mpengine.dll
    2010-10-25 22:37:14 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{8775ad05-0a51-44b3-a9ad-b063b080a53a}\mpengine.dll
    2010-10-25 22:37:13 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-25 22:28:05 171520 ----a-w- c:\windows\system32\wintrust.dll
    2010-10-25 22:27:56 98304 ----a-w- c:\windows\system32\cabview.dll
    2010-10-25 22:21:40 2421760 ----a-w- c:\windows\system32\wucltux.dll
    2010-10-25 22:21:25 87552 ----a-w- c:\windows\system32\wudriver.dll
    2010-10-25 00:22:54 33792 ----a-w- c:\windows\system32\wuapp.exe
    2010-10-25 00:22:54 171608 ----a-w- c:\windows\system32\wuwebv.dll
    2010-10-24 23:47:39 -------- d-----w- c:\users\user_2\appdata\local\VirtualStore
    2010-10-24 01:24:38 -------- d--h--w- C:\$WINDOWS.~Q
    2010-10-24 01:19:57 -------- d--h--w- C:\$INPLACE.~TR
    2010-10-23 06:45:33 -------- d-sh--w- C:\Boot
    2010-10-22 05:14:20 -------- d-----w- c:\program files\Stardock
    2010-10-21 00:20:51 -------- d-----w- c:\progra~2\Alwil Software
    2010-10-20 02:59:52 -------- d-----w- c:\progra~2\MFAData
    2010-10-19 08:03:52 920088 ----a-w- c:\windows\system32\igxpun.exe
    2010-10-19 08:03:52 319456 ----a-w- c:\windows\system32\difxapi.dll
    2010-10-19 08:03:52 -------- d-----w- c:\windows\system32\Lang
    2010-10-19 08:03:45 -------- d-----w- C:\Intel
    2010-10-18 06:54:44 -------- d-----w- c:\users\user_2\appdata\roaming\DeviceDoctorSoftware
    2010-10-18 06:54:39 -------- d-----w- c:\program files\Device Doctor
    2010-10-18 06:49:05 -------- d-----w- c:\program files\Broadcom
    2010-10-18 06:48:20 -------- d-----w- C:\dell
    2010-10-18 02:49:26 -------- d-----w- c:\program files\Online Services

    ==================== Find3M ====================

    2010-09-10 16:37:06 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2010-09-08 17:26:59 833024 ----a-w- c:\windows\system32\wininet.dll
    2010-09-08 17:23:42 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-09-08 15:53:07 389632 ----a-w- c:\windows\system32\html.iec
    2010-09-08 15:28:29 1383424 ----a-w- c:\windows\system32\mshtml.tlb
    2010-08-31 15:41:42 954752 ----a-w- c:\windows\system32\mfc40.dll
    2010-08-31 15:41:42 954288 ----a-w- c:\windows\system32\mfc40u.dll
    2010-08-31 15:40:26 531968 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-31 13:39:46 2037248 ----a-w- c:\windows\system32\win32k.sys
    2010-08-26 16:07:25 157184 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-26 16:01:35 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
    2010-08-26 16:01:33 459776 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2010-08-26 16:01:32 541696 ----a-w- c:\windows\apppatch\AcLayers.dll
    2010-08-26 16:01:32 2153984 ----a-w- c:\windows\apppatch\AcGenral.dll
    2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-17 13:32:33 126464 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-10 15:02:22 274432 ----a-w- c:\windows\system32\schannel.dll

    ============= FINISH: 7:54:31.16 ===============
  6. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    Here is the Attach Log


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-10-31.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 23/10/2010 6:11:48 PM
    System Uptime: 31/10/2010 10:14:49 PM (9 hours ago)

    Motherboard: Dell Inc. | | 0GX297
    Processor: Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz | Microprocessor | 1860/1066mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 149 GiB total, 61.205 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0001
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0001
    Service: tunmp

    ==== System Restore Points ===================

    RP15: 28/10/2010 12:27:37 AM - Scheduled Checkpoint
    RP16: 28/10/2010 3:00:20 AM - Windows Update
    RP17: 28/10/2010 8:45:34 AM - RegCure Backup
    RP18: 28/10/2010 9:46:20 AM - Windows Update
    RP19: 28/10/2010 11:50:41 AM - Windows Update
    RP20: 28/10/2010 12:05:36 PM - Installed Microsoft Fix it 50105
    RP21: 29/10/2010 10:01:51 AM - Scheduled Checkpoint
    RP22: 30/10/2010 3:00:26 AM - Windows Update
    RP23: 30/10/2010 6:27:27 PM - Installed RealWorld Icon Editor
    RP24: 30/10/2010 7:25:00 PM - Removed RealWorld Icon Editor
    RP25: 30/10/2010 8:45:00 PM - Windows Update
    RP26: 31/10/2010 8:26:36 AM - BUGGY DESKTOP
    RP27: 31/10/2010 8:29:23 AM - Restore Operation

    ==== Installed Programs ======================

    1-abc.net Duplicate Finder (Remove only)
    1-abc.net Folder-To-TXT (Remove only)
    1-abc.net Powersnake (remove only)
    1-abc.net Synchronizer (Remove only)
    ACE Mega CoDecS Pack
    Acrobat.com
    Ad-Aware
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.0
    Adobe Shockwave Player 11.5
    ADSL Modem Driver Suite Product
    Advanced System Optimizer 2.01
    AI RoboForm (All Users)
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Control Panel
    ATI Display Driver
    ATI HydraVision
    Atomic Clock Sync
    Autosave Your Edit 2.0
    AVG 2011
    Bonjour
    Broadcom Gigabit Integrated Controller
    Brother HL-2040
    CardRd81
    CardRecovery 5.30
    CCleaner
    CCScore
    Clock Tray Skins 4.2
    CR2
    CrossLoop 1.13
    D-Link DSL-200 ADSL Modem
    DateInTray 1.5
    Defraggler
    Device Doctor
    Dracula Files
    DriveImage XML (Private Edition)
    DU Meter
    e-Record 6
    eBay Toolbar
    ESSBrwr
    ESSCDBK
    ESScore
    ESSgui
    ESSini
    ESSPCD
    ESSPDock
    ESSTOOLS
    essvatgt
    Eudora
    Facebook Plug-In
    Fanbase
    FastStone Photo Resizer 2.8
    FileHippo.com Update Checker
    FileNet Desktop eForms
    Flip Words v2.3
    FreeMind
    FreshDiagnose
    Gardenscapes
    GoodSync
    Grocery List Manager 3.0
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Icon Restore 1.0
    Insaniquarium Deluxe
    Intel(R) Graphics Media Accelerator Driver
    iPrimus Broadband
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 21
    Kodak EasyShare software
    Korean Fonts Support For Adobe Reader 9
    Macro Express 3
    Mahjong Escape - Ancient Japan
    MailWasher Pro
    Malwarebytes' Anti-Malware
    MasterPlan 7
    Microsoft .NET Framework 3.5 SP1
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MozBackup 1.4.9
    Mozilla Firefox (3.6.11)
    Mozilla Firefox (3.6.12)
    Mozilla Sunbird (0.9)
    MSXML 4.0 SP2 (KB925672)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Music Manager
    Mystery Solitaire
    Nero - Burning Rom
    netbrdg
    Netscape Navigator (9.0b3)
    OfotoXMI
    OpenOffice.org 3.0
    PC Inspector File Recovery
    Picasa 3
    Plants vs. Zombies
    PowerDVD
    QuickTime
    Record Keeping Evaluation Tool
    Recuva
    RegCure
    Registry Mechanic 9.0
    Safari
    Santa Balls
    Sarbyx TrayClock v1.1
    ScanToWeb
    SCRABBLE
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Serif PhotoPlus 6.0
    SFR
    ShadowCopy
    SHARP AR-M160/M205/5220 Series MFP Driver
    Sharp Button Manager A
    SHASTA
    Shorter Oxford English Dictionary (Sixth Edition)
    SiS 900 PCI Fast Ethernet Adapter Driver
    skin0001
    SKINXSDK
    SoundMAX
    Speccy
    Spelling Dictionaries Support For Adobe Reader 9
    staticcr
    Super Finder XT 1.6.2.1
    Tame version 5.0 (remove only)
    tooltips
    Tumblebugs
    TuneUp Utilities 2008
    TweakMASTER
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VPRINTOL
    WakeMeUp!
    WebFldrs XP
    Windows Genuine Advantage v1.3.0254.0
    WIRELESS

    ==== Event Viewer Messages From Past Week ========

    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-zh-tw-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-zh-hk-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-zh-cn-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-uk-ua-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-tr-tr-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-th-th-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-sv-se-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-sr-latn-cs-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-sl-si-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-sk-sk-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ru-ru-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ro-ro-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-pt-pt-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-pt-br-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ps-ps-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-pl-pl-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-nl-nl-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-Neutral from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-nb-no-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-lv-lv-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-lt-lt-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ko-kr-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ja-jp-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-it-it-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-hu-hu-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-hr-hr-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-he-il-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-fr-fr-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-fi-fi-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-et-ee-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-es-es-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-en-us-LP from package WUClient-SelfUpdate-Aux-Package-en-us-MiniLP(Feature Pack) into Staged(Staged) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-en-us-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-el-gr-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-de-de-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-da-dk-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-cs-cz-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-bg-bg-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ar-sa-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update AuxResourcesLP from package WindowsUpdateClient-SelfUpdate-Aux-Package(Language Pack) into Staged(Staged) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update AuxComp from package WindowsUpdateClient-SelfUpdate-Aux-Package(Update) into Staged(Staged) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update Aux from package WindowsUpdateClient-SelfUpdate-Aux-AuxComp-Package_en-US(Language Pack) into Staged(Staged) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update Aux from package WindowsUpdateClient-SelfUpdate-Aux-AuxComp-Package(Update) into Staged(Staged) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WUClient-SelfUpdate-Aux-Package-en-us-MiniLP (Feature Pack) into Install Requested(Install Requested) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WindowsUpdateClient-SelfUpdate-Aux-Package (Update) into Install Requested(Install Requested) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WindowsUpdateClient-SelfUpdate-Aux-Package (Language Pack) into Install Requested(Install Requested) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WindowsUpdateClient-SelfUpdate-Aux-AuxComp-Package_en-US (Language Pack) into Install Requested(Install Requested) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WindowsUpdateClient-SelfUpdate-Aux-AuxComp-Package (Update) into Install Requested(Install Requested) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package KBWUClient-SelfUpdate-Aux (Feature Pack) into Install Requested(Install Requested) state
    26/10/2010 8:47:41 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.116 for the Network Card with network address 001AA04B0D6E has been denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).
    25/10/2010 10:14:54 AM, Error: Service Control Manager [7024] - The Bonjour Service service terminated with service-specific error 4294901759 (0xFFFEFFFF).
    25/10/2010 10:14:45 AM, Error: Service Control Manager [7000] - The TuneUp Theme Extension service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.

    ==== End Of File ===========================
  7. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    OK That's it. I will await your reply.

    PS Notification in my email is a joke! I currently have 4286 unread messages!
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The system has a page full of these errors:
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-en-us-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
    26/10/2010 8:52:18 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-el-gr-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state

    Do you have any idea what this is referring to?

    I note the you did a Restore today. This changes the logs- restore shouldn't be done while cleaning. If there was/is malware and if it was removed, a restore csn reinfect the system.
    RP26: 31/10/2010 8:26:36 AM - BUGGY DESKTOP
    RP27: 31/10/2010 8:29:23 AM - Restore Operation
  9. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    RP26 BUGGY DESKTOP was created by me when I discovered the desktop with all the icons missing was persisting after restarting. This may be just after the virus was activated. RP27 was me returning to the PREVIOUS restore point (Presumably RP25) to get all my icons back onto my desktop. These two events happened BEFORE I started the "8 step" program - I know better than to do something like that while you are helping me! The logs I have sent were all created AFTER RP27 was done. I will repeat the scans if you want me to do so - please let me know.

    Event ID 4385 appears to pertain to Windows Update Agent 7.4.7600.226 which gives an installation date of 26/10/2010 8:52 AM This is marked as Important and Successful in the view Update History tool but I think it was a windows automatic update - I don't know exactly what I was doing on the computer at the time as my first Firefox Library entry wasn't until 9.03am and that was an automatic link to the AVG "Security Toolbar Installed Successfully" page - presumably because that was the first time I had opened Firefox since James my computer guy re-installed Vista on this machine.

    Can you please address this issue:

    "ON Thursday afternoon I was going through all of the Screensavers in the list in the computer, trying to find something acceptable to replace my beloved old "Starfield" - when I chose the option in between "Matrix Code" and "Mystify" This option was titled "mbt_ss_pc" - as soon as I clicked on it AVG went nuts and my whole computer froze up. I had to use Control/Alt/Del to back out, shut down and restart. Even after running AVG, TFC, and the MalwareBytes program - that option is still showing in my screensaver list - I find it very scary!"

    as this seems to be the cause of my immediate difficulties.
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    A search for mbt_ss_pc on the internet turns up only this thread and the following doesn't give me enough information to go further:
    The file extension for a screen saver is .scr. In actuality, it's the .ext file extension renamed. What is the source of the 2 you mentioned?
  11. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    Look at the list of screen-savers in Vista - Matrix is a screen-saver name and so is Mystify - in between them, in the list of Screensavers on my system, is this entry "mbt_ss_pc" . When I clicked on it my computer went nuts - AVG came up with a virus warning then everything locked up - I had to do a Control/Alt/Del to even get back to the shutdown screen before I could restart.
    Do you want to see a screenshot, or is that enough information?
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I don't have Vista. But consider doing a delete on the "mbt_ss_pc" I couldn't identify this.

    Let's go ahead and do this online virus scan:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    =================================
    You can follow with the download for ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
    ========================================
    Don't try doing the screen saver change until we find what this entry is.
  13. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    After my last post I had a thought or two and I did a bit of hunting around on the computer and found the actual path and filename for the mystery file.

    C:\Windows\System32\mbt_ss_pc.scr

    The properties for this file say it is a "ScreenTime Screensaver Engine" - I looked on Google and this appears to be a legit company & product - maybe the executable is corrupt in some fashion?

    there are also three folders with the same name

    C:\Windows\System32\mbt_ss_pc.dir
    C:\$WINDOWS.~Q\DATA\WINDOWS\System32\mbt_ss_pc.dir
    C:\Users\User_2\AppData\Local\VirtualStore\Windows\System32\mbt_ss_pc.dir

    I'll take your advice as to what to do - I just know it caused a serious system malfunction when I tried to test the screensaver at 1.31 PM Local time on the 23rd of October. Ciao, KK.
  14. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    Here is the ESET log - I had to download a file from ESET to run the scan - apparently it only works online if you are using IE, not Firefox.

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=1571f510fb53ec49a792abda64b5fe81
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-11-03 01:13:44
    # local_time=2010-11-03 11:43:44 (+0930, Cen. Australia Daylight Time)
    # country="Australia"
    # lang=1033
    # osver=6.0.6001 NT Service Pack 1
    # compatibility_mode=512 16777215 100 0 86379 86379 0 0
    # compatibility_mode=768 16777215 100 0 86521 86521 0 0
    # compatibility_mode=1024 16777215 100 0 0 0 0 0
    # compatibility_mode=2560 16777215 100 0 0 0 0 0
    # compatibility_mode=5892 16776574 100 100 252203 126272683 0 0
    # compatibility_mode=8192 67108863 100 0 2231 2231 0 0
    # scanned=259751
    # found=0
    # cleaned=0
    # scan_time=5089
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The Eset log is clean- that's always good. Nice job on the Properties!

    The .dir file extension indicates these are Adobe Director Movie files. Movie or animation project created with Macromedia Director, which was acquired by Adobe in 2005; includes project resources, links to externally referenced files, scripting code, and the timeline, which determines how the movie is played back. Part of the Shockwave Studio.

    Director movies can only be opened with the Director version used to create the file or a newer version. Some Director movies may be opened in Adobe Shockwave Player.

    =================================================
    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
  16. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    Hi Bobbye,
    I have some bad news - I can't get Combofix to complete a scan - I have disabled everything I can think of but all it does is start up a window, say it is preparing to scan and then halt - I left the window up for over 4 hours with no joy, now what?
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    A lot of people are having this problem! The malware writers must be adding something- they don't want Combofix to run because it does/can remove malware.

    Before you do this step:
    [4]. Double click combofix.exe & follow the prompts to run.>
    Do a right click on combofix.exe[/b> rename> change name to kittybob.exe.
    Then run the scan.
  18. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    Finally! It still took two tries even after renaming the exe file. The deletion of Desktop.ini was a bit of a shock, I'm glad it came back after I restarted the computer or you wouldn't be getting this report at all.

    Please let me know in advance this time if you propose to remove any programs as I would prefer not to have a repeat of the RegCure incident,

    Thanks, KK.

    ComboFix 10-11-02.06 - User_2 05/11/2010 8:28.3.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2037.1087 [GMT 10.5:30]
    Running from: c:\users\User_2\Desktop\Kittybob.exe
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .
    /wow section - STAGE 1


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\desktop.ini

    .
    ((((((((((((((((((((((((( Files Created from 2010-10-04 to 2010-11-04 )))))))))))))))))))))))))))))))
    .

    2010-11-04 22:05 . 2010-11-04 22:05 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-10-30 07:57 . 2010-10-30 08:55 -------- d-----w- c:\program files\RealWorld Icon Editor
    2010-10-28 22:26 . 2008-09-03 03:59 468992 ----a-w- c:\windows\system32\newdev.dll
    2010-10-28 22:26 . 2008-09-03 03:58 74752 ----a-w- c:\windows\system32\newdev.exe
    2010-10-28 01:20 . 2007-02-18 21:11 296960 ----a-w- c:\windows\winhlp32.exe
    2010-10-28 01:20 . 2007-02-18 21:11 194560 ----a-w- c:\windows\system32\ftsrch.dll
    2010-10-28 01:20 . 2007-02-18 21:11 9728 ----a-w- c:\windows\system32\ftlx041e.dll
    2010-10-28 01:20 . 2007-02-18 21:11 9216 ----a-w- c:\windows\system32\ftlx0411.dll
    2010-10-27 21:54 . 2010-10-27 22:15 -------- d-----w- c:\program files\RegCure
    2010-10-27 16:31 . 2009-11-08 00:25 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2010-10-27 16:31 . 2009-11-08 00:25 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2010-10-27 16:31 . 2009-11-08 00:25 297808 ----a-w- c:\windows\system32\mscoree.dll
    2010-10-27 16:31 . 2009-11-08 00:25 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2010-10-27 16:31 . 2009-11-08 00:25 1130824 ----a-w- c:\windows\system32\dfshim.dll
    2010-10-27 16:30 . 2010-09-20 09:25 231936 ----a-w- c:\windows\system32\msshsq.dll
    2010-10-27 11:51 . 2010-10-27 11:51 -------- d-----w- c:\program files\SarbyxTrayClock
    2010-10-27 10:44 . 2010-10-27 10:44 -------- d-----w- c:\program files\FSL
    2010-10-27 03:46 . 2010-09-06 16:24 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2010-10-27 03:46 . 2010-09-06 14:13 303616 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-10-27 03:46 . 2010-09-06 14:12 101888 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-10-27 03:46 . 2010-09-06 16:23 17920 ----a-w- c:\windows\system32\netevent.dll
    2010-10-27 03:46 . 2010-09-06 14:12 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
    2010-10-27 03:45 . 2009-08-24 12:16 378368 ----a-w- c:\windows\system32\winhttp.dll
    2010-10-27 03:45 . 2010-08-26 16:01 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-10-27 03:45 . 2010-08-26 14:11 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-10-27 03:45 . 2010-05-27 19:16 738816 ----a-w- c:\windows\system32\inetcomm.dll
    2010-10-26 17:17 . 2010-04-14 17:46 80896 ----a-w- c:\windows\system32\MSNP.ax
    2010-10-26 17:17 . 2010-04-14 17:45 177664 ----a-w- c:\windows\system32\mpg2splt.ax
    2010-10-26 17:17 . 2008-04-23 04:41 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
    2010-10-26 17:17 . 2010-04-14 17:47 293376 ----a-w- c:\windows\system32\psisdecd.dll
    2010-10-26 17:17 . 2010-04-14 17:47 217088 ----a-w- c:\windows\system32\psisrndr.ax
    2010-10-26 17:17 . 2010-04-14 17:46 428544 ----a-w- c:\windows\system32\EncDec.dll
    2010-10-26 17:05 . 2008-04-30 05:36 454656 ----a-w- c:\program files\Common Files\System\msadc\msadce.dll
    2010-10-26 16:49 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
    2010-10-26 16:49 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
    2010-10-26 16:49 . 2008-06-20 01:14 37384 ----a-w- c:\windows\system32\infocardcpl.cpl
    2010-10-26 16:49 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
    2010-10-26 16:49 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
    2010-10-26 16:49 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
    2010-10-26 16:40 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
    2010-10-26 16:40 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
    2010-10-26 16:35 . 2010-02-20 23:39 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-10-26 16:35 . 2010-02-20 21:18 411136 ----a-w- c:\windows\system32\drivers\http.sys
    2010-10-26 16:35 . 2010-02-20 23:37 31232 ----a-w- c:\windows\system32\httpapi.dll
    2010-10-26 02:18 . 2010-10-26 02:18 -------- d--h--w- c:\programdata\Common Files
    2010-10-26 02:17 . 2010-10-26 02:17 -------- d-----w- c:\programdata\AVG Security Toolbar
    2010-10-26 02:15 . 2010-10-26 02:18 -------- d-----w- c:\programdata\AVG10
    2010-10-25 23:10 . 2008-06-26 01:45 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
    2010-10-25 23:10 . 2008-06-26 01:45 2644480 ----a-w- c:\windows\system32\NlsLexicons0009.dll
    2010-10-25 23:10 . 2008-06-26 03:29 801280 ----a-w- c:\windows\system32\NaturalLanguage6.dll
    2010-10-25 22:55 . 2009-07-11 19:32 513024 ----a-w- c:\windows\system32\wlansvc.dll
    2010-10-25 22:54 . 2010-03-04 18:54 430080 ----a-w- c:\windows\system32\vbscript.dll
    2010-10-25 22:53 . 2009-04-23 12:42 636928 ----a-w- c:\windows\system32\localspl.dll
    2010-10-25 22:52 . 2010-08-20 15:21 866816 ----a-w- c:\windows\system32\wmpmde.dll
    2010-10-25 22:51 . 2009-07-14 13:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
    2010-10-25 22:51 . 2009-07-14 08:30 43520 ----a-w- c:\windows\system32\msdxm.tlb
    2010-10-25 22:51 . 2009-07-14 08:30 18432 ----a-w- c:\windows\system32\amcompat.tlb
    2010-10-25 22:51 . 2010-01-25 12:48 472576 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-10-25 22:51 . 2010-01-25 12:48 472064 ----a-w- c:\windows\system32\secproc.dll
    2010-10-25 22:51 . 2010-01-25 08:35 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-10-25 22:51 . 2010-01-25 08:35 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-10-25 22:51 . 2010-01-25 08:34 511488 ----a-w- c:\windows\system32\RMActivate.exe
    2010-10-25 22:51 . 2010-01-25 08:34 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-10-25 22:51 . 2010-01-25 12:48 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-10-25 22:51 . 2010-01-25 12:48 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-10-25 22:51 . 2010-01-25 12:45 329216 ----a-w- c:\windows\system32\msdrm.dll
    2010-10-25 22:51 . 2008-03-08 04:21 1695744 ----a-w- c:\windows\system32\gameux.dll
    2010-10-25 22:49 . 2009-12-28 12:35 11776 ----a-w- c:\windows\system32\tsbyuv.dll
    2010-10-25 22:37 . 2010-10-17 23:11 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8775AD05-0A51-44B3-A9AD-B063B080A53A}\mpengine.dll
    2010-10-25 22:37 . 2010-10-19 01:11 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-25 22:28 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
    2010-10-25 22:27 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll
    2010-10-25 22:21 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
    2010-10-25 22:21 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
    2010-10-25 22:21 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
    2010-10-25 22:21 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
    2010-10-25 22:21 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
    2010-10-25 22:21 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
    2010-10-25 22:21 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
    2010-10-25 00:22 . 2009-08-06 08:53 171608 ----a-w- c:\windows\system32\wuwebv.dll
    2010-10-25 00:22 . 2009-08-06 08:14 33792 ----a-w- c:\windows\system32\wuapp.exe
    2010-10-24 01:24 . 2010-10-24 01:24 -------- d-----w- C:\$WINDOWS.~Q
    2010-10-24 01:19 . 2010-10-23 07:39 -------- d-----w- C:\$INPLACE.~TR
    2010-10-23 07:35 . 2010-10-27 07:47 -------- d-----w- c:\windows\Debug
    2010-10-23 07:12 . 2010-10-30 22:11 -------- d-----w- c:\users\User_2
    2010-10-23 07:12 . 2010-10-30 22:11 -------- d-----w- c:\users\Administrator
    2010-10-23 06:45 . 2010-10-30 11:11 -------- d-----w- C:\Boot
    2010-10-22 05:14 . 2010-10-23 07:19 -------- d-----w- c:\program files\Stardock
    2010-10-21 00:21 . 2010-09-07 13:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-10-21 00:21 . 2010-09-07 13:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-10-21 00:21 . 2010-09-07 13:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-10-21 00:20 . 2010-10-26 01:55 -------- d-----w- c:\programdata\Alwil Software
    2010-10-21 00:20 . 2010-10-23 07:17 -------- d-----w- c:\program files\Alwil Software
    2010-10-20 02:59 . 2010-10-26 02:03 -------- d-----w- c:\programdata\MFAData
    2010-10-19 08:03 . 2010-10-23 07:20 -------- d-----w- c:\windows\system32\Lang
    2010-10-19 08:03 . 2008-05-29 08:30 920088 ----a-w- c:\windows\system32\igxpun.exe
    2010-10-19 08:03 . 2006-11-10 05:55 319456 ----a-w- c:\windows\system32\difxapi.dll
    2010-10-19 08:03 . 2010-10-19 08:03 -------- d-----w- C:\Intel
    2010-10-18 06:54 . 2010-10-23 07:17 -------- d-----w- c:\program files\Device Doctor
    2010-10-18 06:49 . 2010-10-23 07:17 -------- d-----w- c:\program files\Broadcom
    2010-10-18 06:48 . 2010-10-18 06:48 -------- d-----w- C:\dell

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-13 05:57 . 2010-09-13 05:57 25680 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
    2010-09-06 17:19 . 2010-09-06 17:19 298448 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-09-06 17:18 . 2010-09-06 17:18 34384 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-09-06 17:18 . 2010-09-06 17:18 249424 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-09-06 17:18 . 2010-09-06 17:18 26064 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    2010-08-26 16:01 . 2010-10-27 03:45 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
    2010-08-26 16:01 . 2010-10-27 03:45 459776 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2010-08-26 16:01 . 2010-10-27 03:45 541696 ----a-w- c:\windows\apppatch\AcLayers.dll
    2010-08-26 16:01 . 2010-10-27 03:45 2153984 ----a-w- c:\windows\apppatch\AcGenral.dll
    2010-08-26 12:52 . 2009-04-15 09:13 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-19 11:12 . 2010-08-19 11:12 27216 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
    2010-08-19 11:12 . 2010-08-19 11:12 123472 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
    2010-08-19 11:12 . 2010-08-19 11:12 30288 ----a-w- c:\windows\system32\drivers\AVGIDSFilter.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2010-10-06 2475336]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2010-10-06 01:01 2475336 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2010-10-06 2475336]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2010-10-06 2475336]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "autosaver.exe"="c:\program files\Autosave\Autosave.exe" [2003-10-19 811520]
    "DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2009-09-04 2749984]
    "SarbyxTrayClock"="c:\program files\SarbyxTrayClock\trayclock.exe" [2006-10-19 60928]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-30 160328]
    "WMUTray.exe"="c:\program files\WakeMeUp\WMUTray.exe" [2007-02-15 734208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-29 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-29 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-29 141848]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-22 35760]
    "eBayToolbar"="c:\program files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2009-01-16 632048]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
    "NeroCheck"="c:\windows\System32\\NeroCheck.exe" [2001-07-09 155648]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-15 417792]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "TweakMASTER"="c:\program files\TweakMASTER\TMTray.exe" [2009-09-04 322096]
    "AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2010-09-14 2745696]
    "WMUAgent.exe"="c:\program files\WakeMeUp\WMUAgent.exe" [2007-02-15 592384]
    "Atomic.exe"="c:\program files\Atomic Clock Sync\Atomic.exe" [2004-06-17 524288]

    c:\users\User_2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    DateInTray.lnk - c:\program files\DateInTray\DateInTray.exe [2007-9-21 78848]
    OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]
    Super Finder XT.lnk - c:\program files\FSL\SuperFinder\SuperFinder.exe [2010-10-27 2081792]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Button Manager A.lnk - c:\program files\Sharp\Button Manager A\btnman.exe [2009-1-20 106496]
    Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^User_2^Start Menu^Programs^Startup^Fanbase.lnk]
    backup=c:\windows\pss\Fanbase.lnkStartup
    backupExtension=Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
    2010-03-04 07:01 524632 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AME_CSA]
    2002-04-30 15:50 720896 ----a-w- c:\windows\System32\AmeCSA.cpl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
    2005-08-25 08:47 65536 ----a-w- c:\program files\D-Link\DSL-200\dslagent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE]
    2005-12-12 08:21 344064 ----a-w- c:\program files\D-Link\DSL-200\dslstat.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkinClock]
    2008-09-30 07:17 1338368 ----a-w- c:\program files\Clock Tray Skins\ClockTraySkins.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Ati HotKey Poller"=2 (0x2)
    "ATI Smart"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [2010-10-06 517448]
    R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-03-04 1029456]
    S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2010-09-13 25680]
    S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2010-09-06 26064]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-06-18 64160]
    S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2010-09-06 249424]
    S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2010-09-06 298448]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2010-10-11 6104656]
    S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2010-09-09 265400]
    S2 DUMeterSvc;DU Meter Service;c:\program files\DU Meter\DUMeterSvc.exe [2009-09-04 1391136]
    S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2010-04-07 632792]
    S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2010-08-19 123472]
    S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2010-08-19 30288]
    S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2010-08-19 27216]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]


    --- Other Services/Drivers In Memory ---

    *Deregistered* - aswFsBlk
    *Deregistered* - aswRdr
    *Deregistered* - aswSP
    *Deregistered* - aswTdi

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    rsmsvcs REG_MULTI_SZ ntmssvc
    dot3svc REG_MULTI_SZ dot3svc
    eapsvcs REG_MULTI_SZ eaphost
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-03 c:\windows\Tasks\RegCure Program Check.job
    - c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uDefault_Search_URL = hxxp://www.google.com/ie
    uStart Page = about:blank
    uInternet Settings,ProxyOverride = *.IPrimus.com.au;192.168.1.254;10.*;172.16.*;172.17.*;172.18.*;172.19.*;172.20.*;172.21.*;172.22.*;172.23.*;172.24.*;172.25.*;172.26.*;172.27.*;172.28.*;172.29.*;172.30.*;172.31.*;192.168.*;<local>
    uInternet Settings,ProxyServer = http=proxy.iprimus.com.au:8080;https=proxy.iprimus.com.au:8080;ftp=proxy.iprimus.com.au:8080
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to &LinkFox - c:\progra~1\TWEAKM~1\TweakBHO.dll/IESCRIPT
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    TCP: {2A38118D-A1F2-4939-98FB-E866EDFE0BD5} = 203.134.64.66,203.134.65.66
    TCP: {B9A7FD29-B4B4-4092-B3E5-6F847B25DC57} = 208.67.220.220,208.67.222.222
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\users\User_2\AppData\Roaming\Mozilla\Firefox\Profiles\3e4h8dlg.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
    FF - prefs.js: browser.startup.homepage - hxxp://davesgarden.com/tools/journal/viewbycat.php?catsort=name1&cat=50491|http://davesgarden.com/guides/pf/ad...ntry.php?rid=150918|http://www.google.com.au/
    FF - prefs.js: keyword.URL - hxxp://au.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_au&p=
    FF - component: c:\program files\AVG\AVG10\Firefox\components\avgssff.dll
    FF - component: c:\program files\AVG\AVG10\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\AVG\AVG10\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\AVG\AVG10\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\AVG\AVG10\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
    FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
    FF - component: c:\users\User_2\AppData\Roaming\Mozilla\Firefox\Profiles\3e4h8dlg.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    FF - component: c:\users\User_2\AppData\Roaming\Mozilla\Firefox\Profiles\3e4h8dlg.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npigl.dll
    FF - plugin: c:\users\User_2\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-05 08:35
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DUMeterSvc]
    "ImagePath"="c:\program files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-842925246-1614895754-682003330-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:02,db,81,be,66,b2,23,bc,f4,94,2b,68,6c,88,02,32,0d,70,b2,07,cf,e4,81,
    25,0e,0d,1b,b3,da,b5,86,c7,ab,ba,31,40,a4,b9,ca,b3,1f,4c,f8,20,66,6b,ef,f2,\
    "??"=hex:bf,08,2f,aa,97,27,21,24,77,d4,6e,7d,ec,3e,1a,fb

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\clsid\{3da165b6-cc41-11d2-bdc6-00c04f79ec6b}\ProgID]
    @Denied: (A) (Everyone)
    @="{DC4A4125-CD94-45D2-9609-2ABDA61834FD}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\clsid\{3da165b6-cc41-11d2-bdc6-00c04f79ec6b}\Version]
    @Denied: (A) (Everyone)
    @="{DC4A4125-CD94-45D2-9609-2ABDA61834FD}"
    .
    Completion time: 2010-11-05 08:39:48
    ComboFix-quarantined-files.txt 2010-11-04 22:09
    ComboFix2.txt 2010-07-04 10:00
    ComboFix3.txt 2010-07-01 03:28

    Pre-Run: 64,079,253,504 bytes free
    Post-Run: 64,031,002,624 bytes free

    - - End Of File - - FF2DFD46992C4D3A0445F77FBC44F242
  19. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    PS: I followed the "turning off AVG" instructions as given by AVG, before running ComboFix but it still gave me a warning while ComboFix was running. I told it to leave ComboFix alone and that seems to have worked OK but there may be some AVG related entries in the log because of that.
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please run this Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    
    DirLook::
    C:\$WINDOWS.~Q
    C:\$INPLACE.~TR
    
    RegNull::
    [HKEY_USERS\S-1-5-21-842925246-1614895754-682003330-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    
    RegLock::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\clsid\{3da165b6-cc41-11d2-bdc6-00c04f79ec6b}\Version]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\clsid\{3da165b6-cc41-11d2-bdc6-00c04f79ec6b}\ProgID]
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
  21. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    I can't get that script to run, darn it!

    Combofix starts, does the registry backup, and then just halts with the command window in inactive mode. Clicking on the taskbar to reactivate the window just results in a blinking yellow underscore and no further activity. Should I rename ComboFix again?
  22. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    I can't get that script to run, darn it!

    Combofix starts, does the registry backup, and then just halts with the command window in inactive mode. Clicking on the taskbar to reactivate the window just results in a blinking yellow underscore and no further activity. Should I rename ComboFix again?
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I think you are using an unfamiliar operating system and don't have basic knowledge of how it is different from the previous OS. In this forum, which is so busy all of the time, we mainly try to identity malware entreis that are causing problems, then removing them-if possible.If you want help with customizing how the system looks like the desktop, icons, folder, etc. You wou;d have a better chance to get help in the Windows OS forum where those members have the time tot ry and walk you through.

    To be honest, cosmetic changes you might want to make on the system are not high priority in this forum. The most basic books I always recommend are the "Dummies For (the operating system) in your case 'Vista'." I don't use any technical manuals- I can't understand most of their language and have been referring to the "Dummies" series for all my reference books. It would make you more comfortable understand these processes and what you can do to make changes.

    The files you were choosing for a screen saver wasn't a screensaver. It just sounds like the files was in the wrong directory.

    You've already run Combofix- it should be on the desktop. It shouldn't be any trouble to just update it, follow the instructions to run the script, then leave the log.
  24. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    Hi Bobbye, I got slammed with a big on-line cross referencing job, so I haven't been able to turn everything off and try the script again yet - I'll try again tomorrow morning.

    Just to confirm, before I run Combofix, I am closing all browser windows, then disabling Windows Firewall, AVG 2011 Anti Virus and Spyware, Windows Update has been off since we started this process, and User Account Control is off. The only file I have open during my attempts to run Combofix is the Notepad file I am reading the instructions from.

    If you can see anything else I should be doing to get combofix to run please let me know. I'll be checking in again in about 6 hours, just before I make another attempt to run combofix.

    Never mind about the customisation etc - I'll check in on the other forums you have suggested I try - I just didn't realise that is where I should go to do that.

    Ciao, KK.
  25. Kaelkitty

    Kaelkitty Newcomer, in training Topic Starter Posts: 59

    ComboFix is still not scanning. I'm going over to BleepingComputer to see if they can help.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.