TechSpot

[Not curable - Ramnit] Followed 8 Steps - VBS/Generic;Win32/Heur;Win32/Zbot.E

By willdud
Oct 12, 2010
  1. Hi,

    AVG first reported a Win32/Heur and VBS/Generic virus on my laptop yesterday (some 2563 files and 74 more today).

    I have since been following the 8-step guide; here are the logs (except GMER, which caused a BSOD twice).


    "Scan ""Scan whole computer"" completed."
    "Infections";"74";"74";"0"
    "Folders selected for scanning:";"Scan whole computer"
    "Scan started:";"12 October 2010, 19:20:12"
    "Scan finished:";"12 October 2010, 20:40:56 (1 hour(s) 20 minute(s) 43 second(s))"
    "Total object scanned:";"265686"
    "User who launched the scan:";"Zoe"

    "Infections"
    "File";"Infection";"Result"
    "C:\TOOLSCD\Sound Driver\WDM\RTLCPL.EXE";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\TOOLSCD\Display Driver\Intel\Win2000\igfxress.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\TOOLSCD\Display Driver\Intel\Win2000\ialmgicd.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\TOOLSCD\Config Free\Package\NDSFiles\NDSParts.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\SUPPORT\TOOLS\MSRDPCLI.EXE";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\SUPPORT\TOOLS\FASTWIZ.EXE";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\WirelessFTP.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\TosBtProc.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Textease\Textease.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Textease\ltkrn10N.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Textease\directx8a\dsetup32.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Sonic\RecordNow!\RecordNow.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Sonic\RecordNow!\gdiplus.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\SMART Technologies Inc\Notebook Software\pdflib.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Real\RealPlayer\rpplugins\rjbdll.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Nikon\PictureProject\NkRotateLib3.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Nikon\PictureProject\NkbTransfer.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Nikon\PictureProject\NkbPProj.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Nikon\PictureProject\NkbNEF.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Nikon\PictureProject\NEFLibrary3.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Nikon\PictureProject\Asteroid6.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Mozilla Firefox\freebl3.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Microsoft Works\wkwpac.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Microsoft Works\wksss.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Microsoft Works\wksdb.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Messenger\msmsgs.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\MagicISO\misosh.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Java\jre6\bin\client\jvm.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\InterVideo\WinDVD\GPIProxy.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\InterVideo\Common\Bin\GPIProxy.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\HP\Temp\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\msxml3.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\HP\Temp\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzscr01.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\HP\Temp\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzrcv01.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\HP\Temp\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzmsi01.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\HP\Digital Imaging\extcapuninstall\hpzscr01.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\HP\Digital Imaging\extcapuninstall\hpzmsi01.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\HP\Digital Imaging\esupport\hpzscr01.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\HP\Digital Imaging\esupport\hpzmsi01.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\HP\Digital Imaging\devicemanagement\hpzscr01.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\HP\Digital Imaging\devicemanagement\hpzmsi01.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\HP\Digital Imaging\bin\hpqvwr08.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\HP\Digital Imaging\bin\hpqtbp01.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\xmlparse.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzshl01.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzscr01.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzmsi01.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzdui01.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Google\Google Earth\plugin\ie\5.2.1.1588\plugin_ax.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Google\Google Earth\plugin\googleearth_free.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Common Files\SMART Technologies Inc\SMART Product Update\QtGui4.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Common Files\SMART Technologies Inc\SMART Product Update\QtCore4.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Common Files\SMART Technologies Inc\SMART Product Update\pdflib.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Common Files\SMART Technologies Inc\pdflib.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Common Files\Nikon\Services\NkvBurnIM.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Common Files\Nikon\Services\muveePlugin.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Common Files\Nikon\Library\NkBrowseLib4.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Common Files\Microsoft Shared\Visual Database Tools\vdt70.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6.DLL";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Common Files\Microsoft Shared\PROOF\1033\MSGR3EN.DLL";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_01.b08\patchjre.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Common Files\DivX Shared\Qt4.5\QtCore4.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Common Files\Activ Software\qt-mt334.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Adobe\Reader 8.0\Reader\rt3d.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Activ Software\Inspire\Inspire.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Activ Software\Inspire\hwr\engine\bin\win-i586\MyScriptHWR.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\I386\WINNT32U.DLL";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\I386\WINNT32A.DLL";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Documents and Settings\Zoe\My Documents\Zoe's Work\Uni Work\Year 4\School Exp 4\School Exp Resources\Resources\Textease\Textease.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Documents and Settings\Zoe\My Documents\Zoe's Work\Uni Work\Year 4\School Exp 4\School Exp Resources\Resources\Textease\ltkrn10N.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Documents and Settings\Zoe\Desktop\Lower Fields\Resources\Textease\Textease.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Documents and Settings\Zoe\Desktop\Lower Fields\Resources\Textease\ltkrn10N.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Documents and Settings\Zoe\Application Data\U3\temp\Launchpad Removal.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    12/10/2010 21:40:29
    mbam-log-2010-10-12 (21-40-29).txt

    Scan type: Quick scan
    Objects scanned: 117206
    Time elapsed: 8 minute(s), 55 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 3
    Registry Data Items Infected: 0
    Folders Infected: 2
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gaopdxserv.sys (Trojan.Agent) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nonep (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\realteks (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rlist (Malware.Trace) -> No action taken.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\All Users\Application Data\00539421 (Rogue.Multiple) -> No action taken.
    C:\Program Files\system32 (Backdoor.Bifrose) -> No action taken.

    Files Infected:
    C:\Documents and Settings\Zoe\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> No action taken.
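
The AVG export above is semicolon-separated with quoted fields, which makes it easy to aggregate rather than read row by row. The script below is an added example written for this page, not AVG's own tooling and not something the poster ran. It takes a short excerpt of the rows above (the header count of 74 is kept exactly as the scanner reported it, so the excerpt is deliberately incomplete and the script notices that), groups detections by family name, file extension and product directory, and flags the pattern visible in this log: one family name on dozens of unrelated vendor binaries, both .exe and .dll, which is how a file infector looks in a scan log, as opposed to a single dropped trojan. The prefixes "Trojan horse" and "Virus found" and the threshold of five distinct directories are assumptions of mine, not taken from the page.

```python
import csv
import io
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed excerpt in the export format AVG 9 writes (one record per
# line, fields quoted and separated by ';', literal quotes doubled). The
# rows are a handful of those from the post above; the header count (74)
# is kept as the scanner reported it, so the excerpt is deliberately short.
AVG_LOG = r'''"Scan ""Scan whole computer"" completed."
"Infections";"74";"74";"0"
"Scan started:";"12 October 2010, 19:20:12"
"Infections"
"File";"Infection";"Result"
"C:\TOOLSCD\Sound Driver\WDM\RTLCPL.EXE";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
"C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\WirelessFTP.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
"C:\Program Files\Mozilla Firefox\freebl3.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
"C:\Program Files\Java\jre6\bin\client\jvm.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
"C:\Program Files\Messenger\msmsgs.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
"C:\I386\WINNT32U.DLL";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
"C:\Documents and Settings\Zoe\Application Data\U3\temp\Launchpad Removal.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
'''

# Prefixes AVG puts in front of the family name. Only "Virus identified"
# occurs in the post; the other two are an assumption about the format.
_PREFIX = re.compile(r"^(?:Virus identified|Trojan horse|Virus found)\s+")


def parse_avg_log(text):
    """Return (meta, detections) from an AVG export.

    meta holds the scanner's own infection count from the summary block;
    detections is a list of dicts with path / detection / result, taken
    from the rows that follow the 'File;Infection;Result' header.
    """
    meta = {"reported_infections": None}
    detections = []
    in_table = False
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if not row:
            continue
        if row[0] == "Infections" and len(row) == 4:
            meta["reported_infections"] = int(row[1])
        elif row == ["File", "Infection", "Result"]:
            in_table = True
        elif in_table and len(row) == 3:
            path, infection, result = row
            detections.append({
                "path": path,
                "detection": _PREFIX.sub("", infection),
                "result": result,
            })
    return meta, detections


def _vendor_dir(path):
    """First two directory components below the drive, e.g.
    'Program Files\\TOSHIBA' or 'I386': a coarse 'which product' key."""
    dirs = PureWindowsPath(path).parts[1:-1]
    return "\\".join(dirs[:2])


def summarize(meta, detections, min_dirs=5):
    """Aggregate detections and flag the file-infector pattern: one family
    name spread across many unrelated product directories and over both
    .exe and .dll files, which a single dropped trojan does not produce.
    min_dirs is an assumed threshold, not a vendor figure."""
    by_detection = Counter(d["detection"] for d in detections)
    by_ext = Counter(PureWindowsPath(d["path"]).suffix.lower() for d in detections)
    by_dir = Counter(_vendor_dir(d["path"]) for d in detections)
    suspected = bool(
        by_detection
        and len(by_dir) >= min_dirs
        and by_ext[".exe"] > 0
        and by_ext[".dll"] > 0
    )
    return {
        "by_detection": by_detection,
        "by_ext": by_ext,
        "by_dir": by_dir,
        "distinct_dirs": len(by_dir),
        # False means the pasted log is incomplete relative to the
        # scanner's own count, so any breadth figure is only a floor.
        "rows_match_header": meta["reported_infections"] == len(detections),
        "file_infector_suspected": suspected,
    }


if __name__ == "__main__":
    meta, dets = parse_avg_log(AVG_LOG)
    s = summarize(meta, dets)
    print(f"{len(dets)} rows (scanner reported {meta['reported_infections']})")
    for name, n in s["by_detection"].most_common():
        print(f"  {name}: {n}")
    print("directories hit:", s["distinct_dirs"], "| by extension:", dict(s["by_ext"]))
    print("file-infector pattern:", s["file_infector_suspected"])
```

Run against the full 74-row export the same way; the point of `rows_match_header` is to catch a truncated paste before drawing conclusions from it, and the directory count is what separates "a few dropped files" from "every third-party binary on the disk".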

2. willdud (TS Rookie, Topic Starter)

    More logs

    DDS (Ver_10-10-10.03) - NTFSx86
    Run by Zoe at 22:07:07.54 on 12/10/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1270.730 [GMT 1:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\savedump.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
    C:\WINDOWS\system32\TCtrlIOHook.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\Activ Software\ActivDriver\ActivControl2.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I091.EXE
    C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\Activ Software\ActivDriver\activmgr.exe
    C:\Documents and Settings\Zoe\Desktop\dds.scr
    C:\WINDOWS\system32\wuauclt.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\microsoft\desktoplayer.exe,
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: CIEDownload Object: {67bcf957-85fc-4036-8dc4-d4d80e00a77b} - c:\program files\smart technologies inc\notebook software\NotebookPlugin.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [EPSON Stylus C48 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I091.EXE /P23 "EPSON Stylus C48 Series" /M "Stylus C48" /EF "HKCU"
    uRun: [{BD972598-1D92-82F2-BA8A-971A5279E659}] "c:\documents and settings\zoe\application data\bimo\xaup.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
    mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe
    mRun: [TOSHIBA Accessibility] c:\program files\toshiba\accessibility\FnKeyHook.exe
    mRun: [HWSetup] c:\program files\toshiba\toshiba applet\HWSetup.exe hwSetUP
    mRun: [SVPWUTIL] c:\program files\toshiba\windows utilities\SVPWUTIL.exe SVPwUTIL
    mRun: [TCtryIOHook] TCtrlIOHook.exe
    mRun: [TPSMain] TPSMain.exe
    mRun: [NDSTray.exe] NDSTray.exe
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [EPSON Stylus C48 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I091.EXE /P23 "EPSON Stylus C48 Series" /O6 "USB001" /M "Stylus C48"
    mRun: [adiras] adiras.exe
    mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [ActivControl] c:\program files\activ software\activdriver\ActivControl2.exe
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
    DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} -
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxsrvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\zoe\applic~1\mozilla\firefox\profiles\4lyals0n.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - plugin: c:\documents and settings\zoe\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-5 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-1-2 29584]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-5 243024]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-17 308136]
    R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
    R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [2010-5-26 74752]
    R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [2010-5-26 6144]
    S3 SMART Web Server;SMART Web Server;c:\program files\smart technologies inc\smart board software\WebServer.exe [2007-11-2 767240]
    S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-7 136176]

    =============== Created Last 30 ================

    2010-10-12 17:28:07 -------- d-----w- c:\program files\system
    2010-10-11 16:59:46 -------- d-----w- c:\program files\windows
    2010-10-11 06:32:40 -------- d-----w- c:\program files\tmp
    2010-10-09 21:32:25 14808 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
    2010-10-09 21:32:23 718296 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
    2010-10-07 17:34:54 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2010-10-07 17:34:53 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2010-10-03 16:42:43 -------- d--h--w- c:\windows\PIF
    2010-09-23 19:16:43 1409 ----a-w- c:\windows\QTFont.for

    ==================== Find3M ====================

    2010-07-17 08:56:31 12536 ----a-w- c:\windows\system32\avgrsstx.dll

    ============= FINISH: 22:09:44.79 ===============
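
The Pseudo HJT section above carries the two lines that matter most for triage: a Winlogon Userinit value that launches a second executable after userinit.exe (appending DesktopLayer.exe under Program Files\Microsoft to Userinit is Ramnit's documented persistence, which fits the thread title), and a GUID-named Run value pointing to an executable in a short random folder under Application Data (the Zbot/Zeus autostart pattern, which fits the AVG detections). The script below is an added example written for this page, not part of DDS and not anything from the thread. It runs those two checks, plus lower-confidence ones (unqualified Run commands, orphaned "No File" BHO/toolbar entries, and new directories under Program Files with OS-like names, the last one echoing the Program Files\system32 folder MBAM flagged), over a constructed excerpt of the report. The severity levels, the list of profile directories and the set of OS-like directory names are my assumptions.

```python
import re
from collections import namedtuple

# Constructed excerpt of the DDS "Pseudo HJT Report" and "Created Last 30"
# sections from the post above (lower-cased paths as DDS prints them);
# the Toshiba/AVG entries are kept so the checks have benign lines to
# leave alone.
DDS_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\microsoft\desktoplayer.exe,
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{BD972598-1D92-82F2-BA8A-971A5279E659}] "c:\documents and settings\zoe\application data\bimo\xaup.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [adiras] adiras.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
2010-10-12 17:28:07 -------- d-----w- c:\program files\system
2010-10-11 16:59:46 -------- d-----w- c:\program files\windows
2010-10-09 21:32:25 14808 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
"""

Finding = namedtuple("Finding", "severity check detail")

# Userinit on XP should be exactly this one entry (plus a trailing comma).
USERINIT_OK = r"c:\windows\system32\userinit.exe"
USERINIT_RE = re.compile(r"^mWinlogon: Userinit=(.*)$", re.I)
RUN_RE = re.compile(r"^[umd]Run: \[(.+?)\] (.*)$")
EXE_RE = re.compile(r'([a-z]:\\[^"]*?\.exe)', re.I)          # first drive-qualified .exe in the command
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")   # assumed list
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+ (\S+) (.+)$")
OSLIKE_DIR_RE = re.compile(r"^c:\\program files\\(?:system32|system|windows|tmp|temp)$", re.I)  # assumed set


def triage(text):
    """Return a list of Finding over a DDS pseudo-HJT / Created-Last-30 dump."""
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue

        m = USERINIT_RE.match(line)
        if m:
            entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
            extras = [e for e in entries if e.lower() != USERINIT_OK]
            if extras:
                findings.append(Finding("high", "userinit-chain",
                    "Userinit launches extra executable(s): " + ", ".join(extras)))
            continue

        m = RUN_RE.match(line)
        if m:
            name, cmd = m.groups()
            exe = EXE_RE.search(cmd)
            if not exe:
                # Bare file name resolved through the search path; legit on
                # OEM builds, but it is where a planted binary would hide.
                findings.append(Finding("low", "run-unqualified",
                    f"Run value '{name}' uses an unqualified command: {cmd}"))
                continue
            path = exe.group(1).lower()
            guid_name = bool(GUID_RE.match(name))
            in_profile = any(p in path for p in PROFILE_DIRS)
            if guid_name and in_profile:
                findings.append(Finding("high", "run-guid-profile",
                    f"GUID-named Run value '{name}' starts {path} from the user profile"))
            elif guid_name or in_profile:
                findings.append(Finding("medium", "run-suspicious",
                    f"Run value '{name}' -> {path}"))
            continue

        if line.startswith(("BHO:", "TB:")) and line.endswith("- No File"):
            findings.append(Finding("low", "orphaned-bho", line))
            continue

        m = CREATED_RE.match(line)
        if m:
            attrs, path = m.groups()
            if attrs.startswith("d") and OSLIKE_DIR_RE.match(path):
                findings.append(Finding("medium", "progfiles-oslike-dir",
                    f"new directory with an OS-like name under Program Files: {path}"))
    return findings


if __name__ == "__main__":
    for f in sorted(triage(DDS_LOG), key=lambda f: ("high", "medium", "low").index(f.severity)):
        print(f"[{f.severity:6}] {f.check:22} {f.detail}")
```

The Userinit check is the one to act on first: while that value stands, every interactive logon restarts the chained binary, which is why removal attempts that only vault infected files keep reappearing in the next scan.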

3. willdud (TS Rookie, Topic Starter)

    DDS (Ver_10-10-10.03)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 01/05/2006 15:56:28
    System Uptime: 10/12/2010 22:04:51 (-1416 hours ago)

    Motherboard: TOSHIBA | | ECU00
    Processor: Intel(R) Pentium(R) M processor 1.73GHz | U1 | 1728/mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 37 GiB total, 10.197 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97B-E325-11CE-BFC1-08002BE10318}
    Description: AUY876WB IDE Controller
    Device ID: ACPI\PNPA000\4&5D18F2DF&0
    Manufacturer: (Standard mass storage controllers)
    Name: AUY876WB IDE Controller
    PNP Device ID: ACPI\PNPA000\4&5D18F2DF&0
    Service: axn3ikuj

    ==== System Restore Points ===================

    RP488: 12/10/2010 19:28:51 - Removed Creative Memories StoryBook Creator Plus 3

    ==== Installed Programs ======================

    µTorrent
    ActivDriver x86 v5.5
    ActivInspire Help (GBR) v1
    ActivInspire HWR Resources (ENU) v1
    ActivInspire v1
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.3
    Adobe Shockwave Player 11.5
    AiO_Scan_CDA
    AiOSoftwareNPI
    ALPS Touch Pad Driver
    ArcSoft Panorama Maker 3
    AVG Free 9.0
    Bluetooth Stack for Windows by Toshiba
    Broadband Help
    BroadJump Client Foundation
    BufferChm
    CD/DVD Drive Acoustic Silencer
    Critical Update for Windows Media Player 11 (KB959772)
    CustomerResearchQFolder
    Destinations
    DeviceManagementQFolder
    DivX Setup
    Driving Test Success - All Tests (2008-2009)
    EPSON Printer Software
    eSupportQFolder
    F300
    F300_Help
    Fax_CDA
    Google Chrome
    Google Earth Plug-in
    Google Update Helper
    Horrible Science
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Customer Participation Program 7.0
    HP Imaging Device Functions 7.0
    HP Photosmart Essential
    HP Photosmart, Officejet and Deskjet 7.0.A
    HP Solution Center 7.0
    HPPhotoSmartExpress
    HPProductAssistant
    InstantShareDevicesMFC
    Intel(R) Graphics Media Accelerator Driver for Mobile
    InterVideo WinDVD for TOSHIBA
    J2SE Runtime Environment 5.0 Update 1
    Java Auto Updater
    Java(TM) 6 Update 18
    Macromedia Flash Player
    Malwarebytes' Anti-Malware
    MarketResearch
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office OneNote 2003
    Microsoft Office Word Viewer 2003
    Microsoft Office XP Media Content
    Microsoft Office XP Professional with FrontPage
    Microsoft Text-to-Speech Engine 4.0 (English)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Mozilla Firefox (3.6.10)
    MSN
    MSVCRT
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    NewCopy_CDA
    Nikon Message Center
    OOBE06_Exp2
    Pictogram
    PictureProject
    PictureProject In Touch Downloader 1.0
    ProductContextNPI
    QuickTime
    Readme
    RealPlayer
    Realtek AC'97 Audio
    SAGEM F@st 800-840
    Scan
    ScannerCopy
    SD Secure Module
    Secure Game Player
    Security Update for CAPICOM (KB931906)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
     
  4. willdud

    willdud TS Rookie Topic Starter

    DDS Attach Cont...


    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Segoe UI
    SMART Board Software
    SMART Essentials for Educators
    SMSC IrCC V5.1.3600.5 SP2
    Softease
    SolutionCenter
    Sonic DLA
    Sonic RecordNow!
    Spotify
    Status
    Texas Instruments PCIxx21/x515 drivers.
    Textease
    Theme Park Inc
    TIxx21/x515
    Toolbox
    TOSHIBA Accessibility
    TOSHIBA Assist
    TOSHIBA ConfigFree
    TOSHIBA Controls
    TOSHIBA Controls Driver
    TOSHIBA Hardware Setup
    TOSHIBA Hotkey Utility
    TOSHIBA Manuals
    TOSHIBA PC Diagnostic Tool
    TOSHIBA Power Saver
    TOSHIBA Power Saver Driver
    TOSHIBA SD Memory Card Format
    TOSHIBA Software Modem
    TOSHIBA Supervisor Password
    TOSHIBA Virtual Sound
    TOSHIBA Zooming Hook
    TOSHIBA Zooming Utility
    Touch and Launch
    TouchPad On/Off Utility
    TrayApp
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB973874)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB932823-v3)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    USB Mass Storage Toolbox
    Utility Common Driver
    VC80CRTRedist - 8.0.50727.4053
    VLC media player 0.9.2
    WebFldrs XP
    WebReg
    Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
    Windows Genuine Advantage Notifications (KB905474)
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Hotfix - KB867282
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB884018
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885855
    Windows XP Hotfix - KB885884
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB889673
    Windows XP Hotfix - KB890047
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781

    ==== Event Viewer Messages From Past Week ========

    12/10/2010 22:06:40, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 8a37cda0, parameter3 8a37cf14, parameter4 805fa2f8.
    12/10/2010 21:56:33, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 8a3763e8, parameter3 8a37655c, parameter4 805fa2f8.
    12/10/2010 21:44:03, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
    12/10/2010 21:06:52, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
    12/10/2010 21:06:52, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    12/10/2010 21:06:52, error: Service Control Manager [7034] - The ConfigFree Service service terminated unexpectedly. It has done this 1 time(s).
    12/10/2010 21:06:52, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    12/10/2010 19:53:07, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows media player\migrate.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 10.0.0.3646.
    12/10/2010 19:40:02, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\outlook express\msoe.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.3664.
    12/10/2010 19:38:09, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\movie maker\moviemk.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 2.1.4027.0.
    12/10/2010 19:29:03, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    11/10/2010 21:11:48, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\windows media player\migrate.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 10.0.0.3646, the version of the system file is 10.0.0.3646.
    11/10/2010 19:56:48, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows media player\npdsplay.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 3.0.2.628.
    11/10/2010 19:56:48, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows media player\mpvis.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 10.0.0.3646.
    11/10/2010 19:56:47, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows media player\wmplayer.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 10.0.0.3646.
    11/10/2010 19:55:18, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows nt\accessories\wordpad.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.3355.
    11/10/2010 19:55:12, information: Windows File Protection [64002] - File replacement was attempted on the protected system file wmplayer.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 10.0.0.3646.
    11/10/2010 19:55:02, information: Windows File Protection [64002] - File replacement was attempted on the protected system file npdsplay.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 3.0.2.628.
    11/10/2010 19:55:02, information: Windows File Protection [64002] - File replacement was attempted on the protected system file mpvis.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 10.0.0.3646.
    11/10/2010 19:55:02, information: Windows File Protection [64001] - File replacement was attempted on the protected system file migrate.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 10.0.0.3646, the version of the system file is 10.0.0.3646.
    11/10/2010 19:40:18, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\outlook express\wabimp.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.3138.
    11/10/2010 19:40:06, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\outlook express\msoe.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.0.2900.3664, the version of the system file is 6.0.2900.3664.
    11/10/2010 19:37:48, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\movie maker\moviemk.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 2.1.4027.0, the version of the system file is 2.1.4027.0.
    11/10/2010 19:28:18, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\wab32.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.3138.
    11/10/2010 19:28:01, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\directdb.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.3138.
    11/10/2010 19:28:00, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msjro.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.1128.0.
    11/10/2010 19:28:00, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msadox.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.1128.0.
    11/10/2010 19:27:59, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msadomd.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.1128.0.
    11/10/2010 19:27:58, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msado15.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.1128.0.
    09/10/2010 16:00:00, error: Schedule [7901] - The At41.job command failed to start due to the following error: %%2147942402
    09/10/2010 16:00:00, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402
    09/10/2010 15:00:00, error: Schedule [7901] - The At40.job command failed to start due to the following error: %%2147942402
    09/10/2010 15:00:00, error: Schedule [7901] - The At16.job command failed to start due to the following error: %%2147942402
    09/10/2010 14:00:00, error: Schedule [7901] - The At39.job command failed to start due to the following error: %%2147942402
    09/10/2010 14:00:00, error: Schedule [7901] - The At15.job command failed to start due to the following error: %%2147942402
    08/10/2010 23:00:00, error: Schedule [7901] - The At48.job command failed to start due to the following error: %%2147942402
    08/10/2010 23:00:00, error: Schedule [7901] - The At24.job command failed to start due to the following error: %%2147942402
    07/10/2010 22:36:23, error: ipnathlp [32003] - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
    07/10/2010 22:00:00, error: Schedule [7901] - The At47.job command failed to start due to the following error: %%2147942402
    07/10/2010 22:00:00, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402
    07/10/2010 21:00:00, error: Schedule [7901] - The At46.job command failed to start due to the following error: %%2147942402
    07/10/2010 21:00:00, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402
    07/10/2010 20:00:00, error: Schedule [7901] - The At45.job command failed to start due to the following error: %%2147942402
    07/10/2010 20:00:00, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402
    07/10/2010 19:00:00, error: Schedule [7901] - The At44.job command failed to start due to the following error: %%2147942402
    07/10/2010 19:00:00, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402
    07/10/2010 18:00:00, error: Schedule [7901] - The At43.job command failed to start due to the following error: %%2147942402
    07/10/2010 18:00:00, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402
    07/10/2010 17:46:54, error: Service Control Manager [7000] - The General Purpose USB Driver (adildr.sys) service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    06/10/2010 17:00:00, error: Schedule [7901] - The At42.job command failed to start due to the following error: %%2147942402
    06/10/2010 17:00:00, error: Schedule [7901] - The At18.job command failed to start due to the following error: %%2147942402
    06/10/2010 16:49:37, error: Dhcp [1002] - The IP address lease 192.168.1.3 for the Network Card with network address 00166F2E8641 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

    ==== End Of File ===========================


    Side effects seem to be random install files launching whenever a document, program or folder is opened. AVG Resident Shield keeps popping up; not sure if it is legit.

    Any help would be greatly appreciated, thanks :)
     
  5. Broni

    Broni Malware Annihilator Posts: 47,048   +256

    Welcome aboard

    Please, do NOT wrap your logs in code.

    Your MBAM log says "No action taken" after each line.
    Re-run MBAM, FIX all issues and post fresh log.
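Broni's point is easy to check mechanically. The following added Python example (not from this thread and not Malwarebytes' own code) parses a log in the MBAM 1.46 format shown in this thread and flags every detection whose result is "No action taken"; the sample log embedded in it is constructed for the example.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the format of the MBAM 1.46 logs posted in this thread;
# the keys, paths, threat names and results are made up for the example.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Memory Processes Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\example.sys (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\example (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rlist (Malware.Trace) -> No action taken.

Folders Infected:
C:\Program Files\system32 (Backdoor.Bifrose) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\User\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> No action taken.
C:\WINDOWS\system32\example.dll (Trojan.Agent) -> Delete on reboot.
"""

# A summary line ("Registry Keys Infected: 1") or a section header ("Registry Keys Infected:").
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
# A detection line: "<key or path> (<threat name>) -> <result>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<result>.+?)\.?$")


@dataclass
class Detection:
    section: str
    item: str
    threat: str
    result: str

    @property
    def status(self) -> str:
        """Classify the result text MBAM writes after '->'."""
        r = self.result.lower()
        if r.startswith("quarantined"):
            return "removed"
        if "reboot" in r:
            return "pending_reboot"  # removal scheduled, a restart is still required
        if r.startswith("no action taken"):
            return "untreated"       # found, but the user never clicked Remove Selected
        return "other"


def parse_mbam_log(text: str) -> tuple[dict[str, int], list[Detection]]:
    """Return (summary counts per section, detection lines) from an MBAM log."""
    counts: dict[str, int] = {}
    detections: list[Detection] = []
    section: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                counts[m.group("section")] = int(m.group("count"))  # summary block
            else:
                section = m.group("section")  # start of a detail block
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            detections.append(Detection(section, m.group("item"),
                                        m.group("threat"), m.group("result")))
    return counts, detections


def untreated(detections: list[Detection]) -> list[Detection]:
    """Detections MBAM found but did not quarantine: the log Broni is objecting to."""
    return [d for d in detections if d.status == "untreated"]


def status_summary(detections: list[Detection]) -> dict[str, int]:
    return dict(Counter(d.status for d in detections))


def counts_match(counts: dict[str, int], detections: list[Detection]) -> bool:
    """Check that the summary block agrees with the detail lines actually listed."""
    listed = Counter(d.section for d in detections)
    return all(listed.get(section, 0) == n for section, n in counts.items())
```

A log where `untreated()` returns anything non-empty is the case Broni describes: the scan found items but they were never fixed, so the scan has to be re-run and the items removed before the log says anything useful.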
     
  6. willdud

    willdud TS Rookie Topic Starter

    Thank you, sorry about the code. I posted the MBAM log before I clicked fix last time by mistake (although I did then fix them). Here is yesterday's actual log:


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    12/10/2010 21:41:30
    mbam-log-2010-10-12 (21-41-30).txt

    Scan type: Quick scan
    Objects scanned: 117206
    Time elapsed: 8 minute(s), 55 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 3
    Registry Data Items Infected: 0
    Folders Infected: 2
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gaopdxserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nonep (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\realteks (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rlist (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\All Users\Application Data\00539421 (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Program Files\system32 (Backdoor.Bifrose) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\Zoe\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.



    I then ran it again this morning and nothing was found:


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    12/10/2010 21:41:30
    mbam-log-2010-10-12 (21-41-30).txt

    Scan type: Quick scan
    Objects scanned: 117206
    Time elapsed: 8 minute(s), 55 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 3
    Registry Data Items Infected: 0
    Folders Infected: 2
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gaopdxserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nonep (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\realteks (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rlist (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\All Users\Application Data\00539421 (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Program Files\system32 (Backdoor.Bifrose) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\Zoe\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

    However, installer is still running when I try to open anything. (The installer is not relevant to the program/folder I am trying to open).
     
  7. Broni

    Broni Malware Annihilator Posts: 47,048   +256

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ========================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  8. willdud

    willdud TS Rookie Topic Starter

    MBR

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 2 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 106):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EC000 \WINDOWS\system32\hal.dll
    0xF7987000 \WINDOWS\system32\KDCOM.DLL
    0xF7897000 \WINDOWS\system32\BOOTVID.dll
    0xF74D5000 spoo.sys
    0xF7989000 \WINDOWS\System32\Drivers\WMILIB.SYS
    0xF74BD000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
    0xF748F000 ACPI.sys
    0xF747E000 pci.sys
    0xF75F7000 ohci1394.sys
    0xF7607000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xF7617000 isapnp.sys
    0xF789B000 compbatt.sys
    0xF789F000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xF7A4F000 pciide.sys
    0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF798B000 intelide.sys
    0xF7859000 pcmcia.sys
    0xF7627000 MountMgr.sys
    0xF783A000 ftdisk.sys
    0xF78A3000 ACPIEC.sys
    0xF7A50000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    0xF770F000 PartMgr.sys
    0xF7637000 VolSnap.sys
    0xF796F000 atapi.sys
    0xF7647000 disk.sys
    0xF7657000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xBA7E0000 fltMgr.sys
    0xBA7CE000 sr.sys
    0xBA7B9000 drvmcdb.sys
    0xF7667000 PxHelp20.sys
    0xBA702000 KSecDD.sys
    0xBA6EF000 WudfPf.sys
    0xBA662000 Ntfs.sys
    0xBA635000 NDIS.sys
    0xBA61A000 Mup.sys
    0xBA53B000 \SystemRoot\system32\DRIVERS\yk51x86.sys
    0xF772F000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xBA518000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7737000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xBA205000 \SystemRoot\system32\DRIVERS\w29n51.sys
    0xF7687000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF773F000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xBA1EC000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
    0xF7747000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7697000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF7991000 \SystemRoot\system32\drivers\sscdbhk5.sys
    0xF76A7000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF76B7000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xBA1C9000 \SystemRoot\system32\DRIVERS\ks.sys
    0xBA1B6000 \SystemRoot\system32\DRIVERS\activhidsermini.sys
    0xF76C7000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF7767000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xBA17C000 \SystemRoot\system32\DRIVERS\bridge.sys
    0xF7777000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF7787000 \SystemRoot\system32\DRIVERS\rasirda.sys
    0xF76D7000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xBA5F2000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xBA165000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF76E7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF76F7000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xBA0B4000 \SystemRoot\system32\DRIVERS\psched.sys

    Processes (total 19):
    0 System Idle Process
    4 System
    736 C:\WINDOWS\system32\smss.exe
    784 csrss.exe
    808 C:\WINDOWS\system32\winlogon.exe
    852 C:\WINDOWS\system32\services.exe
    864 C:\WINDOWS\system32\lsass.exe
    1008 C:\WINDOWS\system32\svchost.exe
    1076 svchost.exe
    1152 C:\WINDOWS\system32\svchost.exe
    1236 svchost.exe
    1268 C:\Program Files\AVG\AVG9\avgchsvx.exe
    1288 svchost.exe
    1492 C:\Program Files\AVG\AVG9\avgcsrvx.exe
    1520 C:\Program Files\AVG\AVG9\avgcsrvx.exe
    292 C:\WINDOWS\explorer.exe
    308 C:\WINDOWS\system32\svchost.exe
    564 wmiprvse.exe
    1220 C:\Documents and Settings\Zoe\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: HTS541040G9AT00, Rev: MB2OA60A

    Size Device Name MBR Status
    --------------------------------------------
    37 GB \\.\PhysicalDrive0 Windows 98 MBR code detected
    SHA1: 48F01D7E76A0F3C038D08611E3FDC0EE4EF9FD3E


    Done!
     
  9. willdud

    willdud TS Rookie Topic Starter

    ComboFix 10-10-12.03 - Zoe 13/10/2010 8:09.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1270.803 [GMT 1:00]
    Running from: c:\documents and settings\Zoe\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Zoe\Application Data\Bimo
    c:\documents and settings\Zoe\Application Data\Bimo\xaup.exe
    c:\program files\Microsoft\DesktopLayer.exe
    c:\program files\WinPCap
    c:\program files\WinPCap\rpcapd.exe
    c:\windows\system32\dmlconf.dat
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\Packet.dll
    c:\windows\system32\pthreadVC.dll
    c:\windows\system32\WanPacket.dll
    c:\windows\system32\wpcap.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_NPF
    -------\Service_npf


    ((((((((((((((((((((((((( Files Created from 2010-09-13 to 2010-10-13 )))))))))))))))))))))))))))))))
    .

    2010-10-12 17:28 . 2010-10-13 05:30 -------- d-----w- c:\program files\system
    2010-10-11 16:59 . 2010-10-13 06:44 -------- d-----w- c:\program files\windows
    2010-10-11 06:32 . 2010-10-13 05:30 -------- d-----w- c:\program files\tmp
    2010-10-09 21:32 . 2010-10-09 21:32 14808 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
    2010-10-09 21:32 . 2010-10-09 21:32 718296 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
    2010-10-07 17:34 . 2001-08-17 21:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2010-10-07 17:34 . 2004-08-03 23:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2010-10-03 16:42 . 2010-10-03 16:42 -------- d--h--w- c:\windows\PIF
    2010-09-23 19:16 . 2010-09-23 19:16 1409 ----a-w- c:\windows\QTFont.for

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
    "EPSON Stylus C48 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I091.EXE" [2005-05-16 99840]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
    "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
    "Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2005-04-05 73728]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-12-22 88358]
    "CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-05-10 675840]
    "TOSHIBA Accessibility"="c:\program files\TOSHIBA\Accessibility\FnKeyHook.exe" [2004-04-30 24576]
    "SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2005-02-25 65536]
    "TCtryIOHook"="TCtrlIOHook.exe" [2005-03-30 28672]
    "TPSMain"="TPSMain.exe" [2005-01-21 266240]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-01-14 122939]
    "EPSON Stylus C48 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I091.EXE" [2005-05-16 99840]
    "SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-11 118784]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-23 98304]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-04 2067808]
    "ActivControl"="c:\program files\Activ Software\ActivDriver\ActivControl2.exe" [2010-06-10 1092896]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-07-17 08:56 12536 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DSLMON.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DSLMON.lnk
    backup=c:\windows\pss\DSLMON.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
    backup=c:\windows\pss\Google Updater.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
    backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SMART Board Tools.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SMART Board Tools.lnk
    backup=c:\windows\pss\SMART Board Tools.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Zoe^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
    path=c:\documents and settings\Zoe\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
    backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-10-15 00:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
    2003-01-27 16:16 376912 ----a-w- c:\program files\BroadJump\Client Foundation\CFD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2009-10-21 20:32 133104 ----atw- c:\documents and settings\Zoe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
    2004-11-17 09:56 1077327 ----a-w- c:\program files\TOSHIBA\Touch and Launch\PadExe.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2007-12-23 14:52 98304 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2008-04-27 09:04 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zooming]
    2004-07-14 15:07 24576 ----a-w- c:\windows\system32\ZoomingHook.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\Spotify\\spotify.exe"=
    "%windir%\\system32\\drivers\\svchost.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Documents and Settings\\Zoe\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [05/09/2009 14:52 216400]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [05/09/2009 14:52 243024]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [17/07/2010 09:56 308136]
    R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [26/05/2010 15:20 74752]
    R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [26/05/2010 15:21 6144]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [01/05/2009 16:31 38224]
    S3 SMART Web Server;SMART Web Server;c:\program files\SMART Technologies Inc\SMART Board Software\WebServer.exe [02/11/2007 06:48 767240]
    S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [07/07/2010 22:45 136176]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [02/10/2009 20:44 721904]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-07 16:58]

    2010-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-07 16:58]

    2010-10-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3278279896-2615095426-3511913592-1006Core.job
    - c:\documents and settings\Zoe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-21 20:32]

    2010-10-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3278279896-2615095426-3511913592-1006UA.job
    - c:\documents and settings\Zoe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-21 20:32]

    2006-05-01 c:\windows\Tasks\Registration reminder 1.job
    - c:\windows\system32\OOBE\oobebaln.exe [2005-05-20 12:00]

    2006-05-01 c:\windows\Tasks\Registration reminder 2.job
    - c:\windows\system32\OOBE\oobebaln.exe [2005-05-20 12:00]

    2006-05-01 c:\windows\Tasks\Registration reminder 3.job
    - c:\windows\system32\OOBE\oobebaln.exe [2005-05-20 12:00]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Zoe\Application Data\Mozilla\Firefox\Profiles\4lyals0n.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - plugin: c:\documents and settings\Zoe\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-{BD972598-1D92-82F2-BA8A-971A5279E659} - c:\documents and settings\Zoe\Application Data\Bimo\xaup.exe
    HKLM-Run-HWSetup - c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe
    HKLM-Run-adiras - adiras.exe
    SafeBoot-AVG Anti-Spyware Driver
    SafeBoot-AVG Anti-Spyware Guard
    MSConfigStartUp-Broadbandadvisor - c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe
    MSConfigStartUp-DAEMON Tools Lite - c:\program files\DAEMON Tools Lite\daemon.exe
    MSConfigStartUp-DivXUpdate - c:\program files\DivX\DivX Update\DivXUpdate.exe
    MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
    MSConfigStartUp-IS CfgWiz - c:\program files\Norton Internet Security\cfgwiz.exe
    MSConfigStartUp-TPNF - c:\program files\TOSHIBA\TouchPad\TPTray.exe
    MSConfigStartUp-workflow - d:\installs\workflow.exe
    AddRemove-HP Imaging Device Functions - c:\program files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe
    AddRemove-HP Solution Center & Imaging Support Tools - c:\program files\HP\Digital Imaging\eSupport\hpzscr01.exe
    AddRemove-HPExtendedCapabilities - c:\program files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe
    AddRemove-InstallShield_{3A57482F-BEBC-47E4-ADA1-6302403C7E50} - c:\progra~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe
    AddRemove-InstallShield_{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE} - c:\progra~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe
    AddRemove-InstallShield_{5279374D-87FE-4879-9385-F17278EBB9D3} - c:\progra~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe
    AddRemove-InstallShield_{7900D3A6-A9E8-4954-ACCB-AB15867978BF} - c:\progra~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe
    AddRemove-InstallShield_{80977342-27E8-4FF7-8B6A-D8D89461DA7F} - c:\progra~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe
    AddRemove-InstallShield_{F47B2DF8-35EC-4B51-B5F2-0E03EF5F51DA} - c:\progra~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe
    AddRemove-MSNINST - c:\program files\MSN\MsnInstaller\msninst.exe
    AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
    AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
    AddRemove-{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C} - c:\program files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzscr01.exe


    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(508)
    c:\windows\system32\WININET.dll
    c:\documents and settings\All Users\Application Data\ACTIV Software\ActivApplications\ActivFocusHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\system32\TPwrCfg.DLL
    c:\windows\system32\TPwrReg.dll
    c:\windows\system32\TPSTrace.DLL
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\AGRSMMSG.exe
    c:\windows\system32\TCtrlIOHook.exe
    c:\program files\Apoint2K\Apntex.exe
    c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
    c:\windows\system32\TPSBattM.exe
    c:\program files\Toshiba\TOSHIBA Controls\TFncKy.exe
    c:\program files\Activ Software\ActivDriver\activmgr.exe
    c:\windows\system32\msiexec.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-13 08:22:14 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-13 07:22

    Pre-Run: 13,978,071,040 bytes free
    Post-Run: 13,845,954,560 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - 9731847C2DDA903A619C448B5B3ED84E


    EDIT--
    As I posted this AVG spotted several Zbot.E
     
  10. Broni

    Broni Malware Annihilator Posts: 47,048   +256

    I'm afraid I have very bad news.

    Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe and .HTML/.HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/.HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A, which is dropped by a Ramnit-infected executable file.

    -- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
    With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

    Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

    Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are a major source of system infection.

    In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

    Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
    Backdoors and What They Mean to You

    This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?

    Important Note: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, to include those used for banking, email, eBay, PayPal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.
     
  11. willdud

    willdud TS Rookie Topic Starter

    Hey, thanks for all your help. Do you know if there is any way I can save some data from this machine? It's my girlfriend's laptop and it's got all her teacher resources and lessons on it.

    --Edit--

    What from the log indicates this virus? So I can maybe interpret logs like these myself in future.
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,048   +256

    See here: http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&name=PE_RAMNIT.A

    If you look at your Combofix log, you can see:
    c:\program files\Microsoft\DesktopLayer.exe
    and
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"

    ======================================================================

    Yes, you can backup data, but you have to be very careful and stick to certain procedures.
    Let me know, where are you planning to back up data to and I'll let you know what to do.
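The indicator Broni points at (post #12), and the logon persistence described in post #10, can be checked mechanically: Windows runs every comma-separated path in the Winlogon "Userinit" value at logon, so any entry besides system32\userinit.exe is a hook worth investigating. The following Python script is an added example, not code from the thread or from ComboFix; the function names are its own, and the log excerpt is constructed from the ComboFix "Reg Loading Points" lines quoted above.

```python
"""Flag extra executables chained onto the Winlogon 'Userinit' value in a
ComboFix-style 'Reg Loading Points' section.  Added example for the TechSpot
thread; parse_reg_points/userinit_extras are this example's own helpers."""
import re

# Constructed excerpt, copied from the ComboFix output quoted in the thread.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"="data" optionally followed by ComboFix's trailing " [date size]" tag.
VALUE_RE = re.compile(r'^"([^"]+)"="(.*?)"(?:\s+\[.*\])?$')


def parse_reg_points(text):
    """Return {key: {value_name: data}} for each REGEDIT4-style block in text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = m.group(2)
    return keys


def userinit_extras(reg_points):
    """Paths in Winlogon\\Userinit other than the expected userinit.exe.

    Ramnit appends its dropped DesktopLayer.exe here so that it is launched
    at every logon; a clean value ends with "\\system32\\userinit.exe,".
    """
    for key, values in reg_points.items():
        if key.endswith("\\windows nt\\currentversion\\winlogon"):
            data = values.get("userinit", "")
            parts = [p.strip().lower() for p in data.split(",") if p.strip()]
            return [p for p in parts if not p.endswith("\\system32\\userinit.exe")]
    return []


def main():
    for path in userinit_extras(parse_reg_points(SAMPLE_LOG)):
        print("suspicious Userinit entry:", path)


if __name__ == "__main__":
    main()
```

Run on the thread's log the script reports the desktoplayer.exe entry; on a clean XP machine the list is empty.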
     
Topic Status:
Not open for further replies.