TechSpot

PC crashes in the same place when running Avira/Norton

By nihi
Feb 23, 2011
  1. Hello,

    I first tried to run a full system scan with Norton, but the PC crashed; then I uninstalled Norton and used Avira, but the same thing happened. I tried 4 times in total, separately, with these 2 anti-virus programs.

    Every time my PC crashes when scanning "C:\windows\winsxs\manifests\x86_microsoft-windows-hal_31bf3856ad364e35_6.0.6001.18000_none_ab8fa4".

    I completed the 8 steps; the logs are below.

    Thank you for your help~

    Nihi

    ----------------------------
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org


    Database version: 5844

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.19019

    2/23/2011 12:28:16 AM
    mbam-log-2011-02-23 (00-28-16).txt

    Scan type: Quick scan
    Objects scanned: 146678
    Time elapsed: 4 minute(s), 20 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Typelib\{87CA3845-37FE-414C-81CF-E08A7D0F6779} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{A1DD29ED-2598-48E9-9793-64A9CD08AC94} (Trojan.BHO) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    --------------------------------------------------------
    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-02-23 00:57:48
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 FUJITSU_ rev.0000
    Running: o8h0cqui.exe; Driver: C:\Users\hmfung\AppData\Local\Temp\awryrpog.sys


    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Mozilla Firefox\firefox.exe[4204] ntdll.dll!LdrLoadDll 777693A8 5 Bytes JMP 008B13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5964] USER32.dll!TrackPopupMenu 778914F3 4 Bytes JMP 64492342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----


    -----------------------------------------------------------

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by hmfung at 0:58:33.28 on Wed 02/23/2011
    Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_23
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3025.1675 [GMT 1:00]

    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Program Files\Softex\OmniPass\OmniServ.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\agrsmsvc.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    c:\Windows\system32\o2flash.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    c:\Program Files\Fujitsu\PSUtility\PSUService.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\SFR\Gestionnaire de Connexion\SFR.DashBoard.Service.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
    C:\Windows\RtHDVCpl.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Fujitsu\PSUtility\TrayManager.exe
    C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Softex\OmniPass\opvapp.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\hmfung\Downloads\dds.scr
    C:\Windows\system32\conime.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uDefault_Page_URL = hxxp://hk.fujitsu.com/pc
    mDefault_Page_URL = hxxp://hk.fujitsu.com/pc
    uInternet Settings,ProxyOverride = *.local
    BHO: WebThunder Browser Helper: {00000aaa-a363-466e-bef5-9bb68697aa7f} - c:\program files\thunder network\webthunder\WebThunderBHO_Now.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [LoadFUJ02E3] c:\program files\fujitsu\fuj02e3\FUJ02E3.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [TvOutSwitch] c:\program files\fujitsu\dispswitch\DispSwitchLauncher.exe
    mRun: [PSUtility] c:\program files\fujitsu\psutility\TrayManager.exe
    mRun: [LoadFujitsuQuickTouch] c:\program files\fujitsu\application panel\QuickTouch.exe
    mRun: [LoadBtnHnd] c:\program files\fujitsu\btnhnd\BtnHnd.exe
    mRun: [Skytel] Skytel.exe
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
    Notify: igfxcui - igfxdev.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\hmfung\appdata\roaming\mozilla\firefox\profiles\ulepel1f.default\
    FF - plugin: c:\program files\common files\thunder network\kankan\npDapCtrlFirefox.2.0.5901.12.(309).dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Dictionnaire français «Moderne»: fr-moderne@dictionaries.addons.mozilla.org - %profile%\extensions\fr-moderne@dictionaries.addons.mozilla.org

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    ============= SERVICES / DRIVERS ===============

    R0 FJGSDisk;G-Sensor Application Filter Driver;c:\windows\system32\drivers\FJGSDisk.sys [2008-6-26 12712]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-2-22 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-2-22 267944]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-2-22 61960]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
    R2 PowerSavingUtilityService;PowerSavingUtilityService;c:\program files\fujitsu\psutility\PSUService.exe [2008-2-1 62760]
    R2 SFR.DashBoard.Service;SFR.DashBoard.Service;c:\program files\sfr\gestionnaire de connexion\SFR.DashBoard.Service.exe [2010-12-2 18272]
    R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2008-4-28 5632]
    R3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2008-5-1 3660800]
    R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-2-5 47448]
    R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2008-1-22 41560]
    R3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\drivers\smscirda.sys [2006-11-2 30720]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 LvIBTSvr;Logitech IBT Service;c:\program files\common files\logishrd\lvibtsvr\LvIBTSvr.exe [2007-4-3 76576]
    S3 ADVNTDRV;ADVNTDRV;c:\windows\system32\drivers\ADVNTDRV.SYS [2009-2-22 3872]
    S3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-12-2 9216]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2010-12-2 114688]
    S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\ZTEusbvoice.sys [2010-12-2 105088]

    =============== Created Last 30 ================

    2011-02-22 23:33:49 -------- d-----w- c:\users\hmfung\appdata\local\CrashDumps
    2011-02-22 23:18:49 709456 ----a-w- c:\windows\isRS-000.tmp
    2011-02-22 23:18:09 -------- d-----w- c:\users\hmfung\appdata\roaming\Malwarebytes
    2011-02-22 23:17:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-22 23:17:51 -------- d-----w- c:\progra~2\Malwarebytes
    2011-02-22 23:17:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-22 23:17:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-22 22:13:51 -------- d-----w- c:\users\hmfung\appdata\roaming\Avira
    2011-02-22 22:09:53 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-02-22 22:09:52 -------- d-----w- c:\program files\Avira
    2011-02-22 22:09:52 -------- d-----w- c:\progra~2\Avira
    2011-02-22 19:53:20 -------- d-----w- c:\progra~2\Norton
    2011-02-22 19:53:08 -------- d-----w- c:\progra~2\NortonInstaller
    2011-02-22 19:06:36 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{363956a2-aa80-40f1-bf0c-7be3ebb09332}\mpengine.dll
    2011-02-15 21:10:01 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
    2011-02-15 21:10:00 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
    2011-02-15 00:02:07 -------- d-----w- c:\program files\iPod
    2011-02-14 13:54:16 413696 ----a-w- c:\windows\system32\odbc32.dll
    2011-02-14 13:54:15 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
    2011-02-14 13:54:15 57344 ----a-w- c:\program files\common files\system\msadc\msadcs.dll
    2011-02-14 13:54:15 253952 ----a-w- c:\program files\common files\system\ado\msadox.dll
    2011-02-14 13:54:15 241664 ----a-w- c:\program files\common files\system\ado\msadomd.dll
    2011-02-14 13:54:15 180224 ----a-w- c:\program files\common files\system\msadc\msadco.dll
    2011-02-14 13:54:10 2039808 ----a-w- c:\windows\system32\win32k.sys
    2011-02-14 13:54:07 3602320 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-02-14 13:54:07 1205080 ----a-w- c:\windows\system32\ntdll.dll
    2011-02-14 13:54:06 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-02-14 13:54:02 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat

    ==================== Find3M ====================

    2011-02-02 16:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
    2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
    2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
    2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
    2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
    2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
    2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
    2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
    2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
    2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
    2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
    2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
    2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
    2011-01-20 14:24:32 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
    2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
    2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
    2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
    2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
    2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
    2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
    2011-01-20 13:44:05 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-01-20 13:44:03 797184 ----a-w- c:\windows\system32\FntCache.dll
    2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-18 06:27:04 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-18 06:22:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-18 06:22:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-12-18 06:22:11 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-12-18 06:22:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-12-18 05:25:26 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-18 04:48:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-12-18 04:47:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-12-14 14:49:23 1169408 ----a-w- c:\windows\system32\sdclt.exe
    2010-11-29 16:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 16:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

    ============= FINISH: 0:58:50.26 ===============



    -----------------------------------------------------------
    Attach.txt

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft® Windows Vista™ Home Basic
    Boot Device: \Device\HarddiskVolume2
    Install Date: 1/14/2009 11:56:10 AM
    System Uptime: 2/23/2011 12:19:31 AM (0 hours ago)

    Motherboard: FUJITSU | | FJNB1E6
    Processor: Intel(R) Core(TM)2 Duo CPU P8600 @ 2.40GHz | Onboard | 1600/266mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 112 GiB total, 61.504 GiB free.
    D: is FIXED (NTFS) - 112 GiB total, 103.946 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP426: 12/31/2010 10:12:10 AM - Scheduled Checkpoint
    RP427: 12/31/2010 2:46:32 PM - Windows Update
    RP428: 1/1/2011 1:31:57 PM - Scheduled Checkpoint
    RP429: 1/4/2011 7:13:42 PM - Windows Update
    RP430: 1/6/2011 12:11:22 PM - Scheduled Checkpoint
    RP431: 1/7/2011 9:39:57 AM - Windows Update
    RP432: 2/14/2011 2:49:02 PM - Windows Update
    RP433: 2/14/2011 3:22:41 PM - Windows Update
    RP434: 2/15/2011 12:59:01 AM - Device Driver Package Install: Apple, Inc. Universal Serial Bus controllers
    RP435: 2/15/2011 12:59:29 AM - Device Driver Package Install: Apple Network adapters
    RP436: 2/15/2011 1:04:58 PM - Windows Update
    RP437: 2/15/2011 2:19:10 PM - Windows Update
    RP438: 2/16/2011 7:54:15 PM - Scheduled Checkpoint
    RP439: 2/17/2011 8:46:10 PM - Windows Update
    RP440: 2/18/2011 1:02:36 PM - Windows Update
    RP441: 2/20/2011 12:32:40 PM - Scheduled Checkpoint
    RP442: 2/21/2011 8:53:27 PM - Scheduled Checkpoint
    RP443: 2/22/2011 8:06:20 PM - Windows Update
    RP444: 2/22/2011 8:25:22 PM - Windows Update

    ==== Installed Programs ======================

    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.2.6
    Agere Systems HDA Modem
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AuthenTec Fingerprint Sensor Minimum Install
    Avira AntiVir Personal - Free Antivirus
    Bluetooth Stack for Windows by Toshiba
    Bonjour
    Chinese Simplified Fonts Support For Adobe Reader 8
    CyberLink PowerDirector
    D3DX10
    Fujitsu Display Manager
    Fujitsu Hardware Diagnostics Tool
    Fujitsu Hotkey Utility
    Fujitsu MobilityCenter Extension Utility
    Fujitsu System Extension Utility
    Fujitsu WebCam
    Gestionnaire de Connexion SFR 3.1
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Inst5657
    Intel PROSet Wireless
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PROSet/Wireless WiFi Software
    iSilo
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 18
    Java(TM) 6 Update 23
    Java(TM) 6 Update 6
    Junk Mail filter update
    LifeBook Application Panel
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (French) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (French) 2007
    Microsoft Office PowerPoint MUI (French) 2007
    Microsoft Office Proof (Arabic) 2007
    Microsoft Office Proof (Dutch) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (German) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (French) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (French) 2007
    Microsoft Office Suite Activation Assistant
    Microsoft Office Word MUI (French) 2007
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mise à jour Microsoft Office Excel 2007 Help (KB963678)
    Mise à jour Microsoft Office Powerpoint 2007 Help (KB963669)
    Mise à jour Microsoft Office Word 2007 Help (KB963665)
    MobileMe Control Panel
    Mozilla Firefox (3.6.13)
    MSVC80_x86_v2
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nokia Connectivity Cable Driver
    Nokia PC Suite
    O2Micro Flash Memory Card Windows Driver
    OmniPass 5.01.04
    OpenOffice.org 3.2
    OZ711 SCR Driver V3.0.1.4
    PC Connectivity Solution
    Power Saving Utility
    PowerDVD
    QuickTime
    RealPlayer
    Realtek High Definition Audio Driver
    RealUpgrade 1.0
    Roxio Central Audio
    Roxio Central Copy
    Roxio Central Core
    Roxio Central Data
    Roxio Central Tools
    Roxio Creator LJ
    Safari
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Segoe UI
    Shock Sensor Utility
    Skype Toolbars
    Skype™ 4.2
    Synaptics Pointing Device Driver
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.4)
    Windows Driver Package - Nokia Modem (10/05/2009 4.2)
    Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live FolderShare
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Mail
    Windows Live Messenger
    Windows Live MIME IFilter
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    WinRAR archiver

    ==== Event Viewer Messages From Past Week ========

    2/23/2011 12:09:09 AM, Error: Service Control Manager [7034] - The Softex OmniPass Service service terminated unexpectedly. It has done this 1 time(s).
    2/23/2011 12:02:42 AM, Error: EventLog [6008] - The previous system shutdown at 11:56:16 PM on 2/22/2011 was unexpected.
    2/22/2011 9:36:29 PM, Error: EventLog [6008] - The previous system shutdown at 9:31:55 PM on 2/22/2011 was unexpected.
    2/22/2011 11:20:39 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    2/22/2011 11:14:02 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the SFR.DashBoard.Service service to connect.
    2/22/2011 11:14:02 PM, Error: Service Control Manager [7000] - The SFR.DashBoard.Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    2/22/2011 11:10:19 PM, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.
    2/22/2011 11:01:31 PM, Error: EventLog [6008] - The previous system shutdown at 10:47:37 PM on 2/22/2011 was unexpected.
    2/22/2011 10:40:04 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Intel® PROSet/Wireless Registry Service service to connect.
    2/22/2011 10:40:04 PM, Error: Service Control Manager [7000] - The Intel® PROSet/Wireless Registry Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    2/22/2011 10:39:41 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\IWMSSvc.dll Error Code: 258
    2/22/2011 10:38:37 PM, Error: EventLog [6008] - The previous system shutdown at 10:33:42 PM on 2/22/2011 was unexpected.
    2/22/2011 10:19:42 PM, Error: EventLog [6008] - The previous system shutdown at 10:10:30 PM on 2/22/2011 was unexpected.
    2/21/2011 8:22:07 PM, Error: Microsoft-Windows-Dhcp-Client [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0016EA8890C4. The following error occurred: The semaphore timeout period has expired.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    2/19/2011 2:56:52 PM, Error: Microsoft-Windows-Dhcp-Client [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0016EA8890C4. The following error occurred: The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

    ==== End Of File ===========================
     
  2. Bobbye


    Welcome to TechSpot! I'll help with the malware- but you need to do some housekeeping first:

    1. Go to the Control Panel> Add/Remove Programs> Uninstall Java v6u6, Java v6u18 and Java v6u23. Update to the current v6u24: check this site: Java Updates. The Java updates don't overwrite the previous version, so you must uninstall it each time, as it is a vulnerability for the system.

    2. While in Add/Remove Programs, look for anything associated with Thunder Network, "Thunder" download manager, WebThunder Browser Helper or anything listed under xunlei.com. This program comes bundled with spyware and the home site itself is not a safe site.

    After the uninstalls, use Windows Explorer (Windows key + E)> My Computer> Local Drive Programs> look for any folders for the same listings above and do a right-click> Delete on them.

    3. Norton is still loading. Please run the Norton Removal Tool.
    ====================================
    Reboot the computer and empty the Recycle Bin when through with above.
    ====================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the ActiveX control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard" (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then do Ctrl+V. The log will be sent from the clipboard and pasted into the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard, you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
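Bobbye's point that Java updates install beside the old runtime instead of replacing it is easy to check mechanically. The following is an added example of mine, not code from the thread or from any of the tools named in it: it takes a list of Add/Remove Programs display names (the sample list below is constructed to match the versions named in this thread) and reports every Java runtime older than the v6u24 release she recommends. The regular expression, the function names and the `CURRENT_JAVA` constant are my assumptions.

```python
import re
from typing import Iterable, Optional, Tuple

# Constructed sample of Add/Remove Programs display names, modelled on the
# versions named in this thread (Java 6 Update 6, 18 and 23 installed side by side).
SAMPLE_PROGRAMS = [
    "Java(TM) 6 Update 6",
    "Java(TM) 6 Update 18",
    "Java(TM) 6 Update 23",
    "Malwarebytes' Anti-Malware",
    "Mozilla Firefox (3.6.13)",
    "Adobe Reader 8.2.6",
    "Avira AntiVir Personal - Free Antivirus",
]

# Newest release the helper recommends in this thread (v6u24); an assumption
# for this example, adjust to whatever is current when you run it.
CURRENT_JAVA = (6, 24)

# Matches display names such as "Java(TM) 6 Update 23" or "Java 6 Update 6".
_JAVA_RE = re.compile(r"^Java(?:\(TM\))?\s+(\d+)\s+Update\s+(\d+)\b", re.IGNORECASE)


def parse_java_version(display_name: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for a Java runtime entry, or None for anything else."""
    m = _JAVA_RE.match(display_name.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def java_audit(programs: Iterable[str], current: Tuple[int, int] = CURRENT_JAVA) -> dict:
    """Classify the installed Java runtimes.

    Every version below `current` is reported as a leftover to uninstall, since
    Java updates install beside older ones rather than replacing them.
    `needs_update` is True unless `current` itself is present.
    """
    found = {}
    for name in programs:
        ver = parse_java_version(name)
        if ver is not None:
            found[ver] = name
    outdated = sorted(v for v in found if v < current)
    return {
        "installed": sorted(found),
        "uninstall": [found[v] for v in outdated],
        "needs_update": current not in found,
    }


if __name__ == "__main__":
    report = java_audit(SAMPLE_PROGRAMS)
    for name in report["uninstall"]:
        print("uninstall:", name)
    if report["needs_update"]:
        print("install Java %du%d" % CURRENT_JAVA)
```

On a real machine the display names would come from the Uninstall registry keys rather than a hard-coded list; the parsing and comparison stay the same.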
     
  3. nihi

    nihi TS Rookie Topic Starter

    Hi Bobbye,

    Thank you for your reply.

    I followed your steps until I ran the Eset NOD32 Online AntiVirus. It stops at the same place when scanning "C:\windows\winsxs\manifests\x86_microsoft-windows-hal_31bf3856ad364e35_6.0.6001.18000_none_ab8fa458a:......"

    In fact, it finished 49% & the time continues to count and the cursor works too. However, when I tried to close the webpage or stop scanning or click another program, it crashes. I was forced to shut down the PC.....

    Pls kindly help~

    Thanks again
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, please run the following first, then try the Eset scan again:

    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  5. nihi

    nihi TS Rookie Topic Starter

    Hi Bobbye,

    Here is the log from Combofix, but I still couldn't finish the Eset scan because of the same problem; it always stopped at the same place.

    Tks~~

    Nihi

    ----------------------------------------------
    ComboFix 11-02-24.01 - hmfung 02/24/2011 21:32:38.1.2 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3025.1693 [GMT 1:00]
    Running from: c:\users\hmfung\Downloads\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((( Files Created from 2011-01-24 to 2011-02-24 )))))))))))))))))))))))))))))))
    .

    2011-02-24 20:36 . 2011-02-24 20:36 -------- d-----w- c:\users\hmfung\AppData\Local\temp
    2011-02-24 20:36 . 2011-02-24 20:36 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-02-23 19:44 . 2011-02-23 19:44 -------- d-----w- c:\program files\ESET
    2011-02-23 19:17 . 2011-02-23 19:17 -------- d-----w- c:\program files\Common Files\Java
    2011-02-23 19:14 . 2011-02-23 19:14 -------- d-----w- c:\programdata\McAfee
    2011-02-22 23:33 . 2011-02-22 23:33 -------- d-----w- c:\users\hmfung\AppData\Local\CrashDumps
    2011-02-22 23:18 . 2011-02-22 23:18 -------- d-----w- c:\users\hmfung\AppData\Roaming\Malwarebytes
    2011-02-22 23:17 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-22 23:17 . 2011-02-22 23:17 -------- d-----w- c:\programdata\Malwarebytes
    2011-02-22 23:17 . 2011-02-22 23:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-22 23:17 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-22 22:13 . 2011-02-22 22:13 -------- d-----w- c:\users\hmfung\AppData\Roaming\Avira
    2011-02-22 22:09 . 2011-01-10 13:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-02-22 22:09 . 2011-01-10 13:23 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-02-22 22:09 . 2011-02-22 22:09 -------- d-----w- c:\programdata\Avira
    2011-02-22 22:09 . 2011-02-22 22:09 -------- d-----w- c:\program files\Avira
    2011-02-22 19:53 . 2011-02-22 22:13 -------- d-----w- c:\programdata\Norton
    2011-02-22 19:46 . 2011-02-22 19:52 -------- d-----w- c:\users\hmfung\AppData\Roaming\Download Manager
    2011-02-22 19:06 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{363956A2-AA80-40F1-BF0C-7BE3EBB09332}\mpengine.dll
    2011-02-15 21:10 . 2011-02-15 21:10 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
    2011-02-15 21:10 . 2011-02-15 21:10 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
    2011-02-15 00:02 . 2011-02-15 00:02 -------- d-----w- c:\program files\iPod
    2011-02-14 13:54 . 2010-12-28 15:55 413696 ----a-w- c:\windows\system32\odbc32.dll
    2011-02-14 13:54 . 2010-12-28 15:53 253952 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
    2011-02-14 13:54 . 2010-12-28 15:53 241664 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
    2011-02-14 13:54 . 2010-12-28 15:53 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    2011-02-14 13:54 . 2010-12-28 15:53 57344 ----a-w- c:\program files\Common Files\System\msadc\msadcs.dll
    2011-02-14 13:54 . 2010-12-28 15:53 180224 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
    2011-02-14 13:54 . 2010-12-31 13:57 2039808 ----a-w- c:\windows\system32\win32k.sys
    2011-02-14 13:54 . 2010-10-15 14:08 3602320 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-02-14 13:54 . 2010-10-15 13:48 1205080 ----a-w- c:\windows\system32\ntdll.dll
    2011-02-14 13:54 . 2010-10-15 14:08 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-02-14 13:54 . 2011-01-06 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-23 19:14 . 2010-04-23 08:01 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-02 16:11 . 2009-10-02 16:12 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-11-29 16:38 . 2010-11-29 16:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 16:38 . 2010-11-29 16:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2009-06-12 05:34 . 2009-04-08 09:12 42760 ----a-w- c:\program files\mozilla firefox\components\NsThunderLoader.dll
    2009-03-17 17:20 . 2009-04-08 09:12 53248 ----a-w- c:\program files\mozilla firefox\components\ThunderComponent.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-04-20 26192680]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2008-02-01 88616]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-04-17 6111232]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-23 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-23 145944]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-11 1045800]
    "TvOutSwitch"="c:\program files\Fujitsu\DispSwitch\DispSwitchLauncher.exe" [2008-04-02 102400]
    "PSUtility"="c:\program files\Fujitsu\PSUtility\TrayManager.exe" [2008-02-01 136488]
    "LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2006-11-26 260912]
    "LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2006-11-12 68400]
    "Skytel"="Skytel.exe" [2007-11-20 1826816]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-02 202256]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-909818264-3692995831-1060911529-1000]
    "EnableNotificationsRef"=dword:00000001

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 LvIBTSvr;Logitech IBT Service;c:\program files\Common Files\LogiShrd\LvIBTSvr\LvIBTSvr.exe [2007-04-03 76576]
    R3 ADVNTDRV;ADVNTDRV;c:\windows\System32\drivers\ADVNTDRV.SYS [1999-11-19 3872]
    R3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-04-14 9216]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\DRIVERS\ZTEusbnet.sys [2009-07-21 114688]
    R3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\DRIVERS\ZTEusbvoice.sys [2009-07-21 105088]
    S0 FJGSDisk;G-Sensor Application Filter Driver;c:\windows\system32\DRIVERS\FJGSDisk.sys [2008-06-26 12712]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-01-10 135336]
    S2 PowerSavingUtilityService;PowerSavingUtilityService;c:\program files\Fujitsu\PSUtility\PSUService.exe [2008-02-01 62760]
    S2 SFR.DashBoard.Service;SFR.DashBoard.Service;c:\program files\SFR\Gestionnaire de Connexion\SFR.DashBoard.Service.exe [2010-05-31 18272]
    S3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\DRIVERS\FUJ02E3.sys [2006-11-01 5632]
    S3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-05-01 3660800]
    S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-02-05 47448]
    S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2008-01-21 41560]
    S3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\DRIVERS\SMSCirda.sys [2006-11-02 30720]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
    FF - ProfilePath - c:\users\hmfung\AppData\Roaming\Mozilla\Firefox\Profiles\ulepel1f.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1} - c:\program files\InstallShield Installation Information\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\setup.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-24 21:36
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-909818264-3692995831-1060911529-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.Email.1"

    [HKEY_USERS\S-1-5-21-909818264-3692995831-1060911529-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.VCard.1"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-02-24 21:38:25
    ComboFix-quarantined-files.txt 2011-02-24 20:38

    Pre-Run: 66,459,873,280 bytes free
    Post-Run: 66,204,336,128 bytes free

    - - End Of File - - 31777DC9A68059315AF14E26F5AC1D85
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You have processes for 3 antivirus programs running:
    Avira> If this is your current AV program, please run the removal tools for the following:
    Norton: >Norton Removal Tool
    McAfee:>McAfee Removal

    Please reboot the computer when finished.

    If you will verify which AV you are keeping, I can include the 'left over' processes, if any, for the AV programs you are removing, in the script I will have you run through Combofix.
    ====================================
    Please uninstall these outdated versions of Java as they are vulnerabilities for the system:
    Java(TM) 6 Update 18
    Java(TM) 6 Update 23
    Java(TM) 6 Update 6

    Update to current v6u24: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    =====================================
    See if you can get an online virus scan from this: Run Kaspersky Online Scanner in Internet Explorer

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
    • In the scan settings make sure that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
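Bobbye reads the ComboFix log above by eye: the `AV:`/`SP:` header lines show what is registered with Security Center, the "Files Created" paths show Norton and McAfee leftovers next to Avira, and the Run keys show what starts with Windows. As an added example of my own (not the thread's code and not anything shipped by ComboFix or the other tools named here), the Python below parses those sections from a constructed excerpt laid out like the posted log and flags the same things a helper would: several AV vendors with traces on one machine, registered products that are disabled, and Run entries whose image has no directory. The regular expressions, the `AV_VENDORS` fragment table and the function names are my assumptions; the vendor match is a loose substring test meant for triage, not a verdict.

```python
import re

# Constructed excerpt in ComboFix's log layout, modelled on the log posted in
# this thread (trimmed to a few lines; not the poster's full log).
SAMPLE_LOG = r"""
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Files Created from 2011-01-24 to 2011-02-24 )))))))))))))))))))))))))))))))
.
2011-02-23 19:44 . 2011-02-23 19:44 -------- d-----w- c:\program files\ESET
2011-02-23 19:14 . 2011-02-23 19:14 -------- d-----w- c:\programdata\McAfee
2011-02-22 22:09 . 2011-01-10 13:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-02-22 19:53 . 2011-02-22 22:13 -------- d-----w- c:\programdata\Norton
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-04-20 26192680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-17 6111232]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

R2 LvIBTSvr;Logitech IBT Service;c:\program files\Common Files\LogiShrd\LvIBTSvr\LvIBTSvr.exe [2007-04-03 76576]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-01-10 135336]
"""

# Line shapes as they appear in ComboFix output (assumed from the posted log).
_PRODUCT_RE = re.compile(r"^(AV|SP|FW): (.+?) \*(\w+)/(\w+)\* \{([0-9A-Fa-f-]+)\}$")
_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
_SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+) \[(\d{4}-\d{2}-\d{2}) (\d+)\]$")
_CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} (\S+) (\S+) (.+)$")

# Constructed vendor fragment table: loose substring matches, so a word like
# "reset" would also hit "eset"; good enough for a triage checklist.
AV_VENDORS = {
    "avira": "Avira", "antivir": "Avira",
    "norton": "Norton", "symantec": "Norton",
    "mcafee": "McAfee",
    "eset": "ESET",
    "kaspersky": "Kaspersky",
}


def parse_combofix(text):
    """Split a ComboFix log into the sections worth triaging."""
    report = {"products": [], "created": [], "autostarts": [], "services": []}
    key = None  # registry key that the following "name"="value" lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := _PRODUCT_RE.match(line)):
            report["products"].append({"kind": m[1], "name": m[2], "state": m[3], "sigs": m[4]})
        elif (m := _KEY_RE.match(line)):
            key = m[1]
        elif (m := _VALUE_RE.match(line)) and key and key.lower().endswith("\\run"):
            report["autostarts"].append(
                {"key": key, "name": m[1], "image": m[2], "date": m[3], "size": int(m[4])})
        elif (m := _SERVICE_RE.match(line)):
            report["services"].append({"start": m[1], "name": m[2], "display": m[3], "image": m[4]})
        elif (m := _CREATED_RE.match(line)):
            report["created"].append({"attrs": m[2], "path": m[3]})
    return report


def av_vendor_traces(report):
    """Vendors seen anywhere: Security Center registrations, new files, services."""
    haystack = [p["name"] for p in report["products"] if p["kind"] == "AV"]
    haystack += [c["path"] for c in report["created"]]
    haystack += [s["display"] + " " + s["image"] for s in report["services"]]
    seen = set()
    for text in haystack:
        low = text.lower()
        for fragment, vendor in AV_VENDORS.items():
            if fragment in low:
                seen.add(vendor)
    return sorted(seen)


def bare_image_autostarts(report):
    """Run entries whose image has no directory: Windows resolves them through the
    search path, so the log alone cannot say which file actually runs."""
    return [a["name"] for a in report["autostarts"] if "\\" not in a["image"]]


def disabled_products(report):
    """Registered AV/SP products that report themselves as disabled."""
    return sorted({p["name"] for p in report["products"] if p["state"].lower() == "disabled"})


if __name__ == "__main__":
    rep = parse_combofix(SAMPLE_LOG)
    print("AV vendor traces:", ", ".join(av_vendor_traces(rep)))
    print("Disabled products:", ", ".join(disabled_products(rep)))
    print("Run entries without a path:", ", ".join(bare_image_autostarts(rep)))
```

"Disabled" is expected during a ComboFix run, since the instructions say to switch the AV off first, and ESET shows up because the online scanner run earlier leaves a folder behind; the output is a checklist for the helper, not a verdict on what is malicious. The two bare-image Run entries in the real log (RtHDVCpl and Skytel) are commonly Realtek audio components; the check only says that the log cannot confirm which file on the search path gets loaded.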
     
  7. nihi

    nihi TS Rookie Topic Starter

    Hi,

    I cleaned out the 2 antivirus programs and left Avira running, but I failed to run the Kaspersky Online Scanner. It indicated "the license has expired".

    Then I ran the Combofix again:

    -------------------------------------------------
    ComboFix 11-02-24.01 - hmfung 02/26/2011 14:57:14.2.2 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3025.1970 [GMT 1:00]
    Running from: c:\users\hmfung\Downloads\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((( Files Created from 2011-01-26 to 2011-02-26 )))))))))))))))))))))))))))))))
    .

    2011-02-26 14:02 . 2011-02-26 14:02 -------- d-----w- c:\users\hmfung\AppData\Local\temp
    2011-02-26 14:02 . 2011-02-26 14:02 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-02-25 21:34 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FDCFAB1C-877B-4583-81A0-B51797C90AFD}\mpengine.dll
    2011-02-23 19:44 . 2011-02-23 19:44 -------- d-----w- c:\program files\ESET
    2011-02-23 19:17 . 2011-02-23 19:17 -------- d-----w- c:\program files\Common Files\Java
    2011-02-22 23:33 . 2011-02-22 23:33 -------- d-----w- c:\users\hmfung\AppData\Local\CrashDumps
    2011-02-22 23:18 . 2011-02-22 23:18 -------- d-----w- c:\users\hmfung\AppData\Roaming\Malwarebytes
    2011-02-22 23:17 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-22 23:17 . 2011-02-22 23:17 -------- d-----w- c:\programdata\Malwarebytes
    2011-02-22 23:17 . 2011-02-22 23:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-22 23:17 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-22 22:13 . 2011-02-22 22:13 -------- d-----w- c:\users\hmfung\AppData\Roaming\Avira
    2011-02-22 22:09 . 2011-01-10 13:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-02-22 22:09 . 2011-01-10 13:23 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-02-22 22:09 . 2011-02-22 22:09 -------- d-----w- c:\programdata\Avira
    2011-02-22 22:09 . 2011-02-22 22:09 -------- d-----w- c:\program files\Avira
    2011-02-22 19:53 . 2011-02-22 22:13 -------- d-----w- c:\programdata\Norton
    2011-02-22 19:46 . 2011-02-22 19:52 -------- d-----w- c:\users\hmfung\AppData\Roaming\Download Manager
    2011-02-15 21:10 . 2011-02-15 21:10 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
    2011-02-15 21:10 . 2011-02-15 21:10 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
    2011-02-15 00:02 . 2011-02-15 00:02 -------- d-----w- c:\program files\iPod
    2011-02-14 13:54 . 2010-12-28 15:55 413696 ----a-w- c:\windows\system32\odbc32.dll
    2011-02-14 13:54 . 2010-12-28 15:53 253952 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
    2011-02-14 13:54 . 2010-12-28 15:53 241664 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
    2011-02-14 13:54 . 2010-12-28 15:53 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    2011-02-14 13:54 . 2010-12-28 15:53 57344 ----a-w- c:\program files\Common Files\System\msadc\msadcs.dll
    2011-02-14 13:54 . 2010-12-28 15:53 180224 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
    2011-02-14 13:54 . 2010-12-31 13:57 2039808 ----a-w- c:\windows\system32\win32k.sys
    2011-02-14 13:54 . 2010-10-15 14:08 3602320 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-02-14 13:54 . 2010-10-15 13:48 1205080 ----a-w- c:\windows\system32\ntdll.dll
    2011-02-14 13:54 . 2010-10-15 14:08 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-02-14 13:54 . 2011-01-06 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-23 19:14 . 2010-04-23 08:01 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-02 16:11 . 2009-10-02 16:12 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-11-29 16:38 . 2010-11-29 16:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 16:38 . 2010-11-29 16:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-04-20 26192680]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2008-02-01 88616]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-04-17 6111232]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-23 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-23 145944]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-11 1045800]
    "TvOutSwitch"="c:\program files\Fujitsu\DispSwitch\DispSwitchLauncher.exe" [2008-04-02 102400]
    "PSUtility"="c:\program files\Fujitsu\PSUtility\TrayManager.exe" [2008-02-01 136488]
    "LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2006-11-26 260912]
    "LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2006-11-12 68400]
    "Skytel"="Skytel.exe" [2007-11-20 1826816]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-02 202256]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-909818264-3692995831-1060911529-1000]
    "EnableNotificationsRef"=dword:00000001

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 LvIBTSvr;Logitech IBT Service;c:\program files\Common Files\LogiShrd\LvIBTSvr\LvIBTSvr.exe [2007-04-03 76576]
    R3 ADVNTDRV;ADVNTDRV;c:\windows\System32\drivers\ADVNTDRV.SYS [1999-11-19 3872]
    R3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-04-14 9216]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\DRIVERS\ZTEusbnet.sys [2009-07-21 114688]
    R3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\DRIVERS\ZTEusbvoice.sys [2009-07-21 105088]
    S0 FJGSDisk;G-Sensor Application Filter Driver;c:\windows\system32\DRIVERS\FJGSDisk.sys [2008-06-26 12712]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-01-10 135336]
    S2 PowerSavingUtilityService;PowerSavingUtilityService;c:\program files\Fujitsu\PSUtility\PSUService.exe [2008-02-01 62760]
    S2 SFR.DashBoard.Service;SFR.DashBoard.Service;c:\program files\SFR\Gestionnaire de Connexion\SFR.DashBoard.Service.exe [2010-05-31 18272]
    S3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\DRIVERS\FUJ02E3.sys [2006-11-01 5632]
    S3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-05-01 3660800]
    S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-02-05 47448]
    S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2008-01-21 41560]
    S3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\DRIVERS\SMSCirda.sys [2006-11-02 30720]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
    FF - ProfilePath - c:\users\hmfung\AppData\Roaming\Mozilla\Firefox\Profiles\ulepel1f.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - user.js: yahoo.homepage.dontask - true
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-26 15:02
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-909818264-3692995831-1060911529-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.Email.1"

    [HKEY_USERS\S-1-5-21-909818264-3692995831-1060911529-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.VCard.1"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-02-26 15:03:30
    ComboFix-quarantined-files.txt 2011-02-26 14:03
    ComboFix2.txt 2011-02-24 20:38

    Pre-Run: 65,105,223,680 bytes free
    Post-Run: 65,219,461,120 bytes free

    - - End Of File - - 165454289BE7EC964FA0EDA0BAC01057
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    For the errors you are getting with the online virus scans:
    Check the system date (Time, Date, Time Zone) settings on your PC. Make sure they are correct. (Right click on Time in Notification Area> Adjust/Date & Time> Check all.)
    If you find the wrong setting and fix it, reboot and try Eset again. If that won't scan, try Kaspersky- but since they all give the same error and it is based on expiration AKA Time, that should resolve the problem.
    ===============================================
    Edit to add:
    I just noticed that your clock is set to Military time. This is a 24 hour clock, not 12 hour.
    Click on this site to find the Time Zone for your country: http://wwp.greenwichmeantime.com/gmt-converter2.htm
    You ran DDS at 058:00 on 2/23/2011. That means it was 58 min. after midnight, or rounded off, GMT 1:00, which is one o'clock in the morning, or 1 AM on a 12-hour clock.
    But you need to make sure the correct time zone is set for your country or the time will be wrong.
    ============================================
    Do you plan to keep Avira as the AV program?

    Before I give you script to run in Combofix, please run the following:

    Download Security Check by screen317 from HERE or HERE .
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    =================================
    If neither of the online virus scans will run even after checking/setting the time and date, please run the following:
    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents
      in your next reply.

    I note that it appears the system has Chinese and French entries in addition to English. There is a small possibility that it may be a language problem preventing the virus scans, but not likely.
     
  9. nihi

    nihi TS Rookie Topic Starter

    Hi there,

    I've checked the system date & time zone (GMT+1) was correct and then I used Eset scan again but failed for the same reason.

I do need to type French, Chinese & English, so I have to keep these language options on the PC. However, if I have to change the setting, I don't mind changing all system data to English.

    I'd like to keep Avira as the AV program. Here is the checkup.txt;

    ----------------------
    Results of screen317's Security Check version 0.99.9
    Windows Vista Service Pack 2 (UAC is enabled)
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    Avira AntiVir Personal - Free Antivirus
    ESET Online Scanner v3
    WMI entry may not exist for antivirus; attempting automatic update.
    Avira successfully updated!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 24
    Adobe Flash Player 10.2.152.26
    Adobe Reader 8.2.6
    Chinese Simplified Fonts Support For Adobe Reader 8
    Out of date Adobe Reader installed!
    Mozilla Firefox (3.6.13)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Avira Antivir avgnt.exe
    Avira Antivir avguard.exe
    ``````````End of Log````````````

    -----------------------------------------------------

    Then I ran the CKScanner. Here is the content:

    ---------------------------

    CKScanner - Additional Security Risks - These are not necessarily bad
    scanner sequence 3.RP.11
    ----- EOF -----


A million thanks again for your kind help~~~

    Nihi
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

I'm going to push once more for a date and time check. If you want to keep the military clock, be sure it is set correctly. And on the Internet Time tab, click on the Update Now button to force a check. The errors with both virus scans are classic errors of time or date.

    Try to run Avira again after you get the time check.

So far, so good. I'd like to get more security on the system. Avira is fine for AV. Windows Firewall only listens to incoming, not outgoing. So I'd recommend one of these for firewall:
    • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o]Zone Alarm
    • Antispyware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      [o]ZonedOut This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  [o]MVPS Hosts files This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
      [o]Google Toolbar Get the free google toolbar to help stop pop up windows.
• Update the Adobe Reader: Visit this Adobe Reader site. Uninstall the earlier version, as it has vulnerabilities.

I'll be back after dinner to go over the Combofix log.
     
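The clock check Bobbye asks for above can be done from a PowerShell prompt instead of the Date & Time dialog, and it also measures how far the clock is from an external time source, which the dialog never tells you. The script below is an added example and is not from the thread or from any of the tools mentioned in it. It assumes a Windows machine with w32tm.exe (shipped with Vista and later), outbound UDP port 123 reachable, time.windows.com as the reference server, and a 60-second tolerance; all three of those are assumptions you can change. Run it as the logged-in user; only the resync command it suggests at the end needs an elevated prompt.

```powershell
# Added example, not part of the original thread.
# Reports local time, time zone and the signed offset from an NTP server,
# the three things an "expired"/"not yet valid" error from an online scanner depends on.
# Assumptions: w32tm.exe present (Vista+), UDP/123 open, reference server reachable.

$ReferenceServer = 'time.windows.com'   # assumption: any reachable NTP server will do
$ToleranceSeconds = 60                  # assumption: certificate checks fail on minutes/hours, not ms

function Get-ClockReport {
    # What the Date & Time dialog shows, plus the UTC offset actually in effect now.
    $local = Get-Date
    $tz    = [System.TimeZoneInfo]::Local
    New-Object PSObject -Property @{
        LocalTime      = $local
        UtcTime        = $local.ToUniversalTime()
        TimeZoneId     = $tz.Id
        TimeZoneName   = $tz.DisplayName
        UtcOffsetHours = $tz.GetUtcOffset($local).TotalHours
        DaylightSaving = $tz.IsDaylightSavingTime($local)
    }
}

function Get-NtpOffsetSeconds {
    param([string]$Server = $ReferenceServer, [int]$Samples = 3)
    # w32tm /stripchart /dataonly prints one line per sample, e.g. "15:03:30, +00.0123456s".
    # Lines without an offset (banner, "error: 0x..." timeouts) are skipped.
    $lines = & w32tm.exe /stripchart /computer:$Server /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($line in $lines) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) {
        throw "No samples from $Server (UDP 123 blocked by the firewall, or no network?)"
    }
    ($offsets | Measure-Object -Average).Average
}

$report = Get-ClockReport
$report | Format-List LocalTime, UtcTime, TimeZoneId, TimeZoneName, UtcOffsetHours, DaylightSaving

$offset = Get-NtpOffsetSeconds
"Offset from {0}: {1:N3} s" -f $ReferenceServer, $offset

if ([math]::Abs($offset) -gt $ToleranceSeconds) {
    Write-Warning ("Clock is off by about {0} s. Fix the time zone above first, then resync" -f [int]$offset)
    Write-Warning "from an elevated prompt:  Start-Service W32Time; w32tm.exe /resync"
} else {
    "Clock within $ToleranceSeconds s of $ReferenceServer; if the scans still fail, system time is not the cause."
}
```

If the time zone line is wrong (for example a GMT+1 machine reporting a different Id), correct it in the Date & Time dialog before resyncing: resync only fixes the offset from UTC, and a wrong zone will put the local clock right back off by whole hours.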