TechSpot

PC crashes, only runs in safe mode

By bewsh
May 17, 2011
    Hi,
    I have a problem that is driving me nuts!

    PC networked to a Server running SBS/MS Exchange
    Server LAN is networked through a Sonicwall TZ170 firewall into a Netgear Rangemaster to the WAN

    PC is XP Pro SP2
    hardware is:
    MSI K9N Ultra board
    AMD dual-core 4200+ CPU
    2GB DDR2 RAM
    3x SATA HDDs
    C: running Win XP Pro SP2, single partition
    D: File Dump folders
    E: File Dump folders
    2x DVDRW
    Graphics - Asus ATI Radeon EAH3650, twin-screen setup.
    Built in a Coolermaster case with 550W PSU.

    AV: runs Symantec Enterprise, up to date, 24/7.

    Built about 3 years ago, it has run fine with the occasional issue (I got a horrible virus about two years ago but managed to clear it, and had a similar crashing thing which seemed to go away when I cleaned the inside of the case).

    About a week ago the PC crashed on me. Not a restart, just a crash, like a switch-off.
    I restarted and it seemed to work just fine.
    (no new hardware or software installed previously and no viruses flagged)

    It happened again about a day later.
    My first guess was too hot. It had been a while since I cleaned it.
    It has a front fan, a rear fan, a PSU fan and a CPU fan, with a mesh front case and a CPU vent on the side, but it was dusty and the CPU fan and cooler were caked in dust.

    All cleaned and dusted.
    Monitored the temps and they never got over 50 deg C.
    Cut-off in the BIOS is set for 55 deg.

    Crashing increased in frequency and occasionally the green power light stayed on even when the machine was off. I had to remove the power cord and press reset to clear it.
    Thought maybe the CPU had been cooked, so I took the heatsink off and checked the paste etc. Smells OK, no obvious issues (bubbles, cracks etc.).
    Put it back together, ran for a while, then crashing increased to the point where now it won't complete a normal boot; it crashes at the blue Win logo and recycles to startup again.
    Works fine in safe mode with and without networking. (I am on it now!!)
    Never had a BSOD, just a switch-off style crash or a reboot cycle from the splash screen.

    I pulled the C: drive and put it into an old HP chassis I have; it worked fine in normal mode. I tried my damnedest to crash it by opening multiple apps during final boot etc. etc., no problem: flicking from app to app, multiple Chrome tabs (which is when it started crashing).

    Refitted it to the Coolermaster case but pulled all the unused peripherals (optical and hard drives, all USB except mouse/KB).
    I tried to run Acronis to get an image of the C: but it kept forcing a crash.
    I pulled two drives out and ran them in the HP box again and managed to get an image copied from C: to D:.

    I switched the RAM for known-good RAM = crashed on restart, safe mode OK.

    I have tried to get a boot log but it only shows the safe mode log. Even tried a boot log on normal mode: let it crash and remove the ntbtlog.txt file from the C: drive with ERD Commander so safe mode can't overwrite it. It kept crashing ERD.
    Managed to do it with the C: in the HP chassis but it still shows a safe boot mode.

    C: drive has been scanned with chkdsk and a drive fitness test (a generic one, not the one for the Maxtor HDD); it returned a "Disposition Code 0x72" message but was otherwise clean.

    Have run Symantec full scan = clean.
    Ran Malwarebytes - two infections, cleaned and quarantined (full log below).

    Disabled all startup entries in MSConfig = crashed on restart.
    Disabled all (unwanted) services = crashed on restart.
    Uninstalled the graphics card = crashed on restart.
    Reinstalled the graphics card and updated the driver = crashed on restart.
    Updated chipset drivers = crashed on restart.

    Have attempted to copy a fresh BIOS driver flash onto a 3.5" floppy but my A: drive won't recognise the discs for some reason!

    I can't switch the graphics card out as I don't have a spare compatible one (sold it less than a month ago on eBay!!).

    I have a spare PSU but it is not from a SATA-enabled box, so I would need IDE/SATA power adapters to run all or any of the drives... I am not convinced it is the power source, though.

    I posted this in the BSOD forum but was advised to come here and do the 5-step malware scan.

    Any help would be great.
    Thanks

    *******************************************************************************************************

    Logs below.
    Malwarebytes:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6588

    Windows 5.1.2600 Service Pack 2 (Safe Mode)
    Internet Explorer 7.0.5730.13

    16/05/2011 13:54:12
    mbam-log-2011-05-16 (13-54-12).txt

    Scan type: Full scan (C:\|D:\|G:\|)
    Objects scanned: 348264
    Time elapsed: 31 minute(s), 29 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 20
    Files Infected: 323

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F5F14E7A-F59D-45A0-BDC5-A9F5454F0BCF} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB05BD70-4605-4829-93FC-AD80D8CC5B66} (Rogue.PerformanceCenter) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    c:\documents and settings\ed.ersg\application data\Zango (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\IESkins (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0 (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostOI (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostOI\dynamic (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostOI\static (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostOL (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostOL\dynamic (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostOL\static (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1 (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\DownLoad (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\dynamic (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\dynamic\tooltipxml (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\dynamic\ustat (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1 (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad (Adware.Zango) -> Quarantined and deleted successfully.

    Files Infected:
    c:\documents and settings\ed.ersg\start menu\advanced virus remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\config\systemprofile\start menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\030104_emte10_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\030104_emte11_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\030104_emte12_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\030104_emte13_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\030104_emte14_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\030104_emte19_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\030104_emte20_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\030104_emte21_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\030104_emte9_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\030203lib_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\033102angel_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\033102bigluf_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\033102bigsmile_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\033102birthday_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\033102cheers_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\033102flo_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\033102good_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\033102jump_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\033102king_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\033102lough_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\033102luf_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\033102smiled_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\033102smile_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\033102sor_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\033102thanx_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\033102uhu_1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\040103ahh_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\040103wow_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\040104_emi2_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\042102_1134_112_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\050103big_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\050103gig_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\050103hm_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\050103nomail_emoti_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\050103norm_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\060104_ema15_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\060104_ema16_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\060104_ema17_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\060104_ema18_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\060104_ema19_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\060104_ema20_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\060104_ema21_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\060104_ema24_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\060104_ema25_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\060104_ema26_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\060104_ema30_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\060104_ema33_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\060104_ema34_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\062802hippi_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\062802jumpie_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\080402argh_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\080402oops_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\080402ouch_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\082502no_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\082502yes_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\110103_boring1_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\110103_confused_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\110103_crying_ugly_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\110103_fantastic_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\110103_feel_better_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\110103_gimme_break_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\110103_heehee_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\110103_hlopaet_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\110103_ign_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\110103_lol_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\110103_no_comment_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\110103_peace_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\110103_smashing_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\110103_talk2thehand_prv.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\avatar.res (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\blocked.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\blocked2.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\block_sm.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\block_sm2.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\block_smli.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\block_smli2.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\btn_add-but.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\btn_back-but.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\btn_left_cut_enabled_1.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\btn_left_enabled_1.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\btn_left_pressed_1.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\btn_middle_enabled_1.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\btn_middle_pressed_1.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\btn_right_cut_enabled_1.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\btn_right_enabled_1.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\btn_right_pressed_1.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\business_promo.htm (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\buttondir.txt (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\components.cdf (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\css2_main.css (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\css2_pagingmodule.css (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\css2_topbuttons.css (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\css_cattree.css (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\css_flashpreview.css (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\cursors.res (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\delete.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\edit_clear_sound.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\edit_fs.htm (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\edit_select.gif (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-511724-543450.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-511724-548964.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-511724-589306.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-511724-591943.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-511724-592579.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-511724-598579.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-511724-603763.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-511724-9595.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-511724-9696.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-511745-514279.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-email-backgrounds.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-email-bcards.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-email-ecards.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-email-emoticons.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-email-estationery.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-email-funny.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-email-help.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-email-images.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-email-info.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-email-more.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-email-my.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-email-new.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-email-new2.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-email-options.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-email-people.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-email-photo.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-email-tell.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-email-temp.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-email-text.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def-email-voice.mnu (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-def.cdf (Adware.Zango) -> Quarantined and deleted successfully.
    c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\email-premium-email-premium.mnu (Adware.Zango) -> Quarantined and deleted successfully.
     
  2. bewsh


    continued logs:


    *******************************************************************************
    GMER log:
    The quick scan showed no data in the log, so I did a full scan just in case.

    I can post that log if it helps but was instructed not to.

    Attach.txt:

    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 03/11/2006 14:20:13
    System Uptime: 16/05/2011 20:14:40 (13 hours ago)
    .
    Motherboard: MSI | | MS-7250
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | CPU 1 | 2211/200mhz
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | CPU 2 | 2211/mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 149 GiB total, 102.745 GiB free.
    D: is FIXED (NTFS) - 298 GiB total, 15.596 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    G: is FIXED (NTFS) - 298 GiB total, 63.112 GiB free.
    H: is NetworkDisk (NTFS) - 119 GiB total, 32.889 GiB free.
    I: is NetworkDisk (NTFS) - 119 GiB total, 32.889 GiB free.
    Y: is NetworkDisk (NTFS) - 119 GiB total, 32.889 GiB free.
    Z: is NetworkDisk (NTFS) - 119 GiB total, 32.889 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
    Description: Logitech PS/2 Keyboard
    Device ID: ACPI\PNP0303\4&D6E1DD7&0
    Manufacturer: Logitech
    Name: Logitech PS/2 Keyboard
    PNP Device ID: ACPI\PNP0303\4&D6E1DD7&0
    Service: i8042prt
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    2600
    2600_Help
    2600Trb
    32 Bit HP CIO Components Installer
    AAC Decoder
    Ad-Aware
    Adobe Acrobat - Reader 6.0.2 Update
    Adobe Acrobat 6.0.1 Standard
    Adobe Acrobat and Reader 6.0.3 Update
    Adobe Acrobat and Reader 6.0.4 Update
    Adobe Acrobat and Reader 6.0.5 Update
    Adobe Acrobat and Reader 6.0.6 Update
    Adobe Atmosphere Player for Acrobat and Adobe Reader
    Adobe Download Manager
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Photoshop 7.0
    Adobe Shockwave Player 11.5
    AiO_Scan
    AiOSoftware
    Apple Mobile Device Support
    Apple Software Update
    Application Suite
    ASUS VGA Driver
    Athlon 64 Processor Driver
    ATI - Software Uninstall Utility
    ATI AVIVO Codecs
    ATI Catalyst Control Center
    ATI Display Driver
    ATI Parental Control & Encoder
    µTorrent
    AutoUpdate
    BadCopy Pro
    Bloomberg Excel Tools
    Bloomberg PFM Upload Tool for Microsoft Excel
    Bloomberg SFD Data Dictionary
    Bloomberg, V.06.08.09
    BufferChm
    CamView 2.0.6
    Cards_Calendar_OrderGift_DoMorePlugout
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Localization Chinese Standard
    Catalyst Control Center Localization Chinese Traditional
    Catalyst Control Center Localization Czech
    Catalyst Control Center Localization Danish
    Catalyst Control Center Localization Dutch
    Catalyst Control Center Localization Finnish
    Catalyst Control Center Localization French
    Catalyst Control Center Localization German
    Catalyst Control Center Localization Greek
    Catalyst Control Center Localization Hungarian
    Catalyst Control Center Localization Italian
    Catalyst Control Center Localization Japanese
    Catalyst Control Center Localization Korean
    Catalyst Control Center Localization Norwegian
    Catalyst Control Center Localization Polish
    Catalyst Control Center Localization Portuguese
    Catalyst Control Center Localization Russian
    Catalyst Control Center Localization Spanish
    Catalyst Control Center Localization Swedish
    Catalyst Control Center Localization Thai
    Catalyst Control Center Localization Turkish
    ccc-core-preinstall
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    Compatibility Pack for the 2007 Office system
    Copy
    CP_AtenaShokunin1Config
    cp_dwShrek2Albums1
    cp_dwShrek2Cards1
    CPUID CPU-Z 1.57.1
    CreativeProjects
    CreativeProjectsTemplates
    CueTour
    CustomerResearchQFolder
    Destinations
    Director
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Version Checker
    DivX Web Player
    DocProc
    DocProcQFolder
    DocumentViewer
    DVD Decrypter (Remove Only)
    EZDetach (remove only)
    Fax
    Flock (Photobucket Edition) 0.7
    Google Chrome
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    Google Updater
    H.264 Decoder
    High Definition Audio Driver Package - KB888111
    HijackThis 2.0.2
    Hotfix for Windows XP (KB909394)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    HP Extended Capabilities 4.7
    HP Image Zone 4.7
    HP Photosmart Essential 2.5
    HP PSC & OfficeJet 4.7
    HP Software Update
    HPPhotoSmartDiscLabel_PaperLabel
    HPPhotoSmartDiscLabel_PrintOnDisc
    HPPhotoSmartDiscLabelContent1
    hpphotosmartdisclabelplugin
    HPPhotoSmartPhotobookWebPack1
    HPProductAssistant
    HPSSupply
    HPSystemDiagnostics
    InstantShare
    iTunes
    J2SE Runtime Environment 5.0 Update 7
    J2SE Runtime Environment 5.0 Update 9
    Java Auto Updater
    Java(TM) 6 Update 24
    Joost (tm) 0.11.0
    LinkedIn Outlook Connector
    LiveUpdate 3.2 (Symantec Corporation)
    Logitech SetPoint
    Malwarebytes' Anti-Malware
    MarketResearch
    MGI VideoWave III (Remove Only)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0
    Microsoft .NET Framework 3.0
    Microsoft ActiveSync
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.5
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works 6-9 Converter
    MKV Splitter
    MobileMe Control Panel
    MotionDV STUDIO 5.3E LE for DV
    Mozilla Firefox (3.6.16)
    MSVC80_x86_v2
    MSXML 6.0 Parser
    MUSICMATCH® Jukebox
    MVCpromo
    Nero 7 Premium
    Nokia Connectivity Cable Driver
    NVIDIA Drivers
    NVIDIA WDM Drivers
    OCR Software by I.R.I.S. 10.0
    Origin Internet Update Utility V1.33
    PanoStandAlone
    PC Connectivity Solution
    PC Inspector File Recovery
    PhotoGallery
    play2p
    ProductContext
    PSSWCORE
    QuickTime
    Reader Rabbit Year 1 Capers on Cloud Nine!(TM)
    Readme
    Realtek High Definition Audio Driver
    Safari
    Scan
    ScannerCopy
    Shop for HP Supplies
    SiSoftware Sandra Lite 2011.SP2
    Skins
    SkinsHP1
    Skype Toolbars
    Skype™ 4.2
    SmartWebPrintingOC
    SpeedFan (remove only)
    Spy Sweeper
    SpywareBlaster 4.0
    Symantec Client Security
    TasksPlus
    TrayApp
    Unity Web Player
    Unload
    Update for Windows XP (KB898461)
    VC80CRTRedist - 8.0.50727.762
    Video Stream Driver for Panasonic DVC
    VideoToolkit01
    VLC media player 0.9.9
    WebFldrs XP
    WebReg
    Windows Communication Foundation
    Windows Driver Package - AMD System (04/06/2006 1.0.1.0)
    Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Presentation Foundation
    Windows Workflow Foundation
    WinRAR archiver
    XML Paper Specification Shared Components Pack 1.0
    Yahoo! Install Manager
    Yahoo! Messenger
    Zero Assumption Recovery Version 8.4
    .
    ==== Event Viewer Messages From Past Week ========
    .
    16/05/2011 16:51:45, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
    16/05/2011 12:52:53, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    16/05/2011 12:48:40, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service ntmssvc with arguments "-Service" in order to run the server: {D61A27C6-8F53-11D0-BFA0-00A024151983}
    13/05/2011 14:07:24, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    13/05/2011 14:06:05, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    12/05/2011 16:21:44, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    12/05/2011 15:32:16, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 eeCtrl Fips i8042prt SAVRT SAVRTPEL SPBBCDrv SYMTDI
    12/05/2011 15:32:11, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    12/05/2011 15:25:36, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 eeCtrl Fips i8042prt IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SAVRT SAVRTPEL SPBBCDrv SYMTDI Tcpip
    12/05/2011 15:25:36, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    12/05/2011 15:25:36, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    12/05/2011 15:25:36, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    12/05/2011 15:25:36, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    12/05/2011 15:25:36, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    12/05/2011 11:51:35, error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    12/05/2011 11:51:08, error: NETLOGON [5719] - No Domain Controller is available for domain ERSG due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
    12/05/2011 10:18:16, error: Service Control Manager [7031] - The Symantec AntiVirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
    12/05/2011 10:07:54, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/05/2011 17:55:13, error: Service Control Manager [7023] - The hpqcxs08 service terminated with the following error: The system cannot find the file specified.
    11/05/2011 17:55:13, error: Service Control Manager [7023] - The HP CUE DeviceDiscovery Service service terminated with the following error: The system cannot find the file specified.
    11/05/2011 17:55:13, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The system cannot find the file specified.
    11/05/2011 17:55:13, error: Service Control Manager [7000] - The nVidia WDM Video Capture (universal) service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    11/05/2011 17:55:13, error: Service Control Manager [7000] - The nVidia WDM A/V Crossbar service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    11/05/2011 13:56:26, error: NetBT [4321] - The name "ERSG :1d" could not be registered on the Interface with IP address 172.16.100.66. The machine with the IP address 172.16.100.10 did not allow the name to be claimed by this machine.
    10/05/2011 23:21:49, error: MRxSmb [8003] - The master browser has received a server announcement from the computer ERSGSERVER01 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{6847CC8F-177B-4. The master browser is stopping or an election is being forced.
    10/05/2011 11:42:33, error: Service Control Manager [7034] - The WebClient service terminated unexpectedly. It has done this 1 time(s).
    10/05/2011 11:42:33, error: Service Control Manager [7034] - The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s).
    10/05/2011 11:42:33, error: Service Control Manager [7031] - The Remote Registry service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
    .
    ==== End Of File ===========================


    DDT.txt:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 03/11/2006 14:20:13
    System Uptime: 16/05/2011 20:14:40 (13 hours ago)
    .
    Motherboard: MSI | | MS-7250
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | CPU 1 | 2211/200mhz
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | CPU 2 | 2211/mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 149 GiB total, 102.745 GiB free.
    D: is FIXED (NTFS) - 298 GiB total, 15.596 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    G: is FIXED (NTFS) - 298 GiB total, 63.112 GiB free.
    H: is NetworkDisk (NTFS) - 119 GiB total, 32.889 GiB free.
    I: is NetworkDisk (NTFS) - 119 GiB total, 32.889 GiB free.
    Y: is NetworkDisk (NTFS) - 119 GiB total, 32.889 GiB free.
    Z: is NetworkDisk (NTFS) - 119 GiB total, 32.889 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
    Description: Logitech PS/2 Keyboard
    Device ID: ACPI\PNP0303\4&D6E1DD7&0
    Manufacturer: Logitech
    Name: Logitech PS/2 Keyboard
    PNP Device ID: ACPI\PNP0303\4&D6E1DD7&0
    Service: i8042prt
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    ==== End Of File ===========================
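The "Event Viewer Messages" section of the Attach.txt above is the part of these logs a triager actually reads, and it is easier to read once it is parsed. The following is an added example, not code from the thread, from DDS or from ComboFix: a small Python parser for the line shape DDS emits (`DD/MM/YYYY HH:MM:SS, level: Source [EventID] - message`) that tallies events per source and ID, pulls the driver names out of Service Control Manager 7026 events, links the 7001 "depends on" failures, and decodes the Win32 error codes that DCOM 10005 events quote as `"%NNNN"` (1058 and 1084 are taken from winerror.h). The `INTERESTING_DRIVERS` watch list is my own assumption about what is worth a second look on this box (the TCP/IP stack plus the Symantec kernel components); `SAMPLE_LINES` are six lines copied from the report above so the script runs offline.

```python
"""Triage helper for the "Event Viewer Messages" section of a DDS Attach.txt.

Added example: not code from the thread, from DDS, or from ComboFix.  It parses
the line shape DDS emits (DD/MM/YYYY HH:MM:SS, level: Source [EventID] - message),
tallies events per source/ID, pulls driver names out of Service Control Manager
7026 events, links SCM 7001 dependency failures, and decodes the Win32 error
codes that DCOM 10005 events quote as "%NNNN".
"""
import re
from collections import Counter

# Constructed sample: six lines copied verbatim from the report in the thread.
SAMPLE_LINES = """\
16/05/2011 16:51:45, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
13/05/2011 14:07:24, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/05/2011 15:32:16, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 eeCtrl Fips i8042prt SAVRT SAVRTPEL SPBBCDrv SYMTDI
12/05/2011 15:25:36, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 eeCtrl Fips i8042prt IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SAVRT SAVRTPEL SPBBCDrv SYMTDI Tcpip
12/05/2011 15:25:36, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/05/2011 10:18:16, error: Service Control Manager [7031] - The Symantec AntiVirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
"""

# One DDS event line: timestamp, level, source, [event id], message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)

# Win32 error codes (winerror.h) that DCOM 10005 quotes as "%NNNN".
WIN32_ERRORS = {
    1058: "ERROR_SERVICE_DISABLED: the service is disabled",
    1084: "ERROR_NOT_SAFEBOOT_SERVICE: the service cannot be started in Safe Mode",
}

# Assumption: our own watch list of drivers worth a second look when they fail
# at boot: the TCP/IP stack plus the Symantec AV/firewall kernel components.
INTERESTING_DRIVERS = {
    "AFD", "Tcpip", "NetBT", "IPSec", "MRxSmb",           # network stack
    "SAVRT", "SAVRTPEL", "SPBBCDrv", "SYMTDI", "eeCtrl",  # Symantec AV/firewall
}


def parse_events(text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["event_id"] = int(d["event_id"])
            events.append(d)
    return events


def failed_boot_drivers(events):
    """Driver names from every SCM 7026 message, de-duplicated, in first-seen order."""
    seen = []
    for e in events:
        if e["source"] == "Service Control Manager" and e["event_id"] == 7026:
            _, _, tail = e["msg"].partition("failed to load:")
            for name in tail.split():
                if name not in seen:
                    seen.append(name)
    return seen


def dependency_failures(events):
    """(dependent service, dependency that failed) pairs from SCM 7001 messages."""
    pairs = []
    for e in events:
        if e["source"] == "Service Control Manager" and e["event_id"] == 7001:
            m = re.match(r"The (.+?) service depends on the (.+?) service which failed", e["msg"])
            if m:
                pairs.append((m.group(1), m.group(2)))
    return pairs


def dcom_error_codes(events):
    """Counter of the numeric Win32 codes quoted in DCOM 10005 messages."""
    codes = Counter()
    for e in events:
        if e["source"] == "DCOM" and e["event_id"] == 10005:
            m = re.search(r'"%(\d+)"', e["msg"])
            if m:
                codes[int(m.group(1))] += 1
    return codes


def triage(text):
    """Summarise one Event Viewer section into the things a triager looks at first."""
    events = parse_events(text)
    drivers = failed_boot_drivers(events)
    return {
        "count_by_source_id": Counter((e["source"], e["event_id"]) for e in events),
        "failed_drivers": drivers,
        "interesting_failed": sorted(d for d in drivers if d in INTERESTING_DRIVERS),
        "dependency_failures": dependency_failures(events),
        "dcom_errors": {code: (n, WIN32_ERRORS.get(code, "unknown code"))
                        for code, n in dcom_error_codes(events).items()},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Two things the decoded output makes obvious that the raw dump does not. First, `%1084` is ERROR_NOT_SAFEBOOT_SERVICE, so every DCOM 10005 line carrying it was logged while the machine was already in Safe Mode and is a consequence of the boot problem, not a lead. Second, the 7026 list of 12/05 15:25 names the whole TCP/IP stack together with every Symantec driver, which is the pattern you would expect from a boot where those drivers are simply not permitted to load (plain Safe Mode), so read it as evidence of how the box was booted rather than as a finger pointed at one driver; the dependency pairs (DNS Client, DHCP Client and so on all hanging off Tcpip/AFD) say the same thing.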
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I think you may have confused the issue with some of the things you did to try and fix the problem! You have numerous rogue malware programs. So any 'alerts' you got most likely weren't actual problems.

    1) Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    ============================================
    2) Show Hidden Files and Folders in Windows Vista and Windows 7:
    • Click on the Start button and select Computer
    • Press the Alt key on your keyboard and click on Tools
    • Select Folder Options
    • Click the View tab and make sure that Show hidden files and folders is selected under Hidden files and folders
    • Next, uncheck the box next to Hide protected operating system files (Recommended)
    • Then, uncheck the box next to Hide extensions for known filetypes
    • Click Apply then click OK

    3) Go into Windows Explorer> Windows key + E> Find the Documents & Settings for user ed.ersg> Click on the + sign to the left of Applications Data> Do a right click> Delete on everything for Zango> Exit WE and rehide the files and folders (this is important)

    4) See if you can boot into Normal Mode. If you cannot, please download Combofix to a flash drive, connect the flash drive and run Combofix on the problem computer, in Safe Mode.

    5) Download Combofix from HERE or HERE and save to the desktop

    • ===========Start here to connect the flash drive and run Combofix=================
    • Connect the flash drive and run Combofix in Safe Mode.
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      ===========Omit the Recovery Console Query if from Flash Drive===============
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =============================================
    Do a search on the computer for Zango and uninstall if it shows up on Add/Remove Programs as a program. Do a right click> Delete on all other entries.

    Let me know how this goes.
     
  4. bewsh

    bewsh TS Rookie Topic Starter Posts: 21

    Hi thanks for the reply.
    I was directed here by someone on the BSOD/Crashing forum who suggested that it was probably malware related.
    I was fairly confident that it was hardware related as the OS runs normally on a different MB/CPU

    It was a lengthy first post so I appreciate you may not have read it all but:

    1) Boot into Safe Mode
    I can only boot in safe mode, no other option

    2) Show Hidden Files and Folders in Windows Vista and Windows 7:

    It's an XP Pro SP2 OS

    3) Go into Windows Explorer> Windows key + E> Find the Documents & Settings for user ed.ersg> Click on the + sign to the left of Applications Data> Do a right click> Delete on everything for Zango> Exit WE and rehide the files and folders (this is important)
    Zango and everything associated with it has already been deleted by the malwarebytes run

    4) See if you can boot into Normal Mode. If you cannot, please download Combofix to a flash drive, connect the flash drive and run Combofix on the problem computer, in Safe Mode.

    Is Combofix the next step? It is already downloaded on the desktop and ready to go from the last time I needed it!
    Is there something in the logs that stands out?

    thanks
     
  5. bewsh

    bewsh TS Rookie Topic Starter Posts: 21

    OK I followed instructions.
    Combofix crashed the PC the first time I ran it but it was fine the 2nd time.

    log below:

    ComboFix 11-05-17.01 - ed 18/05/2011 10:28:34.3.2 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2047.1648 [GMT 1:00]
    Running from: \\ERSGServer01\Users\Ed\Downloads\ComboFix.exe
    AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: Symantec Client Firewall *Enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\GoToAssistDownloadHelper.exe
    c:\documents and settings\Administrator\WINDOWS
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-18 to 2011-05-18 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-16 16:40 . 2011-05-16 16:40 -------- d-----w- C:\test
    2011-05-16 16:33 . 2006-08-14 11:09 1428 ----a-w- c:\windows\system32\drivers\nvphy.bin
    2011-05-16 16:31 . 2011-05-16 16:31 -------- d-----w- c:\program files\AMD
    2011-05-16 16:22 . 2011-05-16 16:34 -------- d-----w- c:\windows\LastGood.Tmp
    2011-05-16 16:22 . 2010-11-03 17:15 359016 ----a-w- c:\windows\vncutil.exe
    2011-05-16 16:22 . 2010-11-03 17:15 1833576 ----a-w- c:\windows\SkyTel.exe
    2011-05-16 16:22 . 2011-04-15 14:48 56936 ----a-w- c:\windows\system32\RtkCoInstXP.dll
    2011-05-16 16:22 . 2010-11-03 17:14 129640 ----a-w- c:\windows\RtkAudioService.exe
    2011-05-16 16:22 . 2009-11-18 06:17 1395800 ----a-w- c:\windows\system32\drivers\Monfilt.sys
    2011-05-16 16:22 . 2009-11-18 06:16 1691480 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
    2011-05-16 16:18 . 2006-02-07 14:45 757760 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
    2011-05-16 16:18 . 2006-02-07 14:40 204800 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
    2011-05-16 16:18 . 2006-02-07 14:40 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
    2011-05-16 16:18 . 2006-02-07 14:40 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
    2011-05-16 16:18 . 2005-11-13 22:19 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe
    2011-05-16 16:18 . 2011-05-16 16:18 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
    2011-05-16 16:18 . 2011-05-16 16:18 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
    2011-05-16 15:51 . 2011-05-16 15:51 -------- d-----w- c:\program files\CPUID
    2011-05-16 15:51 . 2010-11-09 14:35 21992 ----a-w- c:\windows\system32\drivers\cpuz135_x32.sys
    2011-05-16 12:20 . 2011-05-16 12:20 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\Malwarebytes
    2011-05-16 12:20 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-16 12:20 . 2011-05-16 12:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-05-16 12:20 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-16 12:20 . 2011-05-16 12:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-16 12:08 . 2011-05-16 12:08 -------- d-----w- c:\windows\ServicePackFiles
    2011-05-16 12:08 . 2004-07-17 10:40 19528 ----a-w- c:\windows\000001_.tmp
    2011-05-16 11:59 . 2011-05-16 11:59 -------- d-----w- c:\program files\ATI
    2011-05-12 14:40 . 2011-05-12 14:40 -------- d-----w- c:\program files\SiSoftware
    2011-05-12 10:54 . 2011-02-16 16:58 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\Intel
    2011-05-12 10:54 . 2009-02-19 22:06 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\AVG7
    2011-05-12 10:54 . 2011-02-16 16:59 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\Protector Suite
    2011-05-12 10:54 . 2011-02-16 16:59 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\Sony Corporation
    2011-05-12 10:54 . 2010-11-08 16:26 -------- d-sh--w- c:\documents and settings\ed.ERSG\PrivacIE
    2011-05-12 10:54 . 2010-11-08 15:56 -------- d-sh--w- c:\documents and settings\ed.ERSG\IETldCache
    2011-05-12 10:52 . 2004-08-03 21:31 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
    2011-05-12 10:52 . 2004-08-03 21:31 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-19 17:19 . 2006-11-04 21:14 6394472 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
    2011-04-14 12:36 . 2006-11-04 21:14 20053608 ----a-w- c:\windows\RTHDCPL.EXE
    2011-02-25 18:37 . 2006-11-04 21:13 1284712 ------r- c:\windows\RtlExUpd.dll
    2010-02-12 14:40 . 2010-02-12 14:39 18499623 ----a-w- c:\program files\vlc-1.0.5-win32.exe
    2009-04-07 09:36 . 2009-04-07 09:36 16742799 ----a-w- c:\program files\vlc-0.9.9-win32.exe
    2009-03-24 12:21 . 2009-03-24 12:21 23596840 ----a-w- c:\program files\SkypeSetupFull.exe
    2008-12-17 20:06 . 2008-12-17 20:06 26453613 ----a-w- c:\program files\AllToAVI_v4_r5394_Setup.exe
    2008-07-17 10:27 . 2008-07-17 10:27 23510720 -c--a-w- c:\program files\dotnetfx.exe
    2008-07-17 09:27 . 2008-07-17 09:27 12573347 -c--a-w- c:\program files\helium2008.exe
    2008-06-09 12:47 . 2008-06-09 12:47 59782440 -c--a-w- c:\program files\iTunesSetup.exe
    2008-03-31 12:36 . 2008-03-31 12:36 2671816 -c--a-w- c:\program files\spywareblastersetup40.exe
    2007-11-06 17:34 . 2007-11-06 17:34 128376 -c--a-w- c:\program files\Download_zonetick_3_5_trial_regnow.exe
    2007-11-05 11:23 . 2007-11-05 11:23 2748954 -c----w- c:\program files\ST330_Update.exe
    2007-09-18 14:03 . 2007-09-18 14:03 5819504 -c--a-w- c:\program files\Firefox Setup 2.0.0.6.exe
    2007-07-10 13:54 . 2007-07-10 13:53 119309242 -c--a-w- c:\program files\trvte0608.exe
    2006-12-19 16:40 . 2006-12-19 16:40 105930 -c--a-w- c:\program files\setup_ezdetach_4.0.full.exe
    2006-12-08 16:19 . 2006-12-08 16:18 239968 -c--a-w- c:\program files\setup_ezdetach.eval.exe
    2006-11-20 20:35 . 2006-11-20 20:29 9424808 -c--a-w- c:\program files\Flock_Setup_0_7_8__photobucket.exe
    2006-11-20 20:24 . 2006-11-20 20:24 19666504 -c--a-w- c:\program files\QuickTimeInstaller.exe
    2006-09-08 09:38 . 2006-11-06 16:39 1828505 -c--a-w- c:\program files\cdtomp3.exe
    2006-03-13 17:06 . 2006-11-06 16:39 1183264 -c--a-w- c:\program files\CpWzPr.exe
    2005-07-09 11:18 . 2006-11-06 16:39 4364992 -c--a-w- c:\program files\MediaMonkey.exe
    2005-06-13 17:33 . 2006-11-06 16:39 325354 -c--a-w- c:\program files\ffdshow-20020617.exe
    2005-06-04 10:39 . 2006-11-06 16:39 5772 -c--a-w- c:\program files\sharedaccess.reg
    2005-03-25 01:07 . 2006-11-06 16:39 1413120 -c--a-w- c:\program files\WinsockXPFix.exe
    2005-03-17 11:30 . 2006-11-06 16:39 527204 -c--a-w- c:\program files\AVIcodec_1.2_b107.exe
    2002-08-13 19:42 . 2006-11-06 16:39 186368 -c--a-w- c:\program files\LSPFix.exe
    2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2011-04-14 20053608]
    "SoundMan"="SOUNDMAN.EXE" [2010-11-03 84584]
    "AlcWzrd"="ALCWZRD.EXE" [2010-11-03 2815592]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "DisablePersonalDirChange"= 1 (0x1)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-05-17 49152]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
    backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^ed.ERSG^Start Menu^Programs^Startup^scandisk.lnk]
    path=c:\documents and settings\ed.ERSG\Start Menu\Programs\Startup\scandisk.lnk
    backup=c:\windows\pss\scandisk.lnkStartup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    2007-05-29 15:33 52840 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2004-08-04 12:00 15360 ------w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
    2006-11-13 13:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
    2005-03-10 12:01 28160 ----a-w- c:\windows\KHALMNPR.Exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
    2010-12-20 17:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2006-06-01 09:22 7618560 ----a-w- c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2006-06-01 09:22 86016 ----a-w- c:\windows\system32\nvmctray.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
    2004-02-25 11:53 665088 ----a-w- c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    2007-10-07 19:48 125368 ----a-w- c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Bonjour Service"=2 (0x2)
    "Avg7UpdSvc"=2 (0x2)
    "Avg7Alrt"=2 (0x2)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
    "c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
    "c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
    "c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    .
    S0 okajhrk;okajhrk;c:\windows\system32\drivers\jrliy.sys --> c:\windows\system32\drivers\jrliy.sys [?]
    S2 gupdate1c9a641f9fedc48;Google Update Service (gupdate1c9a641f9fedc48);c:\program files\Google\Update\GoogleUpdate.exe [16/03/2009 15:17 133104]
    S2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [07/10/2007 20:48 116664]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [16/05/2011 17:22 1691480]
    S3 AtiDCM;AtiDCM;\??\c:\documents and settings\ed.ERSG\Local Settings\Temp\atidcmxx.sys --> c:\documents and settings\ed.ERSG\Local Settings\Temp\atidcmxx.sys [?]
    S3 EraserUtilDrv11110;EraserUtilDrv11110;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11110.sys [16/05/2011 09:29 105592]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [29/05/2010 13:43 102448]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [16/03/2009 15:17 133104]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [05/06/2010 09:16 136704]
    S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [05/06/2010 09:16 8320]
    S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys --> c:\windows\system32\DRIVERS\rcvpn.sys [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-05 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]
    .
    2011-05-16 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-29 23:27]
    .
    2011-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-16 14:17]
    .
    2011-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-16 14:17]
    .
    2011-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3641825963-764552273-372206336-1140Core.job
    - c:\documents and settings\ed.ERSG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-11 14:44]
    .
    2011-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3641825963-764552273-372206336-1140UA.job
    - c:\documents and settings\ed.ERSG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-11 14:44]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/ig?hl=en&source=iglk
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.google.co.uk
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
    DPF: {C6A03519-BA6F-438E-AF3A-878F11521CA5} - hxxp://172.16.100.20/jpgview.cab
    FF - ProfilePath - c:\documents and settings\ed.ERSG\Application Data\Mozilla\Firefox\Profiles\93b4r1jc.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: XULRunner: {7763B99D-F43B-4CC0-8DD3-B3B957D440B3} - c:\documents and settings\ed.ERSG\Local Settings\Application Data\{7763B99D-F43B-4CC0-8DD3-B3B957D440B3}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-Logitech Utility - Logi_MwX.Exe
    AddRemove-Adobe Photoshop 7.0 - c:\program files\Adobe\Photoshop 7.0\Uninst.isu
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-18 10:33
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(828)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2011-05-18 10:34:41
    ComboFix-quarantined-files.txt 2011-05-18 09:34
    ComboFix2.txt 2009-10-20 20:28
    ComboFix3.txt 2009-10-20 13:01
    .
    Pre-Run: 110,883,008,512 bytes free
    Post-Run: 111,333,093,376 bytes free
    .
    - - End Of File - - DF4F86F03D9DADD1F84E563CB9EA90AD
     
  6. bewsh

    bewsh TS Rookie Topic Starter Posts: 21

    just tried to boot in normal mode and it is the same as before, cycles to restart on the winlogo screen.

    runs in safe mode with networking as before....

    any ideas?
     
  7. bewsh

    bewsh TS Rookie Topic Starter Posts: 21

    is there anything I can try?
    I am really loath to wipe the disc and reinstall Windows, especially if it might be a hardware issue

    tried to run a video card health check but it also crashed the machine.
    I have read that the graphics card drivers can cause this but am hoping to remove malware from the equation first

    thanks for your help
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You may have some malware, but that's not the main problem. Your system is in terrible shape! You have setup files for programs downloaded as long as 5 years ago. Ideally, once a program is installed, the setup file is removed. If it isn't, when regular maintenance is done, they will be removed. So either you never ran the programs or the setups didn't clean up.

    Examples of old setups: The numerical sequence before the file name is the size of the file. Don't try deleting these now!
    You have 6 outdated versions of the Adobe Reader without the current version and at least 2 outdated versions of Java, no current version.

    I can help you clean the system up, but it comes with conditions:
    1. You will have to have patience. It is going to take time- yours and mine and I will be helping others with malware.
    2. You must run only what I instruct you to and nothing else. No new installs or updates, no uninstalls unless I direct you to do so.
    3. You need to follow the order I give you- it's for a reason and what follows will depend on what was done previously.
    4. If you have any file sharing programs, uninstall them.
    5. Disable Spysweeper. It's best if it's not 'sweeping' in the background.
    6. Do not use any Registry Cleaner- this would include running CCleaner if you have it. Once we begin working from the logs, I don't want you doing anything that will change them unless I tell you to do so.

    The alternative, as I see it, is to do a complete reformat and reinstall. But if a hardware problem exists, even that might not work. Right now, the system is overburdened with processes loading and running. In my opinion, unless we remove these processes, the system will continue to crash and will reach the point that it won't reboot at all.

    If you have a flash drive- it should be disinfected first- I'd rather you use that to download rather than use the Safe Mode with Networking. Security programs don't start in that mode.

    Questions and Comments:
    1. Do you have to use the Symantec pcAnywhere for work access? If not, I'd like to stop it.
    2. Did you know you are still loading AVG from the Registry?
    3. Do you realize that these 2 programs run several years ago were still on the system?
    2006-11-06 16:39 1413120 -c--a-w- c:\program files\WinsockXPFix.exe
    2002-08-13 19:42 . 2006-11-06 16:39 186368 - c:\program files\LSPFix.exe

    From your description, it would appear that you may have hardware issues. I don't handle that. The system can be cleaned up and you can determine how you are at that point.

    If you don't want to try and see this through, tell me now so I don't waste the time and can give it to help others.

    Let me know.
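Added note, not part of the thread: the ComboFix log posted above is the evidence Bobbye is reading (a boot-start driver with a random name and no file on disk, a driver image under a Temp directory, a firewall exception for 3389/TCP with no subnet scope). The script below is an added example written for this page, not ComboFix's own code and not either poster's; it parses the services and firewall lines copied from that log and scores them with simple heuristics. The remote-administration port table, the vowel-ratio name check and the scoring thresholds are assumptions of the example, not ComboFix conventions.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "item severity reasons")

# Sample input: service and firewall lines copied from the ComboFix log
# posted above (log format: "<R|S><start type> name;display;path [meta]").
SERVICE_LINES = r"""
S0 okajhrk;okajhrk;c:\windows\system32\drivers\jrliy.sys --> c:\windows\system32\drivers\jrliy.sys [?]
S2 gupdate1c9a641f9fedc48;Google Update Service (gupdate1c9a641f9fedc48);c:\program files\Google\Update\GoogleUpdate.exe [16/03/2009 15:17 133104]
S3 AtiDCM;AtiDCM;\??\c:\documents and settings\ed.ERSG\Local Settings\Temp\atidcmxx.sys --> c:\documents and settings\ed.ERSG\Local Settings\Temp\atidcmxx.sys [?]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys --> c:\windows\system32\DRIVERS\rcvpn.sys [?]
"""

PORT_LINES = r"""
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"""

SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.*)\s+\[(.*)\]$")
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*(.*)$')
SUBNET_RE = re.compile(r"\d+\.\d+\.\d+\.\d+/\d+\.\d+\.\d+\.\d+")
TEMP_RE = re.compile(r"\\temp\\", re.I)
# Assumption of this example: ports that hand over interactive control of the
# box when reachable from any address.
REMOTE_ADMIN_PORTS = {3389: "RDP", 5631: "pcAnywhere", 5900: "VNC"}


def looks_random(name):
    """Crude check for names such as 'okajhrk': all letters, few vowels."""
    s = name.lower()
    if not s.isalpha() or len(s) < 5:
        return False
    return sum(c in "aeiouy" for c in s) / len(s) < 0.3


def severity(score):
    return "high" if score >= 4 else "medium" if score >= 2 else "low"


def triage_services(text):
    """Score each service/driver line; an empty score means nothing to report."""
    findings = []
    for line in text.strip().splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        _state, start, name, display, path, meta = m.groups()
        missing = meta.strip() == "?"  # ComboFix prints "[?]" when the file is absent
        checks = [
            (missing, "image file missing on disk", 1),
            (start == "0" and missing, "boot-start driver whose file is gone", 2),
            (looks_random(name), "random-looking service name", 1),
            (display.strip() == name.strip(), "no distinct display name", 1),
            (bool(TEMP_RE.search(path)), "driver image under a Temp directory", 1),
        ]
        reasons = [r for hit, r, _ in checks if hit]
        score = sum(w for hit, _, w in checks if hit)
        if score:
            findings.append(Finding(name, severity(score), reasons))
    return findings


def triage_open_ports(text):
    """Flag GloballyOpenPorts entries with no subnet scope or on an admin port."""
    findings = []
    for line in text.strip().splitlines():
        m = PORT_RE.match(line.strip())
        if not m:
            continue
        port, proto, rest = int(m.group(1)), m.group(2), m.group(3)
        reasons = []
        if not SUBNET_RE.search(rest):
            reasons.append("exception not limited to a subnet")
        if port in REMOTE_ADMIN_PORTS:
            reasons.append("remote-administration port (%s)" % REMOTE_ADMIN_PORTS[port])
        if reasons:
            findings.append(Finding("%d/%s" % (port, proto), severity(2 * len(reasons)), reasons))
    return findings


if __name__ == "__main__":
    for f in triage_services(SERVICE_LINES) + triage_open_ports(PORT_LINES):
        print("%-6s %s: %s" % (f.severity, f.item, "; ".join(f.reasons)))
```

The name heuristic is deliberately noisy: rcvpn (the SonicWALL VPN adapter) lands at medium only because its file is also missing, while okajhrk reaches high because it is boot-start, fileless and nameless at once. A person still makes the call; the script only orders the list.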
     
  9. bewsh

    bewsh TS Rookie Topic Starter Posts: 21

    I am definitely up for that.
    I know it has been running slowly but in answer to your questions:
    1) No, don't use pcAnywhere anymore, wasn't aware it was still running
    2) No I didn't, I had removed it from the start up list and thought it was uninstalled
    3) No I didn't,

    how do I go about cleaning these out then.
    I have a clean zip drive. Do you mean to download apps/files and run them from this zip rather than the HDD?

    Thanks for your help
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Are you sure that flash drive is clean? I found a Worm on the system that usually comes through a removable drive. About the downloading: When you use Safe Mode with Networking, the security programs don't run so I'm trying to minimize the system exposure. If you download to the flash drive, then run on the problem computer, that is a safer way to do it:

    Here is the first step. It would be wise to print this out because ultimately, you will need to check the setup .exe file for the program. If you installed it and don't use it, I'll have you uninstall it and delete the program file. If you never installed from the setup, then there won't be a program to uninstall and the setup will be removed:

    The following can be run in Safe Mode. You already have Combofix on the system. Please don't do anything except for this one step. I'll review the log it generates:
    ===============================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\program files\SkypeSetupFull.exe
    c:\program files\AllToAVI_v4_r5394_Setup.exe
    c:\program files\iTunesSetup.exe
    c:\program files\spywareblastersetup40.exe
    c:\program files\Download_zonetick_3_5_trial_regnow.exe
    c:\program files\Firefox Setup 2.0.0.6.exe
    c:\program files\setup_ezdetach_4.0.full.exe
    c:\program files\setup_ezdetach.eval.exe
    c:\program files\Flock_Setup_0_7_8__photobucket.exe
    c:\program files\vlc-0.9.9-win32.exe
    c:\windows\system32\dllcache\rtl8139.sys
    c:\windows\000001_.tmp
    c:\program files\WinsockXPFix.exe
    c:\program files\LSPFix.exe
    c:\program files\cdtomp3.exe
    c:\program files\CpWzPr.exe
    c:\program files\MediaMonkey.exe
    c:\program files\ffdshow-20020617.exe
    c:\program files\sharedaccess.reg
    C:\Program Files\Grisoft\AVG 7\AVG7_CC.exe
    c:\windows\system32\drivers\jrliy.sys
    c:\windows\system32\DRIVERS\rcvpn.sys 
    Folder::
    c:\documents and settings\ed.ERSG\Application Data\AVG7
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Avg7UpdSvc"=-
    "Avg7Alrt"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=-
    "c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=-
    "c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=-
    
    Driver::
    okajhrk 
    rcvpn
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Go to Add/Remove Programs and uninstall all of the following, if found:
    Adobe Acrobat - Reader 6.0.2 Update
    Adobe Acrobat 6.0.1 Standard
    Adobe Acrobat and Reader 6.0.3 Update
    Adobe Acrobat and Reader 6.0.4 Update
    Adobe Acrobat and Reader 6.0.5 Update
    Adobe Acrobat and Reader 6.0.6 Update
    J2SE Runtime Environment 5.0 Update 7
    J2SE Runtime Environment 5.0 Update 9

    I'll have you update the above programs later.
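Added check, not part of the thread or of ComboFix: the FILE :: section of the log in the post below shows several File:: entries collapsed onto one line (the AllToAVI, iTunes, SpywareBlaster and zonetick setups share a line, as do the Firefox, ezdetach and Flock setups), and none of those files appears under Other Deletions afterwards. The lint below is an added example written for this page; it splits such joined lines back into one path per line and reports them before the script is run. It relies only on the four section headers used in the script above and on File:: and Folder:: taking one absolute path per line; the sample script is constructed to reproduce the joined line.

```python
import re

SECTIONS = ("File::", "Folder::", "Registry::", "Driver::")
# Whitespace that is followed by another "x:\" means two paths share one line.
JOINED_RE = re.compile(r"(?<=\S)\s+(?=[A-Za-z]:\\)")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample: the first File:: line reproduces the joined entry the
# second log reported; the remaining entries are well formed.
SAMPLE = r"""
File::
c:\program files\AllToAVI_v4_r5394_Setup.exe c:\program files\iTunesSetup.exe c:\program files\spywareblastersetup40.exe
c:\program files\cdtomp3.exe
c:\windows\system32\drivers\jrliy.sys

Driver::
okajhrk
rcvpn
"""


def parse_sections(text):
    """Group non-blank lines under the section header that precedes them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            current = line
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("line before any section header: %r" % line)
        else:
            sections[current].append(line)
    return sections


def split_joined(line):
    """Split a line carrying several drive-letter paths; spaces inside one path survive."""
    return JOINED_RE.split(line)


def lint(text):
    """Return (problems, fixed); fixed holds exactly one entry per line."""
    problems, fixed = [], {}
    for header, lines in parse_sections(text).items():
        out = []
        for line in lines:
            parts = split_joined(line) if header in ("File::", "Folder::") else [line]
            if len(parts) > 1:
                problems.append("%s line holds %d paths: %s" % (header, len(parts), line))
            for p in parts:
                if header in ("File::", "Folder::") and not ABS_PATH_RE.match(p):
                    problems.append("%s entry is not an absolute path: %s" % (header, p))
            out.extend(parts)
        fixed[header] = out
    return problems, fixed


def render(fixed):
    """Serialise the corrected script in the usual section order."""
    chunks = ["\n".join([h, *fixed[h]]) for h in SECTIONS if h in fixed]
    return "\n\n".join(chunks) + "\n"


if __name__ == "__main__":
    problems, fixed = lint(SAMPLE)
    for p in problems:
        print("WARN:", p)
    print(render(fixed))
```

Run it over CFScript.txt before dragging the file onto ComboFix; a warning means the pasted text wrapped and the corrected output from render() is what should be saved instead.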
     
  11. bewsh

    bewsh TS Rookie Topic Starter Posts: 21

    thanks,

    have done all that but I haven't run Combofix as I cannot turn off the Symantec real-time scanner.
    every process running appears to be Windows-related and I can't seem to stop it. Is there an easy way?
    will it stop Combofix doing its thing and can I delete the programs you list in the meantime?

    thanks for your help
     
  12. bewsh

    bewsh TS Rookie Topic Starter Posts: 21

    think I managed to turn it off, ran combofix
    log below:


    ComboFix 11-05-19.02 - ed 21/05/2011 20:04:36.4.2 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2047.1649 [GMT 1:00]
    Running from: \\ERSGServer01\Users\Ed\Downloads\ComboFix.exe
    Command switches used :: \\ERSGServer01\Users\Ed\Downloads\CFScript.txt
    AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: Symantec Client Firewall *Enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
    .
    FILE ::
    "c:\program files\AllToAVI_v4_r5394_Setup.exe c:\program files\iTunesSetup.exe c:\program files\spywareblastersetup40.exe c:\program files\Download_zonetick_3_5_trial_regnow.exe"
    "c:\program files\cdtomp3.exe"
    "c:\program files\CpWzPr.exe"
    "c:\program files\ffdshow-20020617.exe"
    "c:\program files\Firefox Setup 2.0.0.6.exe c:\program files\setup_ezdetach_4.0.full.exe c:\program files\setup_ezdetach.eval.exe c:\program files\Flock_Setup_0_7_8__photobucket.exe"
    "c:\program files\Grisoft\AVG 7\AVG7_CC.exe c:\windows\system32\drivers\jrliy.sys"
    "c:\program files\LSPFix.exe"
    "c:\program files\MediaMonkey.exe"
    "c:\program files\sharedaccess.reg"
    "c:\program files\SkypeSetupFull.exe"
    "c:\program files\vlc-0.9.9-win32.exe"
    "c:\program files\WinsockXPFix.exe"
    "c:\windows\000001_.tmp"
    "c:\windows\system32\dllcache\rtl8139.sys"
    "c:\windows\system32\DRIVERS\rcvpn.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\ed.ERSG\Application Data\AVG7
    c:\documents and settings\ed.ERSG\Application Data\AVG7\test-0001.cfg
    c:\documents and settings\ed.ERSG\Application Data\AVG7\test-0003.cfg
    c:\documents and settings\ed.ERSG\Application Data\AVG7\test-0004.cfg
    c:\documents and settings\ed.ERSG\Application Data\AVG7\test-0005.cfg
    c:\documents and settings\ed.ERSG\Application Data\AVG7\test-0006.cfg
    c:\documents and settings\ed.ERSG\Application Data\AVG7\test-0007.cfg
    c:\documents and settings\ed.ERSG\Application Data\AVG7\test-0008.cfg
    c:\documents and settings\ed.ERSG\Application Data\AVG7\test-0009.cfg
    c:\documents and settings\ed.ERSG\Application Data\AVG7\test-0011.cfg
    c:\documents and settings\ed.ERSG\Application Data\AVG7\test-0012.cfg
    c:\documents and settings\ed.ERSG\Application Data\AVG7\test-0013.cfg
    c:\documents and settings\ed.ERSG\Application Data\AVG7\user-0000.cfg
    c:\program files\cdtomp3.exe
    c:\program files\CpWzPr.exe
    c:\program files\ffdshow-20020617.exe
    c:\program files\LSPFix.exe
    c:\program files\MediaMonkey.exe
    c:\program files\sharedaccess.reg
    c:\program files\SkypeSetupFull.exe
    c:\program files\vlc-0.9.9-win32.exe
    c:\program files\WinsockXPFix.exe
    c:\windows\000001_.tmp
    c:\windows\system32\dllcache\rtl8139.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_okajhrk
    -------\Service_rcvpn
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-21 to 2011-05-21 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-16 16:40 . 2011-05-16 16:40 -------- d-----w- C:\test
    2011-05-16 16:33 . 2006-08-14 11:09 1428 ----a-w- c:\windows\system32\drivers\nvphy.bin
    2011-05-16 16:31 . 2011-05-16 16:31 -------- d-----w- c:\program files\AMD
    2011-05-16 16:22 . 2011-05-16 16:34 -------- d-----w- c:\windows\LastGood.Tmp
    2011-05-16 16:22 . 2010-11-03 17:15 359016 ----a-w- c:\windows\vncutil.exe
    2011-05-16 16:22 . 2010-11-03 17:15 1833576 ----a-w- c:\windows\SkyTel.exe
    2011-05-16 16:22 . 2011-04-15 14:48 56936 ----a-w- c:\windows\system32\RtkCoInstXP.dll
    2011-05-16 16:22 . 2010-11-03 17:14 129640 ----a-w- c:\windows\RtkAudioService.exe
    2011-05-16 16:22 . 2009-11-18 06:17 1395800 ----a-w- c:\windows\system32\drivers\Monfilt.sys
    2011-05-16 16:22 . 2009-11-18 06:16 1691480 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
    2011-05-16 16:18 . 2006-02-07 14:45 757760 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
    2011-05-16 16:18 . 2006-02-07 14:40 204800 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
    2011-05-16 16:18 . 2006-02-07 14:40 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
    2011-05-16 16:18 . 2006-02-07 14:40 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
    2011-05-16 16:18 . 2005-11-13 22:19 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe
    2011-05-16 16:18 . 2011-05-16 16:18 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
    2011-05-16 16:18 . 2011-05-16 16:18 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
    2011-05-16 15:51 . 2011-05-16 15:51 -------- d-----w- c:\program files\CPUID
    2011-05-16 15:51 . 2010-11-09 14:35 21992 ----a-w- c:\windows\system32\drivers\cpuz135_x32.sys
    2011-05-16 12:20 . 2011-05-16 12:20 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\Malwarebytes
    2011-05-16 12:20 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-16 12:20 . 2011-05-16 12:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-05-16 12:20 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-16 12:20 . 2011-05-16 12:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-16 12:08 . 2011-05-16 12:08 -------- d-----w- c:\windows\ServicePackFiles
    2011-05-16 11:59 . 2011-05-16 11:59 -------- d-----w- c:\program files\ATI
    2011-05-12 14:40 . 2011-05-12 14:40 -------- d-----w- c:\program files\SiSoftware
    2011-05-12 10:54 . 2011-02-16 16:58 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\Intel
    2011-05-12 10:54 . 2011-02-16 16:59 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\Protector Suite
    2011-05-12 10:54 . 2011-02-16 16:59 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\Sony Corporation
    2011-05-12 10:54 . 2010-11-08 16:26 -------- d-sh--w- c:\documents and settings\ed.ERSG\PrivacIE
    2011-05-12 10:54 . 2010-11-08 15:56 -------- d-sh--w- c:\documents and settings\ed.ERSG\IETldCache
    2011-05-12 10:52 . 2004-08-03 21:31 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-19 17:19 . 2006-11-04 21:14 6394472 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
    2011-04-14 12:36 . 2006-11-04 21:14 20053608 ----a-w- c:\windows\RTHDCPL.EXE
    2011-02-25 18:37 . 2006-11-04 21:13 1284712 ------r- c:\windows\RtlExUpd.dll
    2010-02-12 14:40 . 2010-02-12 14:39 18499623 ----a-w- c:\program files\vlc-1.0.5-win32.exe
    2008-12-17 20:06 . 2008-12-17 20:06 26453613 ----a-w- c:\program files\AllToAVI_v4_r5394_Setup.exe
    2008-07-17 10:27 . 2008-07-17 10:27 23510720 -c--a-w- c:\program files\dotnetfx.exe
    2008-07-17 09:27 . 2008-07-17 09:27 12573347 -c--a-w- c:\program files\helium2008.exe
    2008-06-09 12:47 . 2008-06-09 12:47 59782440 -c--a-w- c:\program files\iTunesSetup.exe
    2008-03-31 12:36 . 2008-03-31 12:36 2671816 -c--a-w- c:\program files\spywareblastersetup40.exe
    2007-11-06 17:34 . 2007-11-06 17:34 128376 -c--a-w- c:\program files\Download_zonetick_3_5_trial_regnow.exe
    2007-11-05 11:23 . 2007-11-05 11:23 2748954 -c----w- c:\program files\ST330_Update.exe
    2007-09-18 14:03 . 2007-09-18 14:03 5819504 -c--a-w- c:\program files\Firefox Setup 2.0.0.6.exe
    2007-07-10 13:54 . 2007-07-10 13:53 119309242 -c--a-w- c:\program files\trvte0608.exe
    2006-12-19 16:40 . 2006-12-19 16:40 105930 -c--a-w- c:\program files\setup_ezdetach_4.0.full.exe
    2006-12-08 16:19 . 2006-12-08 16:18 239968 -c--a-w- c:\program files\setup_ezdetach.eval.exe
    2006-11-20 20:35 . 2006-11-20 20:29 9424808 -c--a-w- c:\program files\Flock_Setup_0_7_8__photobucket.exe
    2006-11-20 20:24 . 2006-11-20 20:24 19666504 -c--a-w- c:\program files\QuickTimeInstaller.exe
    2005-03-17 11:30 . 2006-11-06 16:39 527204 -c--a-w- c:\program files\AVIcodec_1.2_b107.exe
    2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2011-04-14 20053608]
    "SoundMan"="SOUNDMAN.EXE" [2010-11-03 84584]
    "AlcWzrd"="ALCWZRD.EXE" [2010-11-03 2815592]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "DisablePersonalDirChange"= 1 (0x1)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-05-17 49152]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
    backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^ed.ERSG^Start Menu^Programs^Startup^scandisk.lnk]
    path=c:\documents and settings\ed.ERSG\Start Menu\Programs\Startup\scandisk.lnk
    backup=c:\windows\pss\scandisk.lnkStartup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    2007-05-29 15:33 52840 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2004-08-04 12:00 15360 ------w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
    2006-11-13 13:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
    2005-03-10 12:01 28160 ----a-w- c:\windows\KHALMNPR.Exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
    2010-12-20 17:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2006-06-01 09:22 7618560 ----a-w- c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2006-06-01 09:22 86016 ----a-w- c:\windows\system32\nvmctray.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
    2004-02-25 11:53 665088 ----a-w- c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    2007-10-07 19:48 125368 ----a-w- c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Bonjour Service"=2 (0x2)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
    "c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
    "c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
    "c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    .
    S2 gupdate1c9a641f9fedc48;Google Update Service (gupdate1c9a641f9fedc48);c:\program files\Google\Update\GoogleUpdate.exe [16/03/2009 15:17 133104]
    S2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [07/10/2007 20:48 116664]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [16/05/2011 17:22 1691480]
    S3 AtiDCM;AtiDCM;\??\c:\documents and settings\ed.ERSG\Local Settings\Temp\atidcmxx.sys --> c:\documents and settings\ed.ERSG\Local Settings\Temp\atidcmxx.sys [?]
    S3 CFcatchme;CFcatchme;\??\c:\docume~1\ED7684~1.ERS\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\ED7684~1.ERS\LOCALS~1\Temp\CFcatchme.sys [?]
    S3 EraserUtilDrv11110;EraserUtilDrv11110;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11110.sys [16/05/2011 09:29 105592]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [29/05/2010 13:43 102448]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [16/03/2009 15:17 133104]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [05/06/2010 09:16 136704]
    S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [05/06/2010 09:16 8320]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-05 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]
    .
    2011-05-16 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-29 23:27]
    .
    2011-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-16 14:17]
    .
    2011-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-16 14:17]
    .
    2011-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3641825963-764552273-372206336-1140Core.job
    - c:\documents and settings\ed.ERSG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-11 14:44]
    .
    2011-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3641825963-764552273-372206336-1140UA.job
    - c:\documents and settings\ed.ERSG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-11 14:44]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/ig?hl=en&source=iglk
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.google.co.uk
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
    DPF: {C6A03519-BA6F-438E-AF3A-878F11521CA5} - hxxp://172.16.100.20/jpgview.cab
    FF - ProfilePath - c:\documents and settings\ed.ERSG\Application Data\Mozilla\Firefox\Profiles\93b4r1jc.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: XULRunner: {7763B99D-F43B-4CC0-8DD3-B3B957D440B3} - c:\documents and settings\ed.ERSG\Local Settings\Application Data\{7763B99D-F43B-4CC0-8DD3-B3B957D440B3}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-22 00:12
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(824)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2011-05-22 00:16:46 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-05-21 23:16
    ComboFix2.txt 2011-05-18 09:34
    ComboFix3.txt 2009-10-20 20:28
    ComboFix4.txt 2009-10-20 13:01
    .
    Pre-Run: 111,315,636,224 bytes free
    Post-Run: 111,104,856,064 bytes free
    .
    - - End Of File - - 8E94F0182C95DFE40E8996DFD9F6B7F0
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Unfortunately, we were posting at the same time. I was telling you to uninstall the Combofix 2009 version and download the current version. You should not have kept Combofix on the desktop.

    There have been some changes in Combofix over the years. What may have been adequate in 2009 isn't in 2011. Did you use the old version?

    Additionally, did you 'stack' some of the entries I had in the script? For instance, I had entries like this:
    But they show in the script like this:
    The entries in the 2 lines that are 'stacked' didn't get removed.
    ====================================
    This was my post:
    This was my last line:
    Don't run the script I left yet. I will review the entries against the newer version of Combofix and add or remove script as needed.
     
  14. bewsh

    bewsh TS Rookie Topic Starter Posts: 21

    OK,
    I tried every way to turn off Symantec.
    It does not appear in either the system tray or the processes list.
    I opened it and turned off all active scans and startup options, restarted and ran Combofix.
    It was still running!!

    I also tried the remove-software process you detailed but can't use the Control Panel Add/Remove option in safe mode.

    When I removed Combofix and then reinstalled it I got an update message for a new version. When it did the update it crashed the machine.


    Anyway, back in safe mode, new version of Combofix.
    When Combofix had finished it tried to upload a file of some description to their webserver but it times out. There is a file to upload later.

    Log below:

    Thanks

    ComboFix 11-05-21.03 - ed 22/05/2011 10:29:03.5.2 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2047.1650 [GMT 1:00]
    Running from: \\ERSGServer01\Users\Ed\Downloads\ComboFix.exe
    Command switches used :: \\ERSGServer01\Users\Ed\Downloads\CFScript.txt
    AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: Symantec Client Firewall *Enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
    .
    FILE ::
    "c:\program files\AllToAVI_v4_r5394_Setup.exe"
    "c:\program files\cdtomp3.exe"
    "c:\program files\CpWzPr.exe"
    "c:\program files\Download_zonetick_3_5_trial_regnow.exe"
    "c:\program files\ffdshow-20020617.exe"
    "c:\program files\Firefox Setup 2.0.0.6.exe"
    "c:\program files\Flock_Setup_0_7_8__photobucket.exe"
    "c:\program files\Grisoft\AVG 7\AVG7_CC.exe"
    "c:\program files\iTunesSetup.exe"
    "c:\program files\LSPFix.exe"
    "c:\program files\MediaMonkey.exe"
    "c:\program files\setup_ezdetach.eval.exe"
    "c:\program files\setup_ezdetach_4.0.full.exe"
    "c:\program files\sharedaccess.reg"
    "c:\program files\SkypeSetupFull.exe"
    "c:\program files\spywareblastersetup40.exe"
    "c:\program files\vlc-0.9.9-win32.exe"
    "c:\program files\WinsockXPFix.exe"
    "c:\windows\000001_.tmp"
    "c:\windows\system32\dllcache\rtl8139.sys"
    "c:\windows\system32\drivers\jrliy.sys"
    "c:\windows\system32\DRIVERS\rcvpn.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\AllToAVI_v4_r5394_Setup.exe
    c:\program files\Download_zonetick_3_5_trial_regnow.exe
    c:\program files\Firefox Setup 2.0.0.6.exe
    c:\program files\Flock_Setup_0_7_8__photobucket.exe
    c:\program files\iTunesSetup.exe
    c:\program files\setup_ezdetach.eval.exe
    c:\program files\setup_ezdetach_4.0.full.exe
    c:\program files\spywareblastersetup40.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-22 to 2011-05-22 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-16 16:40 . 2011-05-16 16:40 -------- d-----w- C:\test
    2011-05-16 16:33 . 2006-08-14 11:09 1428 ----a-w- c:\windows\system32\drivers\nvphy.bin
    2011-05-16 16:31 . 2011-05-16 16:31 -------- d-----w- c:\program files\AMD
    2011-05-16 16:22 . 2011-05-16 16:34 -------- d-----w- c:\windows\LastGood.Tmp
    2011-05-16 16:22 . 2010-11-03 17:15 359016 ----a-w- c:\windows\vncutil.exe
    2011-05-16 16:22 . 2010-11-03 17:15 1833576 ----a-w- c:\windows\SkyTel.exe
    2011-05-16 16:22 . 2011-04-15 14:48 56936 ----a-w- c:\windows\system32\RtkCoInstXP.dll
    2011-05-16 16:22 . 2010-11-03 17:14 129640 ----a-w- c:\windows\RtkAudioService.exe
    2011-05-16 16:22 . 2009-11-18 06:17 1395800 ----a-w- c:\windows\system32\drivers\Monfilt.sys
    2011-05-16 16:22 . 2009-11-18 06:16 1691480 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
    2011-05-16 16:18 . 2006-02-07 14:45 757760 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
    2011-05-16 16:18 . 2006-02-07 14:40 204800 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
    2011-05-16 16:18 . 2006-02-07 14:40 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
    2011-05-16 16:18 . 2006-02-07 14:40 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
    2011-05-16 16:18 . 2005-11-13 22:19 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe
    2011-05-16 16:18 . 2011-05-16 16:18 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
    2011-05-16 16:18 . 2011-05-16 16:18 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
    2011-05-16 15:51 . 2011-05-16 15:51 -------- d-----w- c:\program files\CPUID
    2011-05-16 15:51 . 2010-11-09 14:35 21992 ----a-w- c:\windows\system32\drivers\cpuz135_x32.sys
    2011-05-16 12:20 . 2011-05-16 12:20 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\Malwarebytes
    2011-05-16 12:20 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-16 12:20 . 2011-05-16 12:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-05-16 12:20 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-16 12:20 . 2011-05-16 12:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-16 12:08 . 2011-05-16 12:08 -------- d-----w- c:\windows\ServicePackFiles
    2011-05-16 11:59 . 2011-05-16 11:59 -------- d-----w- c:\program files\ATI
    2011-05-12 14:40 . 2011-05-12 14:40 -------- d-----w- c:\program files\SiSoftware
    2011-05-12 10:54 . 2011-02-16 16:58 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\Intel
    2011-05-12 10:54 . 2011-02-16 16:59 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\Protector Suite
    2011-05-12 10:54 . 2011-02-16 16:59 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\Sony Corporation
    2011-05-12 10:54 . 2010-11-08 16:26 -------- d-sh--w- c:\documents and settings\ed.ERSG\PrivacIE
    2011-05-12 10:54 . 2010-11-08 15:56 -------- d-sh--w- c:\documents and settings\ed.ERSG\IETldCache
    2011-05-12 10:52 . 2004-08-03 21:31 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-19 17:19 . 2006-11-04 21:14 6394472 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
    2011-04-14 12:36 . 2006-11-04 21:14 20053608 ----a-w- c:\windows\RTHDCPL.EXE
    2011-02-25 18:37 . 2006-11-04 21:13 1284712 ------r- c:\windows\RtlExUpd.dll
    2010-02-12 14:40 . 2010-02-12 14:39 18499623 ----a-w- c:\program files\vlc-1.0.5-win32.exe
    2008-07-17 10:27 . 2008-07-17 10:27 23510720 -c--a-w- c:\program files\dotnetfx.exe
    2008-07-17 09:27 . 2008-07-17 09:27 12573347 -c--a-w- c:\program files\helium2008.exe
    2007-11-05 11:23 . 2007-11-05 11:23 2748954 -c----w- c:\program files\ST330_Update.exe
    2007-07-10 13:54 . 2007-07-10 13:53 119309242 -c--a-w- c:\program files\trvte0608.exe
    2006-11-20 20:24 . 2006-11-20 20:24 19666504 -c--a-w- c:\program files\QuickTimeInstaller.exe
    2005-03-17 11:30 . 2006-11-06 16:39 527204 -c--a-w- c:\program files\AVIcodec_1.2_b107.exe
    2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2011-04-14 20053608]
    "SoundMan"="SOUNDMAN.EXE" [2010-11-03 84584]
    "AlcWzrd"="ALCWZRD.EXE" [2010-11-03 2815592]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "DisablePersonalDirChange"= 1 (0x1)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-05-17 49152]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
    backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^ed.ERSG^Start Menu^Programs^Startup^scandisk.lnk]
    path=c:\documents and settings\ed.ERSG\Start Menu\Programs\Startup\scandisk.lnk
    backup=c:\windows\pss\scandisk.lnkStartup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    2007-05-29 15:33 52840 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2004-08-04 12:00 15360 ------w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
    2006-11-13 13:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
    2005-03-10 12:01 28160 ----a-w- c:\windows\KHALMNPR.Exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
    2010-12-20 17:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2006-06-01 09:22 7618560 ----a-w- c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2006-06-01 09:22 86016 ----a-w- c:\windows\system32\nvmctray.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
    2004-02-25 11:53 665088 ----a-w- c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    2007-10-07 19:48 125368 ----a-w- c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Bonjour Service"=2 (0x2)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
    "c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
    "c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
    "c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    .
    S2 gupdate1c9a641f9fedc48;Google Update Service (gupdate1c9a641f9fedc48);c:\program files\Google\Update\GoogleUpdate.exe [16/03/2009 15:17 133104]
    S2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [07/10/2007 20:48 116664]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [16/05/2011 17:22 1691480]
    S3 AtiDCM;AtiDCM;\??\c:\documents and settings\ed.ERSG\Local Settings\Temp\atidcmxx.sys --> c:\documents and settings\ed.ERSG\Local Settings\Temp\atidcmxx.sys [?]
    S3 CFcatchme;CFcatchme;\??\c:\docume~1\ED7684~1.ERS\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\ED7684~1.ERS\LOCALS~1\Temp\CFcatchme.sys [?]
    S3 EraserUtilDrv11110;EraserUtilDrv11110;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11110.sys [16/05/2011 09:29 105592]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [29/05/2010 13:43 102448]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [16/03/2009 15:17 133104]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [05/06/2010 09:16 136704]
    S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [05/06/2010 09:16 8320]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-05 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]
    .
    2011-05-16 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-29 23:27]
    .
    2011-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-16 14:17]
    .
    2011-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-16 14:17]
    .
    2011-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3641825963-764552273-372206336-1140Core.job
    - c:\documents and settings\ed.ERSG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-11 14:44]
    .
    2011-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3641825963-764552273-372206336-1140UA.job
    - c:\documents and settings\ed.ERSG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-11 14:44]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/ig?hl=en&source=iglk
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.google.co.uk
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
    DPF: {C6A03519-BA6F-438E-AF3A-878F11521CA5} - hxxp://172.16.100.20/jpgview.cab
    FF - ProfilePath - c:\documents and settings\ed.ERSG\Application Data\Mozilla\Firefox\Profiles\93b4r1jc.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: XULRunner: {7763B99D-F43B-4CC0-8DD3-B3B957D440B3} - c:\documents and settings\ed.ERSG\Local Settings\Application Data\{7763B99D-F43B-4CC0-8DD3-B3B957D440B3}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-22 10:42
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(824)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2011-05-22 10:46:39 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-05-22 09:46
    ComboFix2.txt 2011-05-21 23:16
    .
    Pre-Run: 111,633,244,160 bytes free
    Post-Run: 111,510,261,760 bytes free
    .
    - - End Of File - - D21DEDCF52CD02DC6BB5773B06E71173
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Follow these instructions for Zango:

    What is Zango?
    How Do I Remove Zango?
    1) Click on Start, Settings, Control Panel
    2) Double click on Add/Remove Programs
    3) Find "Zango" in the list of installed programs and click on Change/Remove to uninstall it. There may also be a program called Media Gateway, remove it as well.
    You'll be presented with the following screen during the uninstall process, you'll want to check either the Zango toolbar or Search Assistant, or both before clicking Next to complete the uninstall.
    4) Reboot your Computer and run HijackThis
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log. Save the log.

    Reopen HijackThis to 'do system scan only.' Check each of the following if present.

    C:\Program Files\Zango\zango.exe
    C:\Program Files\ZangoToolbar\Bin\4.8.3.0\ZbSrv.exe
    O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E0117D9CA975760EA83FA5EF80752B94E2DE765D754E2937C3 - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll
    O2 - BHO: Zango Toolbar - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - C:\Program Files\ZangoToolbar\Bin\4.8.3.0\ZbHostIE.dll
    O3 - Toolbar: Zango Toolbar - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - C:\Program Files\ZangoToolbar\Bin\4.8.3.0\ZbHostIE.dll
    O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"


    Close all Windows except HijackThis and click on "Fix Checked"

    Reboot the computer> see if you can access Normal Mode. If you can't, run HijackThis again, save the log and paste in next reply.

    Directions & Images courtesy of PC Hell.
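The "check each of the following if present" step above is a manual match of HijackThis O2/O3/O4 lines against known Zango CLSIDs and paths. The following is an added example (not code from the thread, from HijackThis, or from PC Hell) that parses those three HJT line formats and flags entries matching the indicators quoted above; the sample log lines are constructed.

```python
"""Flag HijackThis (HJT) log entries that match the Zango indicators
quoted in the thread. Added example for illustration; it is not part of
the thread, of HijackThis, or of PC Hell's directions."""
import re

# Indicators copied from the "check each of the following" list above.
ZANGO_CLSIDS = {
    "{56F1D444-11BF-4879-A12B-79CF0177F038}",  # Zango Search Assistant Helper
    "{5CBE2611-C31B-401F-89BC-4CBB25E853D7}",  # Zango Toolbar (O2 and O3)
}
ZANGO_PATH_FRAGMENTS = (
    r"\zango\zango.exe",
    r"\zango\zangohook.dll",
    r"\zangotoolbar\bin",
)

# O2 (BHO) and O3 (toolbar) entries: "O2 - BHO: <name> - {CLSID} - <path>"
_BHO_RE = re.compile(
    r"^(?P<section>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
# O4 (autostart) entries: 'O4 - HKLM\..\Run: [<name>] <path>'
_RUN_RE = re.compile(
    r"^(?P<section>O4) - (?P<hive>HK[A-Z]+)\\\.\.\\Run: "
    r"\[(?P<name>[^\]]*)\] (?P<path>.+)$"
)


def parse_hjt_line(line):
    """Return a dict for an O2/O3/O4 entry, or None for any other line."""
    m = _BHO_RE.match(line.strip()) or _RUN_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry.setdefault("clsid", None)          # O4 lines carry no CLSID
    entry["path"] = entry["path"].strip().strip('"')
    return entry


def is_zango_entry(entry):
    """True when the CLSID or the file path matches a Zango indicator."""
    clsid = entry.get("clsid")
    if clsid and clsid.upper() in ZANGO_CLSIDS:
        return True
    path = entry["path"].lower()
    return any(frag in path for frag in ZANGO_PATH_FRAGMENTS)


def scan_hjt_log(text):
    """Return (section, name, path) for each line matching an indicator."""
    hits = []
    for line in text.splitlines():
        entry = parse_hjt_line(line)
        if entry and is_zango_entry(entry):
            hits.append((entry["section"], entry["name"], entry["path"]))
    return hits


# Constructed sample: two clean entries plus three Zango entries from the list above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: Zango Toolbar - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - C:\Program Files\ZangoToolbar\Bin\4.8.3.0\ZbHostIE.dll
O3 - Toolbar: Zango Toolbar - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - C:\Program Files\ZangoToolbar\Bin\4.8.3.0\ZbHostIE.dll
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for section, name, path in scan_hjt_log(SAMPLE_LOG):
        print(f"{section}: {name} -> {path}")
```

Paste a saved HJT log into `scan_hjt_log` to get only the entries worth reviewing; the Google and ctfmon lines in the sample are left alone.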
     
  16. bewsh

    bewsh TS Rookie Topic Starter Posts: 21

    It won't let me run the uninstall process from Control Panel in safe mode; the installer window brings up an error message.
    Any ideas?

    Actually, I just checked it: Zango isn't in the list of installed apps.
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    And the error message is???

    Run HijackThis.
     
  18. bewsh

    bewsh TS Rookie Topic Starter Posts: 21

    The error message is "windows installer can not be accessed, this can happen if you are in safe mode or installer is not correctly installed, contact support personnel for assistance".

    I had HijackThis already, so I uninstalled it, installed a fresh copy from your link in the drive specified, and followed your instructions.
    Log below, no sign of Zango.

    I tried to restart but this time, instead of the cycle from Windows logo back to POST, it just switched off.
    When I restarted I saw a quick flash of a DOS window, tiny and minimised, so the only glimpse I could see was "C:" with something written beside it. Literally a flash, no chance to identify it, but it hasn't happened before.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 00:02:20, on 23/05/2011
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\ed.ERSG\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\ed.ERSG\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\ed.ERSG\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en&source=iglk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - http://www.solidworks.com/plugins/edrawings/download.cfm?Release=rel
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.aurec.com.au/Remote/msrdp.cab
    O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
    O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
    O16 - DPF: {C6A03519-BA6F-438E-AF3A-878F11521CA5} (JpgView Control) - http://172.16.100.20/jpgview.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ERSG.local
    O17 - HKLM\Software\..\Telephony: DomainName = ERSG.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ERSG.local
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Update Service (gupdate1c9a641f9fedc48) (gupdate1c9a641f9fedc48) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

    --
    End of file - 8359 bytes
     
  19. bewsh

    bewsh TS Rookie Topic Starter Posts: 21

    Tried to see if it would boot in normal again today.
    It doesn't.

    Anything else I can do to avoid a complete wipe and rebuild?
    I don't have the cash for further hardware if that is the problem, but I'm hoping it is malware related.

    thanks again for your help
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The NameServer Domain name in your logs shows ed.ERSG. The only ID I am finding for this is "The Elections Reform Support Group or ERSG was a forum of donors co-chaired by the United States and the European Union to coordinate the reform of the Palestinian electoral system.[1] ESRG was founded in 2002."

    I cannot identify ERSG further. Your docs & settings appear that you may be 'ed' at this domain and I do find an email address for that.
    ========================================
    I'm finishing another list of script to remove more files. While I'm doing that, please let me know about the ERSG domain.
    ========================================
    About this:
    Some use Boot.ini in the msconfig utility to set SAFEBOOT for startup. The problem with that is the system won't start any other way as long as SafeBoot is checked. So they don't know how to get out of that mode.

    So my "Boot into Safe Mode" was given with the Boot.ini function in mind> meaning don't set SafeBoot in Boot.ini- boot into Safe Mode instead, using the F8 key. Understand?
    ===========================================
    Do you know how to run Chkdsk? I think this would help with system problems:

    Where to set Error Checking up
    You can do the Error Check from Command Prompt:
    Start> Run> type in cmd> enter> type in Chkdsk /f, followed by a reboot. Chkdsk will start in a few seconds -or-
    Start> Run> type in cmd> enter> at the blinking C Prompt type in Chkdsk /r

    Or Windows Explorer:
    Right click on Start> Explore> My Computer> Right click on Local Drive (usually C)> Properties> Tools> Error Check> check both boxes on the screen that comes up> Apply> Close the message and reboot for the Error Checking to start.

    The /r switch is for Recovery of readable information in bad sectors: it locates bad sectors and recovers readable information (implies /F).
    The /f switch is for File Errors to be found and fixed.
     
  21. bewsh

    bewsh TS Rookie Topic Starter Posts: 21

    ERSG is my domain name (www.ersg.com)
    I am Ed


    Boot.ini is all greyed out in MSCONFIG,
    so it is trying to boot normally from scratch; I get safe mode by pressing F8.

    Will run chkdsk and get back to you
     
  22. bewsh

    bewsh TS Rookie Topic Starter Posts: 21

    Well, now it is screwed.

    I followed the chkdsk instructions and it said it would check the volume at next start up, except now it won't start up at all.

    I can't get it to go past the driver log page on startup; it just hangs. Tried it several times now.
    I assume that it is hanging just before the chkdsk can run.

    Any ideas?
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Once you schedule Chkdsk, then reboot, it should start in about 9 seconds.

    Try running System File Checker: Have your Windows XP installation CD ready, so that you can insert it if you are prompted to do so.
    • Click on Start> Run> type in sfc /scannow (note there is a space between SFC and the forward slash).
    • Click on OK or press Enter.
    • Follow any instructions on the screen.
    • It should close when finished.
    • Reboot the computer.
    ====================================
    Referring to Boot.ini> when you say it's grayed out, do you mean there is nothing in the box at the top? Please don't make any changes here: my questions are for information only:


    Right below the dialog box, there are 4 buttons> Three of the four buttons provided in this window are for editing purposes and are grayed out by default. The Check All Boot Paths button is used to verify that the boot paths in the BOOT.INI file are correct. When you click this button, you’ll either receive an error message you can use for troubleshooting or a window alerting you that the boot paths have been verified.
    ======================================
    The system may just be too corrupted to boot. It has not been well maintained over the years and updates haven't been done with earlier versions removed. I think you should be prepared to do a reformat/reinstall.
     
  24. bewsh

    bewsh TS Rookie Topic Starter Posts: 21

    Hi,

    In answer to the above, the msconfig top window had all the usual info in it.
    The 4 check boxes below were grayed out with no options.

    I couldn't run sfc /scannow or chkdsk as it just hung on the driver install page before the Windows logo.

    When I ran the chkdsk and it died at reboot I lost my patience and took it to a shop.
    Explained I had tried to run diagnostics and excluded various bits of hardware and told them to sort it (they are cheap and only charge £10 to diagnose, and as I buy all my components there they are pretty helpful).
    They told me the motherboard was the problem.

    Not convinced, I agreed to purchase a new motherboard from them (I did this only on the assumption that if the diagnosis was wrong I would have some comeback on the sale).

    Having already purchased a new HDD and now a new motherboard, I set about rebuilding it.

    First I tried to install the image of the old C: onto the new HDD.
    I used Acronis to take the image and restore it.
    It went on OK but then crashed as before, cycling at the boot stage.

    So I wiped the new hard drive (complete format) and reinstalled a fresh copy of Win XP, Office, Chrome, Adobe etc., updated as many drivers as I could and added it back onto my domain (network of a server and a couple of PCs). It did this successfully but only adds it to the domain on restart.

    As it restarted it hangs on the Windows logo indefinitely.
    If I start in safe mode it stalls momentarily at the mup.sys driver install and then boots as normal (albeit safe normal!).

    Could this problem be in some way linked to the domain controller or the way it links to my server?
    This is effectively a complete fresh install on a new HDD and MB (the only common hardware is the RAM, the CPU, the optical drives and the case/PSU).

    I am at a loss a bit now, as short of a new box I am not sure what I can do to eliminate HW/SW as the root cause.

    I am running in safe mode with full networking between the server and the PC, and the PC and the web, with no loss of functionality other than the video/sound side of safe mode.


    I tried to run the sfc /scannow command on the old drive and got the message:
    "Windows File Protection could not initiate a scan of protected system files.
    The specific error code is 0x000006ba [The RPC server is unavailable]"

    driving me nuts!
     
  25. bewsh

    bewsh TS Rookie Topic Starter Posts: 21

    Hi, Solved this myself yesterday.

    As every piece of hardware except the chip has been replaced and re-run and I am convinced it was a hardware issue, I took it back to the shop and asked if he had checked my CPU in another board... he said no.

    So I bit the bullet and went for a new dual core AMD CPU, a new MB (can't use mine as the socket is AM2) and got some extra RAM.

    Am not convinced there is anything wrong with the MB!

    I am typing on my new faster, slicker, reinstalled, twin screen rocket machine!

    thanks for all your help.
    I just need to figure out why MS Exchange is using a PST file on my PC HD to store messages now!
     