TechSpot

[Ramnit- Not curable] Bad Image Error

By jig1980
Dec 19, 2010
  1. Hi Guys,

    I've noted a few posts with the same error as I have but thought, instead of hijacking other people's threads, I'd ask for help in my own.

    A Bad Image error message pops up every time I open a new program. Whilst this isn't stopping the program from running, I do have to click the OK button (more than 20 times on occasion) before I can carry on doing what I need to do. Highly annoying!

    Here is the exeHelper log I have just run.

    exeHelper by Raktor
    Build 20100414
    Run at 12:44:11 on 12/19/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    I checked whether this had solved the issue before I posted, and unfortunately it hasn't.

    Thank you in advance for your help.

    Jig
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Is there some reason you ran this program? FYI: There are many different reasons for the Bad Image error and what helps one person resolve it may not be appropriate for you.

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. jig1980

    jig1980 TS Rookie Topic Starter

    Thanks for your reply Bobbye,

    I ran the above program after reading advice in other threads for what seemed to be the same problem. Please excuse my ignorance; I believed that there was a standard starting point (so to speak) to work from in order to solve these issues.

    I have now followed your instructions and here are the logs you need.

    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5358

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    19/12/2010 18:15:53
    mbam-log-2010-12-19 (18-15-53).txt

    Scan type: Quick scan
    Objects scanned: 186851
    Time elapsed: 5 minute(s), 8 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 6
    Registry Values Infected: 6
    Registry Data Items Infected: 2
    Folders Infected: 7
    Files Infected: 7

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{A7CDDCDC-BEEB-4685-A062-978F5E07CEEE} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100EB1FD-D03E-47FD-81F3-EE91287F9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A26F07F-0D60-4835-91CF-1E1766A0EC56} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5428486-50A0-4A02-9D20-520B59A9F9B2} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5428486-50A0-4A02-9D20-520B59A9F9B3} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.ShopperReports) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{C5428486-50A0-4A02-9D20-520B59A9F9B2} (Adware.ShopperReports) -> Value: {C5428486-50A0-4A02-9D20-520B59A9F9B2} -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{C5428486-50A0-4A02-9D20-520B59A9F9B3} (Adware.ShopperReports) -> Value: {C5428486-50A0-4A02-9D20-520B59A9F9B3} -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{C5428486-50A0-4a02-9D20-520B59A9F9B2} (Adware.ShopperReports) -> Value: {C5428486-50A0-4a02-9D20-520B59A9F9B2} -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{C5428486-50A0-4a02-9D20-520B59A9F9B3} (Adware.ShopperReports) -> Value: {C5428486-50A0-4a02-9D20-520B59A9F9B3} -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{DF0524C8-69C7-82F3-8296-68A7560619E4} (Trojan.ZbotR.Gen) -> Value: {DF0524C8-69C7-82F3-8296-68A7560619E4} -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nonep (Trojan.Agent) -> Value: nonep -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    c:\documents and settings\emily scott\application data\shoppingreport (Adware.ShopperReports) -> Quarantined and deleted successfully.
    c:\documents and settings\emily scott\application data\shoppingreport\cs (Adware.ShopperReports) -> Quarantined and deleted successfully.
    c:\documents and settings\emily scott\application data\shoppingreport\cs\db (Adware.ShopperReports) -> Quarantined and deleted successfully.
    c:\documents and settings\emily scott\application data\shoppingreport\cs\dwld (Adware.ShopperReports) -> Quarantined and deleted successfully.
    c:\documents and settings\emily scott\application data\shoppingreport\cs\report (Adware.ShopperReports) -> Quarantined and deleted successfully.
    c:\documents and settings\emily scott\application data\shoppingreport\cs\res1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
    c:\program files\system32 (Backdoor.Bifrose) -> Quarantined and deleted successfully.

    Files Infected:
    c:\documents and settings\emily scott\application data\shoppingreport\cs\Config.xml (Adware.ShopperReports) -> Quarantined and deleted successfully.
    c:\documents and settings\emily scott\application data\shoppingreport\cs\db\Aliases.dbs (Adware.ShopperReports) -> Quarantined and deleted successfully.
    c:\documents and settings\emily scott\application data\shoppingreport\cs\db\Sites.dbs (Adware.ShopperReports) -> Quarantined and deleted successfully.
    c:\documents and settings\emily scott\application data\shoppingreport\cs\dwld\whitelist.xip (Adware.ShopperReports) -> Quarantined and deleted successfully.
    c:\documents and settings\emily scott\application data\shoppingreport\cs\report\aggr_storage.xml (Adware.ShopperReports) -> Quarantined and deleted successfully.
    c:\documents and settings\emily scott\application data\shoppingreport\cs\report\send_storage.xml (Adware.ShopperReports) -> Quarantined and deleted successfully.
    c:\documents and settings\emily scott\application data\shoppingreport\cs\res1\whitelist.dbs (Adware.ShopperReports) -> Quarantined and deleted successfully.



    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-12-19 18:28:51
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3160812AS rev.3.ADJ
    Running: po9oquj9.exe; Driver: C:\DOCUME~1\EMILYS~1\LOCALS~1\Temp\awlcypow.sys


    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device \Driver\atapi \Device\Ide\IdePort2 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device \Driver\atapi \Device\Ide\IdePort3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----




    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Emily Scott at 18:31:05.70 on 19/12/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1022.342 [GMT 0:00]

    AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\AVG\AVG9\avgfws9.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\WINDOWS\system32\svchost.exe -k HPService
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Kontiki\KService.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\TalkTalk\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\stsystra.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\TalkTalk\agent\bin\bcont_nm.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\Emily Scott\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.facebook.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=5070124
    mSearch Bar = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=5070124
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
    TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
    TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    {555d4d79-4bd2-4094-a395-cfc534424a05}
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
    uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [kdx] c:\program files\kontiki\KHost.exe -all
    uRun: [EPSON Stylus SX200 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiefe.exe /fu "c:\windows\temp\E_S73.tmp" /EF "HKCU"
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
    mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
    mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [TalkTalk] "c:\program files\talktalk\bin\sprtcmd.exe" /P TalkTalk
    mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [<NO NAME>]
    mRun: [TaskTray]
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www3.snapfish.co.uk/SnapfishUKActivia.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\emilys~1\applic~1\mozilla\firefox\profiles\j4rrxsx5.default\
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b11505a&v=6.010.006.004&i=23&tp=ab&iy=&ychte=uk&lng=en-GB&q=
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: AVG Security Toolbar em:version=6.010.006.004 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg9\toolbar\firefox\avg@igeared
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: British English Dictionary: en-GB@dictionaries.addons.mozilla.org - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org

    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2009-11-28 25168]
    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-11-28 52872]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-22 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-4-11 29584]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-22 243024]
    R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-16 921952]
    R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
    R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-7-16 2331544]
    R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\talktalk\bin\sprtsvc.exe [2007-10-12 202016]
    R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\common files\supportsoft\bin\tgsrvc.exe [2007-8-2 148768]
    R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-11-28 30104]
    R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-11-28 122448]
    R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-11-28 30288]
    R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2009-11-28 26192]
    S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-7-16 5897808]
    S2 gupdate1c9ae405065311e;Google Update Service (gupdate1c9ae405065311e);c:\program files\google\update\GoogleUpdate.exe [2009-3-26 133104]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-11-28 30104]
    S3 cpuz132;cpuz132;\??\c:\docume~1\emilys~1\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\emilys~1\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
    S3 iadusb;MT882;c:\windows\system32\drivers\glauiad.sys [2008-1-11 29696]
    S3 jgameenp;jgameenp;\??\c:\docume~1\jws\locals~1\temp\jgameenp.sys --> c:\docume~1\jws\locals~1\temp\jgameenp.sys [?]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

    =============== Created Last 30 ================

    2010-12-19 18:06:27 -------- d-----w- c:\docume~1\emilys~1\applic~1\Malwarebytes
    2010-12-19 18:05:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-19 18:05:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-12-19 18:05:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-19 18:05:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-15 16:18:20 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-15 16:14:52 45568 ------w- c:\windows\system32\dllcache\wab.exe

    ==================== Find3M ====================

    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

    ============= FINISH: 18:33:56.04 ===============




    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 26/01/2007 19:53:37
    System Uptime: 19/12/2010 18:17:26 (0 hours ago)

    Motherboard: Dell Inc | | 0HY175
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | Socket M2 | 2204/1000mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 109 GiB total, 18.433 GiB free.
    D: is FIXED (NTFS) - 37 GiB total, 36.977 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {50127DC3-0F36-415E-A6CC-4CB3BE910B65}
    Description: AMD K8 Processor
    Device ID: ACPI\AUTHENTICAMD_-_X86_FAMILY_15_MODEL_75\_0
    Manufacturer: Advanced Micro Devices
    Name: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+
    PNP Device ID: ACPI\AUTHENTICAMD_-_X86_FAMILY_15_MODEL_75\_0
    Service: AmdK8

    Class GUID: {50127DC3-0F36-415E-A6CC-4CB3BE910B65}
    Description: AMD K8 Processor
    Device ID: ACPI\AUTHENTICAMD_-_X86_FAMILY_15_MODEL_75\_1
    Manufacturer: Advanced Micro Devices
    Name: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+
    PNP Device ID: ACPI\AUTHENTICAMD_-_X86_FAMILY_15_MODEL_75\_1
    Service: AmdK8

    ==== System Restore Points ===================

    RP778: 22/09/2010 11:37:47 - System Checkpoint
    RP779: 23/09/2010 12:38:24 - System Checkpoint
    RP780: 24/09/2010 09:47:08 - Avg Update
    RP781: 24/09/2010 09:49:01 - Avg Update
    RP782: 24/09/2010 09:51:36 - Avg Update
    RP783: 25/09/2010 11:14:49 - System Checkpoint
    RP784: 25/09/2010 12:01:51 - Installed Finding Nemo
    RP785: 26/09/2010 20:46:02 - System Checkpoint
    RP786: 28/09/2010 17:09:05 - System Checkpoint
    RP787: 29/09/2010 12:55:22 - Software Distribution Service 3.0
    RP788: 01/10/2010 11:06:59 - System Checkpoint
    RP789: 01/10/2010 22:38:39 - Installed LG Internet Kit
    RP790: 03/10/2010 18:03:42 - System Checkpoint
    RP791: 05/10/2010 09:45:16 - Avg Update
    RP792: 05/10/2010 21:31:13 - Restore Operation
    RP793: 05/10/2010 21:38:19 - Restore Operation
    RP794: 06/10/2010 07:44:08 - Software Distribution Service 3.0
    RP795: 07/10/2010 13:21:36 - System Checkpoint
    RP796: 08/10/2010 13:56:35 - System Checkpoint
    RP797: 09/10/2010 08:36:12 - Restore Operation
    RP798: 09/10/2010 08:52:17 - Restore Operation
    RP799: 09/10/2010 16:06:14 - Installed Windows Media Player 11
    RP800: 09/10/2010 16:09:04 - Installed Windows XP MSCompPackV1.
    RP801: 09/10/2010 16:55:24 - Software Distribution Service 3.0
    RP802: 10/10/2010 18:06:13 - System Checkpoint
    RP803: 12/10/2010 17:19:24 - System Checkpoint
    RP804: 13/10/2010 08:12:43 - Software Distribution Service 3.0
    RP805: 13/10/2010 11:29:19 - Software Distribution Service 3.0
    RP806: 14/10/2010 12:43:56 - System Checkpoint
    RP807: 14/10/2010 17:24:06 - Installed Driver Detective.
    RP808: 17/10/2010 00:45:38 - System Checkpoint
    RP809: 18/10/2010 11:33:27 - System Checkpoint
    RP810: 20/10/2010 12:07:03 - System Checkpoint
    RP811: 22/10/2010 12:54:12 - System Checkpoint
    RP812: 23/10/2010 16:06:42 - System Checkpoint
    RP813: 24/10/2010 20:52:12 - System Checkpoint
    RP814: 26/10/2010 09:59:40 - Avg Update
    RP815: 27/10/2010 09:43:35 - Removed Power Rangers Ninja Storm
    RP816: 27/10/2010 09:43:54 - Installed Power Rangers Ninja Storm
    RP817: 29/10/2010 14:52:46 - System Checkpoint
    RP818: 30/10/2010 15:43:38 - System Checkpoint
    RP819: 31/10/2010 15:34:04 - System Checkpoint
    RP820: 02/11/2010 12:38:55 - System Checkpoint
    RP821: 03/11/2010 17:52:10 - System Checkpoint
    RP822: 05/11/2010 15:01:38 - System Checkpoint
    RP823: 06/11/2010 17:40:10 - System Checkpoint
    RP824: 09/11/2010 13:34:31 - System Checkpoint
    RP825: 10/11/2010 12:04:13 - Avg Update
    RP826: 10/11/2010 12:04:45 - Avg Update
    RP827: 10/11/2010 12:07:46 - Avg Update
    RP828: 11/11/2010 12:12:04 - System Checkpoint
    RP829: 11/11/2010 13:59:56 - Software Distribution Service 3.0
    RP830: 12/11/2010 17:35:29 - System Checkpoint
    RP831: 13/11/2010 18:03:46 - System Checkpoint
    RP832: 15/11/2010 16:40:56 - System Checkpoint
    RP833: 16/11/2010 16:52:33 - System Checkpoint
    RP834: 19/11/2010 11:25:26 - System Checkpoint
    RP835: 20/11/2010 16:49:54 - System Checkpoint
    RP836: 21/11/2010 16:50:44 - System Checkpoint
    RP837: 23/11/2010 12:35:48 - System Checkpoint
    RP838: 24/11/2010 17:33:34 - System Checkpoint
    RP839: 25/11/2010 11:42:28 - Avg Update
    RP840: 25/11/2010 11:44:16 - Avg Update
    RP841: 25/11/2010 11:47:37 - Avg Update
    RP842: 27/11/2010 16:55:23 - System Checkpoint
    RP843: 30/11/2010 17:31:02 - System Checkpoint
    RP844: 01/12/2010 18:29:59 - System Checkpoint
    RP845: 03/12/2010 09:01:07 - System Checkpoint
    RP846: 07/12/2010 16:31:08 - System Checkpoint
    RP847: 08/12/2010 16:42:27 - System Checkpoint
    RP848: 10/12/2010 09:14:39 - System Checkpoint
    RP849: 12/12/2010 16:45:16 - System Checkpoint
    RP850: 13/12/2010 17:49:14 - System Checkpoint
    RP851: 15/12/2010 16:51:43 - System Checkpoint
    RP852: 15/12/2010 21:09:34 - Software Distribution Service 3.0
    RP853: 17/12/2010 13:02:39 - System Checkpoint
    RP854: 17/12/2010 22:09:41 - Software Distribution Service 3.0
    RP855: 19/12/2010 08:36:33 - System Checkpoint

    ==== Installed Programs ======================


    32 Bit HP CIO Components Installer
    4oD
    ABBYY FineReader 6.0 Sprint
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Acrobat Reader 3.0
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.2
    Adobe Reader 8.1.2 Security Update 1 (KB403742)
    Amazon MP3 Downloader 1.0.4
    Ask Toolbar
    Aston.1.9.2
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Display Driver
    AVG 9.0
    Boots F2CD Picture Suite
    Broadcom Management Programs
    BufferChm
    Camera RAW Plug-In for EPSON Creativity Suite
    Cars
    Cars - Radiator Springs Adventures
    Command & Conquer 3
    Copy
    Corel Paint Shop Pro Photo XI
    Creative MediaSource
    Creative Removable Disk Manager
    Creative System Information
    Creative Zen Vision M
    Critical Update for Windows Media Player 11 (KB959772)
    Dell CinePlayer
    Dell Support 3.2.1
    Dell System Restore
    Destinations
    DeviceDiscovery
    Disc2Phone
    Disney's Animated StoryBook 101 Dalmatians
    DJ_AIO_06_F4500_SW_MIN
    Driver Detective
    eMusic Download Manager
    EPSON Attach To Email
    EPSON Easy Photo Print
    EPSON File Manager
    EPSON Scan
    EPSON Scan Assistant
    EPSON Stylus SX200 Series Printer Uninstall
    EPSON Stylus SX200_SX400_TX200_TX400 Manual
    EPSON Web-To-Page
    F4500
    Facebook Plug-In
    ffdshow [rev 1723] [2007-12-24]
    Finding Nemo
    Full Tilt Poker
    GameShadow
    GameSpy Arcade
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    Google Updater
    GPBaseService2
    Hardware Helper
    High Definition Audio Driver Package - KB835221
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Customer Participation Program 13.0
    HP Deskjet 5700 Series
    HP Deskjet F4500 Printer Driver Software 13.0 Rel .6
    HP Imaging Device Functions 13.0
    HP Print Projects 1.0
    HP Solution Center 13.0
    HP Update
    hpPrintProjects
    HPProductAssistant
    HPSSupply
    hpWLPGInstaller
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 17
    KODAK Gallery Upload Software
    Last.fm 1.5.4.24567
    Learn2 Player (Uninstall Only)
    LG Internet Kit
    LG USB Modem Drivers
    LucasArts' Rogue Squadron
    M²Convert for ZEN
    Macromedia Shockwave Player
    Malwarebytes' Anti-Malware
    MarketResearch
    McAfee Security Scan Plus
    McDonald's Dragons
    MCU
    Medal of Honor Allied Assault
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft AutoRoute 2006
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Digital Image 2006*Standard Edition
    Microsoft Digital Image 2006*Standard Edition Editor
    Microsoft Digital Image 2006*Standard Edition Library
    Microsoft Digital Image Library 9 - Blocker
    Microsoft Encarta Standard 2006
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Money
    Microsoft National Language Support Downlevel APIs
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Word 2002
    Microsoft Works
    Microsoft Works Suite 2006 Setup Launcher
    Microsoft Works Suite Add-in for Microsoft Word
    Mozilla Firefox (3.6.13)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MT882
    Nero 7 Premium
    Network
    Photo Viewer
    PokerStars
    Power Rangers Ninja Storm
    QuickTime
    RealPlayer Basic
    SAMSUNG CDMA Modem Driver Set
    SAMSUNG Mobile Composite Device Software
    Samsung Mobile phone USB driver Software
    SAMSUNG Mobile USB Modem 1.0 Software
    SAMSUNG Mobile USB Modem Software
    Samsung PC Studio 3
    Scan
    Scooby-Doo(TM), Jinx At The Sphinx(TM)
    SearchAssist
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Shop for HP Supplies
    SolutionCenter
    Sonic Activation Module
    Sonic Update Manager
    SopCast 3.0.3
    Status
    TalkTalk Assist & Go
    Texas Hold'em 3D XP Championship
    thomas
    Thomas New Line
    Tomb Raider - The Last Revelation
    Toolbox
    Toy Story 2 ToyShelf_Cone
    TrayApp
    TVersity Codec Pack 1.2
    TVersity Media Server 1.0.0.11 RC7
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB969497)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    URL Assistant
    VideoLAN VLC media player 0.8.6b
    Viewpoint Media Player
    WebFldrs XP
    WebReg
    Windows Driver Package - (mr7910) Image 06/28/2005 1.3.0.0
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    Works Upgrade
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    19/12/2010 17:51:06, error: Service Control Manager [7034] - The KService service terminated unexpectedly. It has done this 1 time(s).
    19/12/2010 17:50:55, error: Service Control Manager [7034] - The SupportSoft Sprocket Service (TalkTalk) service terminated unexpectedly. It has done this 1 time(s).
    19/12/2010 17:50:55, error: Service Control Manager [7034] - The SupportSoft Repair Service (TalkTalk) service terminated unexpectedly. It has done this 1 time(s).
    19/12/2010 17:50:55, error: Service Control Manager [7034] - The NMIndexingService service terminated unexpectedly. It has done this 1 time(s).
    19/12/2010 17:50:55, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    19/12/2010 17:50:54, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
    19/12/2010 17:50:54, error: Service Control Manager [7034] - The AVG Firewall service terminated unexpectedly. It has done this 1 time(s).
    19/12/2010 17:50:52, error: Service Control Manager [7031] - The AVG WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    19/12/2010 17:50:49, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
    19/12/2010 11:19:33, error: Cdrom [11] - The driver detected a controller error on \Device\CdRom0.
    18/12/2010 14:55:46, error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort1.
    18/12/2010 14:54:07, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
    18/12/2010 08:34:30, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8
    18/12/2010 08:34:30, error: Service Control Manager [7022] - The KService service hung on starting.
    18/12/2010 08:33:09, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the TVersityMediaServer service to connect.

    ==== End Of File ===========================
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay. First thing for you to do is decide whether you want McAfee or AVG for the antivirus program. You have both running and multiple AV makes a system more vulnerable, not less. Here are tools to help in the removal> download and use only the tool for the AV you don't want to keep:

    AVG Removal: Note: You may have to reinstall AVG to uninstall it fully
    McAfee Removal
    Please reboot the computer when finished.
    =============================================
    There are some entries that need to be removed and I'd like to run an online virus scan:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    =====================================
    If you have kept AVG, try disabling it when you're ready to run the following. If Combofix tells you it won't run with AVG on the system, then you will need to uninstall AVG to run the scan:
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
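    Step 10 of the ESET procedure above asks for C:\Program Files\EsetOnlineScanner\log.txt. As an added example (not part of Bobbye's instructions, of this thread, or of ESET's tooling), the script below parses that file in the layout jig1980 pastes later in the thread and reports what a helper otherwise reads off it by eye: detections grouped by threat name, by result and by directory, plus the list ESET marked "unable to clean", checked against the scanner's own "# found" / "# cleaned" header counts. Its embedded sample is constructed: three lines copied in shape from that scan and two invented ones (a second name with ESET's "a variant of" prefix, a cleaned result, a "(1)" inside a path, and a name without a family/variant token) so the parser's corner cases are exercised. The hash column and the trailing flag letter are carried through unchanged because the thread does not say what they encode.

```python
"""Summarise an ESET Online Scanner log.txt of the kind requested in step 10.

Added example; not part of this thread or of ESET's tooling. Assumed layout
(the one pasted later in the thread): '#'-prefixed header lines, then one
detection per line:  <path> <threat name> (<result>) <32-hex hash> <flag>.
The real file may separate fields with tabs; the forum paste collapsed them
to spaces, so the parser works from the right-hand end of each line.
"""
import re
import sys
from collections import Counter

# Constructed sample: the first three lines follow the thread's scan exactly,
# the last two are invented to exercise the 'a variant of' prefix, a cleaned
# result, a '(1)' inside a path and a name without a family/variant token.
SAMPLE_LOG = """\
# version=7
# scanned=109654
# found=5
# cleaned=1
C:\\Program Files\\AVG\\AVG9\\Toolbar.old\\Firefox\\avg@igeared\\chrome\\content\\html\\about.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\\Program Files\\AVG\\AVG9\\Toolbar.old\\Firefox\\avg@igeared\\ch_26\\chrome\\content\\html\\tabswelcome.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\\Program Files\\PokerStars\\gx\\templates\\dialog.html Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\\Documents and Settings\\user\\Local Settings\\Temp\\setup (1).exe a variant of Win32/Kryptik.ABC trojan (cleaned by deleting - quarantined) 0123456789abcdef0123456789abcdef C
C:\\Documents and Settings\\user\\My Documents\\notes.txt multiple threats (unable to clean) 00000000000000000000000000000000 I
"""

# Greedy <body> so the LAST '(result) hash flag' group on the line is taken;
# an earlier '(1)' inside the path therefore stays in the body.
DETECTION_RE = re.compile(
    r"^(?P<body>.+)\s+\((?P<result>[^()]*)\)\s+(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)\s*$"
)
# Prefixes ESET puts before a Family/Name.Variant token (assumption from
# common ESET naming, not taken from this thread).
_PREFIXES = (("probably", "a", "variant", "of"), ("a", "variant", "of"))


def split_path_and_threat(body):
    """Split '<path> <threat name>': ESET names carry a '/', Windows paths never
    do, so the last slash-bearing token (minus any prefix) starts the name.
    Returns (body, None) when no such token exists."""
    tokens = body.split()
    slash_idx = [i for i, t in enumerate(tokens) if "/" in t]
    if not slash_idx:
        return body, None
    start = slash_idx[-1]
    for prefix in _PREFIXES:
        n = len(prefix)
        if start >= n and tuple(t.lower() for t in tokens[start - n:start]) == prefix:
            start -= n
            break
    return " ".join(tokens[:start]), " ".join(tokens[start:])


def parse_log(text):
    """Return (header dict, detection dicts, unparsed lines). Repeated header
    keys such as compatibility_mode keep their first value."""
    header, detections, unparsed = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, sep, value = line[1:].strip().partition("=")
            if sep:
                header.setdefault(key.strip(), value.strip())
            continue
        m = DETECTION_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        path, threat = split_path_and_threat(m.group("body"))
        detections.append({"path": path, "threat": threat, "result": m.group("result"),
                           "hash": m.group("hash").lower(), "flag": m.group("flag")})
    return header, detections, unparsed


def summarize(text, depth=3):
    """Aggregate by threat name, by result and by the first `depth` path
    components, and list what ESET could not clean; the '# found'/'# cleaned'
    header counts sit beside the parsed count so a mismatch is visible."""
    header, detections, unparsed = parse_log(text)
    return {
        "found_header": int(header.get("found", len(detections))),
        "found_parsed": len(detections),
        "cleaned_header": int(header.get("cleaned", 0)),
        "by_threat": Counter(d["threat"] or "<no family/variant token>" for d in detections),
        "by_result": Counter(d["result"] for d in detections),
        "by_prefix": Counter("\\".join(d["path"].split("\\")[:depth]) for d in detections),
        "not_cleaned": [d["path"] for d in detections if "unable to clean" in d["result"].lower()],
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g.  python eset_summary.py "C:\Program Files\EsetOnlineScanner\log.txt"
        raw = open(sys.argv[1], "rb").read()
        text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8", "replace")
    else:
        text = SAMPLE_LOG
    s = summarize(text)
    print(f"found={s['found_header']} parsed={s['found_parsed']} cleaned={s['cleaned_header']}")
    for table in ("by_threat", "by_result", "by_prefix"):
        print(table)
        for name, n in s[table].most_common():
            print(f"  {n:3d}  {name}")
    for p in s["not_cleaned"]:
        print("NOT CLEANED:", p)
    for line in s["unparsed"]:
        print("UNPARSED:", line)
```

    Run it with no argument to see the constructed sample, or pass the path to log.txt. Reading each line from its right-hand end is deliberate: the forum paste collapses the tab separators, and paths such as "Program Files" contain spaces, so splitting on whitespace from the left would cut the path in half. The only assumption made about ESET naming is that the family/variant token contains a slash; lines that do not fit the layout are reported as unparsed rather than silently dropped.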
     
  5. jig1980

    jig1980 TS Rookie Topic Starter

    Hi Bobbye,

    Sorry for the delayed reply. Hope you had a good xmas. Here are the logs you requested.

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6419
    # api_version=3.0.2
    # EOSSerial=433fd17981dbf24fa2fb789ef7e405fd
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-12-31 03:03:28
    # local_time=2010-12-31 03:03:28 (+0000, GMT Standard Time)
    # country="United Kingdom"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=1279 16777215 0 0 0 0 0 0
    # compatibility_mode=2304 16777215 100 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 4449 4449 0 0
    # scanned=109654
    # found=28
    # cleaned=0
    # scan_time=3521
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\chrome\content\html\about.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\chrome\content\html\bubble_AB.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\chrome\content\html\bubble_confirm.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\chrome\content\html\bubble_general.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\chrome\content\html\bubble_SPupdate.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\chrome\content\html\deletehistory_processing.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\chrome\content\html\rssreader_advanced.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\chrome\content\html\rssreader_config.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\chrome\content\html\rssreader_simple.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\chrome\content\html\settings_askdialog.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\chrome\content\html\settings_checkboxdialog.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\chrome\content\html\settings_closedialog.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\chrome\content\html\settings_main.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\chrome\content\html\tabswelcome.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\chrome\content\html\tabswelcome_ie7footer.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\chrome\content\html\tabswelcome_ie7header.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\chrome\content\html\toolbarprotector_window.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\chrome\content\html\updater_processing.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\ch_26\chrome\content\html\tabswelcome.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\ch_26\chrome\content\html\tabswelcome_ie7header.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\ch_41\chrome\content\html\tabswelcome.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\ch_41\chrome\content\html\tabswelcome_ie7header.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\ch_42\chrome\content\html\tabswelcome.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\ch_42\chrome\content\html\tabswelcome_ie7header.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\ch_49\chrome\content\html\tabswelcome.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AVG\AVG9\Toolbar.old\Firefox\avg@igeared\ch_49\chrome\content\html\tabswelcome_ie7header.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\PokerStars\backup\gx\templates\dialog.html Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\PokerStars\gx\templates\dialog.html Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I


    And the Combofix Log

    ComboFix 10-12-31.02 - Emily Scott 01/01/2011 15:03:48.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1022.467 [GMT 0:00]
    Running from: c:\documents and settings\Emily Scott\My Documents\Downloads\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\program files\Internet Explorer\complete.dat
    c:\program files\Internet Explorer\dmlconf.dat
    c:\windows\system32\STEC3.sys
    c:\windows\system32\system

    ----- BITS: Possible infected sites -----

    hxxp://assist.talktalk.net
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_STEC3
    -------\Service_STEC3


    ((((((((((((((((((((((((( Files Created from 2010-12-01 to 2011-01-01 )))))))))))))))))))))))))))))))
    .

    2010-12-31 15:38 . 2010-12-31 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2010-12-19 18:06 . 2010-12-19 18:06 -------- d-----w- c:\documents and settings\Emily Scott\Application Data\Malwarebytes
    2010-12-19 18:05 . 2010-12-19 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-12-19 18:05 . 2010-11-29 17:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-19 18:05 . 2010-12-19 18:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-19 18:05 . 2010-11-29 17:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-15 16:18 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-15 16:14 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-18 18:12 . 2004-08-10 13:02 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-06 00:26 . 2004-08-10 12:51 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26 . 2004-08-10 12:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26 . 2004-08-10 12:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25 . 2004-08-10 12:51 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2004-08-10 12:51 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2004-08-10 12:50 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2004-08-10 12:51 1853312 ----a-w- c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-09-08 22:08 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-08 279944]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-08 279944]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 147456]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-20 39408]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 282624]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
    "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-01-24 26112]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-24 98304]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 202016]
    "4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2008-12-08 15:50 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
    "c:\\Program Files\\TalkTalk\\bin\\sprtsvc.exe"=
    "c:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"=
    "c:\\Program Files\\Kontiki\\KService.exe"=
    "c:\\Documents and Settings\\Jws\\Desktop\\utorrent.exe"=
    "c:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"=
    "c:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
    "c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
    "c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

    R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [12/10/2007 09:33 202016]
    R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\SupportSoft\bin\tgsrvc.exe [02/08/2007 14:42 148768]
    S2 gupdate1c9ae405065311e;Google Update Service (gupdate1c9ae405065311e);c:\program files\Google\Update\GoogleUpdate.exe [26/03/2009 18:25 133104]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [?]
    S3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]
    S3 iadusb;MT882;c:\windows\system32\drivers\glauiad.sys [11/01/2008 20:06 29696]
    S3 jgameenp;jgameenp;\??\c:\docume~1\Jws\LOCALS~1\Temp\jgameenp.sys --> c:\docume~1\Jws\LOCALS~1\Temp\jgameenp.sys [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-01 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-20 19:14]

    2011-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 18:25]

    2010-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 18:25]

    2011-01-01 c:\windows\Tasks\User_Feed_Synchronization-{493AA78B-28A5-4BF1-A22D-23C6F2656669}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.facebook.com/
    mSearch Bar = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=5070124
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Emily Scott\Application Data\Mozilla\Firefox\Profiles\j4rrxsx5.default\
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b11505a&v=6.010.006.004&i=23&tp=ab&iy=&ychte=uk&lng=en-GB&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: British English Dictionary: en-GB@dictionaries.addons.mozilla.org - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-TaskTray - (no file)
    Notify-avgrsstarter - avgrsstx.dll
    AddRemove-All ATI Software - c:\program files\ATI Technologies\UninstallAll\AtiCimUn.exe
    AddRemove-Boots F2CD Picture Suite - c:\program files\Boots F2CD\Picture Suite\Uninstal.exe
    AddRemove-GameSpy Arcade - c:\progra~1\GAMESP~1\UNWISE.EXE
    AddRemove-InstallShield_{1A5488D7-314D-4CBC-89BF-C5B59510BDBA} - c:\progra~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe
    AddRemove-InstallShield_{20C45B32-5AB6-46A4-94EF-58950CAF05E5} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
    AddRemove-MT882 - c:\program files\MT882\Adsl\uninstall.exe
    AddRemove-Nero - Burning Rom!UninstallKey - c:\program files\Nero\Nero 7\\nero\uninstall\UNNERO.exe
    AddRemove-PictureItPrem_v11 - c:\program files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe
    AddRemove-PokerStars - c:\program files\PokerStars\PokerStarsUninstall.exe
    AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update\\rnuninst.exe
    AddRemove-Scooby-Doo(TM), Jinx At The Sphinx(TM) - c:\program files\The Learning Company\Scooby-Doo(TM)
    AddRemove-StreetPlugin - c:\program files\Learn2.com\StRunner\stuninst.exe
    AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe
    AddRemove-{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31} - c:\program files\InstallShield Installation Information\{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}\setup.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-01 15:11
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1584)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\CTsvcCDA.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Kontiki\KService.exe
    c:\windows\stsystra.exe
    c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-01 15:14:27 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-01-01 15:14

    Pre-Run: 20,969,701,376 bytes free
    Post-Run: 21,565,730,816 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - 4C075F81156D5732A0E7AFDADE77567F
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sorry to have to start off your New Year like this, but you have an incurable, polymorphic Ramnit malware infection.

    Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

    With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the operating system.

    Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

    Ramnit is commonly spread via a usb, pen, thumb, jump, flash drive where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote crack or keygen sites. These types of sites are infested with numerous malware and are a major source of system infection.

    In my opinion, Ramnit.A is not effectively curable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.
    Backdoors and What They Mean to You

    Important Note: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.
    (Text courtesy Broni)

    You will find excellent reformat/reinstall instructions here:
    http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html
     
  7. jig1980

    jig1980 TS Rookie Topic Starter

    Thanks for your valued advice Bobbye,

    I now have a nice new shiny and 'Clean' Computer. I ummmmed and arrrred about whether to fully format and re-install the infected PC, but as you said

    "there is no guarantee this infection can be completely removed" .

    And

    "It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed."

    This made up my mind, and I bought a new machine. Needed an upgrade anyway ;0) Many thanks for your help in this matter.

    I have many Photos and Word Documents on the old PC which I stupidly have no backup for. Would these also be infected with the Ramnit virus and therefore infect the new machine if I were to transfer them over via disk or email?

    Really appreciated your help.

    Jig
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The photos are probably okay, but the Word docs are 'iffy'. I cannot guarantee the files aren't infected. If you've been using a flash drive, don't put that into the new machine unless you disinfect first- and then I'm not sure if it will touch Ramnit. The best I can do is offer the following tips to help you keep the system clean:

    Tips for added security and safer browsing:
    1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
      This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
    2. Have layered Security:
      • Antivirus Software (only one): Both of the following programs are free and known to be good:
        [o]Avira Free
        [o]Avast Home
      • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
        [o]Comodo
        [o]Zone Alarm
      • Antispyware: I recommend all of the following:
        [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
        [o]Download ZonedOut and save to your desktop. This replaces IE/Spyad and manages the Zones in Internet Explorer. This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
        For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.
        IE/Spyad is no longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is up-to-date before adding sites to your restricted zone.
        Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites - ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroy's immunization the problem goes away...
        [o]Replace the Hosts File
        MVPS Hosts files: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
        [o]Google Toolbar: Get the free Google Toolbar to help stop pop up windows.
    3. Stay current on updates:
      [o] Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates.
      [o] Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
      [o] Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    4. Reset Cookies to prevent Tracking Cookies:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
    5. Do regular Maintenance
      Remove Temporary Internet Files regularly:
      [o]ATF Cleaner by Atribune
      OR
      [o]TFC
      Disable and Enable System Restore:
      [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    6. Practice Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.

    And use a Site Advisor:
    The Web of Trust (WOT) add-on is a safe surfing tool for your browser. Traffic-light rating symbols rate the site for Trustworthiness, Vendor Reliability, Privacy and Child Safety. Your online email account – Google Mail, Yahoo! Mail and Hotmail – is also protected.

    Every time you do a search and the screen comes up with the sites, they will have the rating light. Green (2 shades), Amber/Yellow Caution, Red> not advised. A few sites haven't been rated and show as a blue flashlight.

    If you want to link from the page you're on to another site, WOT will give you an Alert that the site is known for fraudulent entries, unreliable or other and the site won't load. Don't worry- those Alerts don't happen if you stick to the green rating.

    Give it a try- http://www.mywot.com/en/download
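An added example, not from the thread or from any tool it mentions, of the triage Jig's question calls for: sort files recovered from the infected PC into buckets before copying them to the clean machine, using the file types this thread names as Ramnit's targets (.exe, .dll, .htm, .html) and Bobbye's "iffy" verdict on Word documents. The bucket names, the magic-byte heuristic and the constructed sample files are my own assumptions.

```python
# Added example, not from the thread: triage files recovered from a Ramnit-infected
# PC before moving them to a clean one. .exe/.dll and .htm/.html are the thread's
# infection targets; Word docs are "iffy"; photos are checked by their first bytes.
import os
import tempfile

INFECTION_TARGETS = {".exe", ".dll", ".htm", ".html"}  # file types the thread names
IMAGE_MAGIC = {  # first bytes of genuine image formats (heuristic, not an AV scan)
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}
PE_MAGIC = b"MZ"  # DOS/PE executable header


def classify(path):
    """Return 'do-not-copy', 'scan-first' or 'likely-safe' for one file."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(8)
    if ext in INFECTION_TARGETS or head.startswith(PE_MAGIC):
        # Ramnit's targets, plus anything carrying a PE header whatever it is named.
        return "do-not-copy"
    if ext in IMAGE_MAGIC:
        # A real image starts with its format signature; a mismatch means the
        # extension is lying, so the file goes to the scanner instead.
        return "likely-safe" if head.startswith(IMAGE_MAGIC[ext]) else "scan-first"
    # Word documents and anything unrecognised: scan on the clean machine first.
    return "scan-first"


def triage(root):
    """Walk a directory tree and group relative paths by classification."""
    report = {"do-not-copy": [], "scan-first": [], "likely-safe": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            report[classify(full)].append(os.path.relpath(full, root))
    return report


def demo():
    """Triage a constructed sample tree (synthetic bytes, not real files from the PC)."""
    root = tempfile.mkdtemp()
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,  # genuine JPEG header
        "fake.jpg": b"MZ\x90\x00" + b"\x00" * 12,           # PE disguised as a photo
        "letter.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 12,   # Word document
        "index.html": b"<html></html>",                     # HTML: infection target
        "setup.exe": b"MZ\x90\x00" + b"\x00" * 12,          # executable
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return triage(root)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(bucket, sorted(paths))
```

Point `triage()` at the folder holding the copied photos and documents; everything in the "likely-safe" bucket still deserves an antivirus pass on the new machine, since the header check only catches mislabelled executables.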
     