Virus removal problem, logs attached

PottymouthNZ

I have AVG and it flagged a Trojan virus, namely the Cryptic.bgz virus; I attempted to remove it but it still shows up.

Ran through the 8-step process.

Log from Malwarebytes

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5124

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

16/11/2010 10:19:48 p.m.
mbam-log-2010-11-16 (22-19-48).txt

Scan type: Quick scan
Objects scanned: 198957
Time elapsed: 7 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\U36VRSFLG6 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS (Trojan.Renos) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINXP\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

GMER Log
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-11-16 22:26:38
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e ST3808110AS rev.3.ADH
Running: i5koibu0.exe; Driver: C:\DOCUME~1\Peter\LOCALS~1\Temp\kwliypog.sys


---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----


Then DDS logs

DDS (Ver_10-11-10.01) - NTFSx86
Run by Peter at 22:40:23.01 on Tue 16/11/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.64.1033.18.2038.1286 [GMT 13:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINXP\system32\svchost -k DcomLaunch
svchost.exe
C:\WINXP\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINXP\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINXP\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINXP\system32\crypserv.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINXP\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINXP\System32\svchost.exe -k HPZ12
C:\WINXP\System32\svchost.exe -k HPZ12
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINXP\system32\svchost.exe -k imgsvc
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
C:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\WINXP\system32\wwSecure.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINXP\system32\msiexec.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINXP\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINXP\MXOALDR.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes1\iTunesHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe

Attach
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-10.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 8/06/2008 5:20:33 p.m.
System Uptime: 16/11/2010 10:31:28 p.m. (0 hours ago)

Motherboard: Dell Inc. | | 0PJ149
Processor: Intel(R) Pentium(R) D CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 74 GiB total, 8.752 GiB free.
D: is CDROM (CDFS)
I: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia 6300
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia 6300
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd

==== System Restore Points ===================

RP853: 29/08/2010 11:51:35 p.m. - System Checkpoint
RP854: 30/08/2010 10:12:59 p.m. - Removed ESET NOD32 Antivirus
RP855: 31/08/2010 10:30:46 p.m. - System Checkpoint
RP856: 1/09/2010 10:44:41 p.m. - System Checkpoint
RP857: 2/09/2010 11:32:00 p.m. - System Checkpoint
RP858: 3/09/2010 11:44:40 p.m. - System Checkpoint
RP859: 5/09/2010 12:44:40 a.m. - System Checkpoint
RP860: 6/09/2010 1:44:43 a.m. - System Checkpoint
RP861: 7/09/2010 2:44:42 a.m. - System Checkpoint
RP862: 8/09/2010 5:16:13 a.m. - System Checkpoint
RP863: 9/09/2010 5:44:41 a.m. - System Checkpoint
RP864: 9/09/2010 8:02:35 a.m. - Avg8 Update
RP865: 10/09/2010 9:11:33 a.m. - System Checkpoint
RP866: 11/09/2010 9:44:41 a.m. - System Checkpoint
RP867: 12/09/2010 10:44:41 a.m. - System Checkpoint
RP868: 13/09/2010 11:17:10 a.m. - System Checkpoint
RP869: 14/09/2010 1:06:57 p.m. - System Checkpoint
RP870: 15/09/2010 9:38:17 p.m. - System Checkpoint
RP871: 16/09/2010 10:21:53 p.m. - System Checkpoint
RP872: 18/09/2010 12:33:51 p.m. - System Checkpoint
RP873: 19/09/2010 2:48:11 p.m. - System Checkpoint
RP874: 20/09/2010 3:30:09 p.m. - System Checkpoint
RP875: 21/09/2010 3:55:09 p.m. - System Checkpoint
RP876: 21/09/2010 11:56:17 p.m. - Software Distribution Service 3.0
RP877: 22/09/2010 10:37:29 p.m. - Software Distribution Service 3.0
RP878: 23/09/2010 10:52:53 p.m. - System Checkpoint
RP879: 25/09/2010 8:30:08 a.m. - System Checkpoint
RP880: 26/09/2010 8:59:09 a.m. - System Checkpoint
RP881: 27/09/2010 10:34:58 a.m. - System Checkpoint
RP882: 28/09/2010 11:18:38 a.m. - System Checkpoint
RP883: 29/09/2010 12:18:40 p.m. - System Checkpoint
RP884: 30/09/2010 1:18:39 p.m. - System Checkpoint
RP885: 1/10/2010 3:22:47 p.m. - System Checkpoint
RP886: 2/10/2010 4:20:33 p.m. - System Checkpoint
RP887: 3/10/2010 5:20:33 p.m. - System Checkpoint
RP888: 4/10/2010 10:24:20 p.m. - System Checkpoint
RP889: 6/10/2010 9:29:09 p.m. - System Checkpoint
RP890: 7/10/2010 8:12:11 a.m. - Avg8 Update
RP891: 8/10/2010 8:28:55 a.m. - System Checkpoint
RP892: 9/10/2010 10:20:03 a.m. - System Checkpoint
RP893: 10/10/2010 11:03:47 a.m. - System Checkpoint
RP894: 11/10/2010 12:58:31 p.m. - System Checkpoint
RP895: 12/10/2010 1:32:45 p.m. - System Checkpoint
RP896: 13/10/2010 2:48:19 p.m. - System Checkpoint
RP897: 14/10/2010 4:08:33 p.m. - System Checkpoint
RP898: 15/10/2010 4:57:05 p.m. - System Checkpoint
RP899: 16/10/2010 5:17:36 p.m. - System Checkpoint
RP900: 17/10/2010 6:17:36 p.m. - System Checkpoint
RP901: 18/10/2010 6:17:45 p.m. - System Checkpoint
RP902: 19/10/2010 7:00:39 p.m. - System Checkpoint
RP903: 20/10/2010 8:05:10 p.m. - System Checkpoint
RP904: 21/10/2010 10:03:33 p.m. - System Checkpoint
RP905: 23/10/2010 11:44:40 a.m. - System Checkpoint
RP906: 24/10/2010 10:45:43 p.m. - System Checkpoint
RP907: 26/10/2010 12:59:37 p.m. - System Checkpoint
RP908: 27/10/2010 9:47:37 a.m. - Avg8 Update
RP909: 27/10/2010 9:49:16 a.m. - Avg8 Update
RP910: 27/10/2010 9:55:01 p.m. - Software Distribution Service 3.0
RP911: 28/10/2010 4:27:25 p.m. - Software Distribution Service 3.0
RP912: 28/10/2010 4:28:41 p.m. - Installed Java(TM) 6 Update 22
RP913: 29/10/2010 5:47:08 p.m. - System Checkpoint
RP914: 30/10/2010 10:54:08 p.m. - System Checkpoint
RP915: 1/11/2010 12:26:00 p.m. - System Checkpoint
RP916: 2/11/2010 12:29:14 p.m. - System Checkpoint
RP917: 3/11/2010 1:22:21 p.m. - System Checkpoint
RP918: 4/11/2010 2:32:23 p.m. - System Checkpoint
RP919: 5/11/2010 3:23:19 p.m. - System Checkpoint
RP920: 6/11/2010 3:52:37 p.m. - System Checkpoint
RP921: 7/11/2010 4:52:38 p.m. - System Checkpoint
RP922: 9/11/2010 7:48:20 a.m. - System Checkpoint
RP923: 10/11/2010 11:25:17 a.m. - System Checkpoint
RP924: 11/11/2010 12:57:21 p.m. - System Checkpoint
RP925: 12/11/2010 1:35:54 p.m. - System Checkpoint
RP926: 13/11/2010 2:12:49 p.m. - System Checkpoint
RP927: 14/11/2010 2:42:48 p.m. - System Checkpoint
RP928: 14/11/2010 11:58:34 p.m. - Software Distribution Service 3.0
RP929: 16/11/2010 4:24:49 a.m. - System Checkpoint
RP930: 16/11/2010 9:45:00 p.m. - Spyware Terminator - restore point

==== Installed Programs ======================

32 Bit HP CIO Components Installer
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9.4.0
Adobe Shockwave Player 11.5
AIO_Scan
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG Free 8.5
Bonjour
CDDRV_Installer
Chessmaster 10th Edition
Compact Wireless-G USB Adapter
Compatibility Pack for the 2007 Office system
ConvertHelper 2.2
Cordless DUALphone Suite
Crawler Toolbar with Web Security Guard
Diskeeper 2008 Pro Premier
dj_aio_corporate
DJ_AIO_ProductContext
DJ_AIO_Software_min
DVD Decrypter (Remove Only)
DVD Region Killer
EMBASSY Security Center
ESET Online Scanner v3
F4100_Help
ffdshow [rev 1281] [2007-06-12]
Google Earth
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Deskjet All-In-One Driver Software 9.0.A Corporate Edition
Intel(R) Graphics Media Accelerator Driver
iTunes
Java Auto Updater
Java(TM) 6 Update 22
JumpStart Typing
KhalInstallWrapper
Logitech Audio Echo Cancellation Component
Logitech QuickCam
Logitech SetPoint
Logitech® Camera Driver
Malwarebytes' Anti-Malware
Maxtor OneTouch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.7
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.6.12)
MSVC80_x86
MSVC80_x86_v2
MSVC90_x86
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Multimedia Card Reader
MVision
MYOB Accounting v16
NavRules 2.2.4
Nero Suite
Nokia Connectivity Cable Driver
Nokia Ovi Suite
Nokia Ovi Suite Software Updater
Nokia PC Suite
NTRU Hybrid TSS v1.05
OpenCPN version 1.3.6
OpenSource Flash Video Splitter (remove only)
Ovi Desktop Sync Engine
OviMPlatform
PC Connectivity Solution
PrimoPDF
PrimoPDF Redistribution Package
QuickTime
Radar Training Simulator Mk2
Retrospect 6.0
Safari
Samsung PC Studio 1.0 PIM & File Manager
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2183461)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sentinel System Driver
Skype Toolbars
Skype™ 4.2
Spyware Terminator
STMicroelectronics TPM Software Package
Toolbox
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB898461)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
USB Storage Adapter FX (MXO)
WD Diagnostics
WebFldrs XP
WIDCOMM Bluetooth Software
Window Washer
Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.4)
Windows Driver Package - Nokia Modem (10/05/2009 4.2)
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
XviD MPEG-4 Video Codec

==== Event Viewer Messages From Past Week ========

16/11/2010 9:46:37 p.m., error: Service Control Manager [7034] - The Spyware Terminator Realtime Shield Service service terminated unexpectedly. It has done this 1 time(s).
16/11/2010 9:46:36 p.m., error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
16/11/2010 9:46:35 p.m., error: Service Control Manager [7034] - The Washer Security Access service terminated unexpectedly. It has done this 1 time(s).
16/11/2010 9:46:35 p.m., error: Service Control Manager [7034] - The NTRU Hybrid TSS v1.05 TCSD service terminated unexpectedly. It has done this 1 time(s).
16/11/2010 9:46:35 p.m., error: Service Control Manager [7034] - The AVG8 E-mail Scanner service terminated unexpectedly. It has done this 1 time(s).
16/11/2010 9:46:34 p.m., error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
16/11/2010 9:46:34 p.m., error: Service Control Manager [7034] - The Diskeeper service terminated unexpectedly. It has done this 1 time(s).
16/11/2010 9:46:34 p.m., error: Service Control Manager [7031] - The AVG8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
16/11/2010 9:46:33 p.m., error: Service Control Manager [7034] - The Process Monitor service terminated unexpectedly. It has done this 1 time(s).
16/11/2010 9:46:33 p.m., error: Service Control Manager [7034] - The DataSvr service terminated unexpectedly. It has done this 1 time(s).
16/11/2010 9:46:33 p.m., error: Service Control Manager [7034] - The Crypkey License service terminated unexpectedly. It has done this 1 time(s).
16/11/2010 9:46:33 p.m., error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
16/11/2010 9:46:33 p.m., error: Service Control Manager [7031] - The Bluetooth Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
16/11/2010 9:46:33 p.m., error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
16/11/2010 2:56:54 a.m., error: Service Control Manager [7023] - The SSHNAS service terminated with the following error: The specified module could not be found.
16/11/2010 10:32:31 p.m., error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
13/11/2010 7:39:20 p.m., error: Tcpip [4191] - IP could not open the registry key for adapter TCPIP\Parameters\Adapters\NDISWANIP. Interfaces on this adapter will not be initialized.

==== End Of File ===========================

Hope this helps

Regards

PottymouthNZ
 
Welcome to TechSpot. FYI, AVG will continue to flag an entry even if it's in a location that isn't active. Let's see where it is:

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
 
Bobbeye, many thanks for looking at this

Eset scan done and log posted.
It said it found nothing. Does this mean the computer is not infected?

I await your reply

Thanks again

PM


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=e02aa3ec9ff35a4d9288895dcae498b3
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-15 05:11:11
# local_time=2010-11-16 06:11:11 (+1200, New Zealand Daylight Time)
# country="New Zealand"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 77036686 77036686 0 0
# compatibility_mode=5121 16777214 0 3 76962522 76962522 0 0
# compatibility_mode=5889 16764286 0 94 76260240 135391360 0 0
# compatibility_mode=8192 67108863 100 0 1094 1094 0 0
# scanned=142869
# found=0
# cleaned=0
# scan_time=8779
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=e02aa3ec9ff35a4d9288895dcae498b3
# end=stopped
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-18 06:50:49
# local_time=2010-11-18 07:50:49 (+1200, New Zealand Daylight Time)
# country="New Zealand"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777191 100 0 77267385 77267385 0 0
# compatibility_mode=5121 16777214 0 3 77193221 77193221 0 0
# compatibility_mode=5889 16764286 0 94 76490939 135622059 0 0
# compatibility_mode=7937 16777213 100 100 0 619343 0 0
# compatibility_mode=8192 67108863 100 0 231793 231793 0 0
# scanned=6291
# found=0
# cleaned=0
# scan_time=58
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=e02aa3ec9ff35a4d9288895dcae498b3
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-18 07:48:55
# local_time=2010-11-18 08:48:55 (+1200, New Zealand Daylight Time)
# country="New Zealand"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777191 100 0 77267727 77267727 0 0
# compatibility_mode=5121 16777214 0 3 77193563 77193563 0 0
# compatibility_mode=5889 16764286 0 94 76491281 135622401 0 0
# compatibility_mode=7937 16777213 100 100 0 619685 0 0
# compatibility_mode=8192 67108863 100 0 232135 232135 0 0
# scanned=132826
# found=0
# cleaned=0
# scan_time=3202
 
Unfortunately, a clean Eset scan does not mean the entire system is clean. It is mainly a virus scanner. There is a great deal of malware that is described differently. Sometimes a virus scanner can detect one it can't clean, other times it gets missed entirely. Or it could be a false positive. But my guess is that this name sounds more like a Trojan rather than a virus - there is a difference.

And as I told you "AVG will continue to flag an entry even if it's in a location that isn't active" such as if malware was in a restore point or quarantined by another program. Mbam removed several infections.

I am concerned that you are not using the current version of AVG which is v9 or v10. I note several entries for AVG v8 and the installed list shows AVG v8.5. So I suggest you update to the most current version. If the update doesn't overwrite the older version, you should remove it in Add/Remove Programs in the Control Panel.
=========================================
Please run the following so I can check for any other bad entries:
Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
============================================
Download the HijackThis Installer and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
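The three ESET Online Scanner logs posted earlier in the thread illustrate the caveat above: "found=0" is only a clean verdict when the run actually finished, and one of the three runs ends with `end=stopped` after 6291 objects while another reports a scanner update error before the scan. The script below is an added example for this thread, not code from ESET, TechSpot or any poster. It parses the `# key=value` block the scanner writes (the format shown in the logs above), splits concatenated runs on the `ESETSmartInstaller@High as downloader log:` header, and gives each run a verdict. The sample input is a constructed, abbreviated copy of the three posted runs; the field names are those visible in the logs.

```python
"""Triage ESET Online Scanner logs of the kind posted in this thread.

Added example; not code from ESET or from any poster. The parser works on
the '# key=value' block the scanner writes, as shown in the posted logs.
"""
import re
from dataclasses import dataclass

# Constructed sample: abbreviated copies of the three runs posted above.
SAMPLE_LOG = """\
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# end=finished
# remove_checked=true
# unwanted_checked=true
# antistealth_checked=true
# local_time=2010-11-16 06:11:11 (+1200, New Zealand Daylight Time)
# scanned=142869
# found=0
# cleaned=0
# scan_time=8779
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# end=stopped
# remove_checked=false
# unwanted_checked=true
# antistealth_checked=true
# local_time=2010-11-18 07:50:49 (+1200, New Zealand Daylight Time)
# scanned=6291
# found=0
# cleaned=0
# scan_time=58
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# end=finished
# remove_checked=false
# unwanted_checked=true
# antistealth_checked=true
# local_time=2010-11-18 08:48:55 (+1200, New Zealand Daylight Time)
# scanned=132826
# found=0
# cleaned=0
# scan_time=3202
"""

RUN_HEADER = "ESETSmartInstaller@High as downloader log:"
KV_RE = re.compile(r"^# (\w+)=(.*)$")


@dataclass
class EsetRun:
    fields: dict   # key=value pairs from the '# ' lines
    notes: list    # other non-empty lines after the header, e.g. update errors


def parse_eset_log(text):
    """Split concatenated scanner output into runs, one per header line."""
    runs = []
    current = None
    for line in text.splitlines():
        if line.strip() == RUN_HEADER:
            current = EsetRun(fields={}, notes=[])
            runs.append(current)
            continue
        if current is None:
            continue  # text before the first header is ignored
        m = KV_RE.match(line)
        if m:
            current.fields[m.group(1)] = m.group(2)
        elif line.strip() and line.strip() != "all ok":
            current.notes.append(line.strip())
    return runs


def assess_run(run):
    """Return (verdict, reasons). 'clean' requires a finished run with found=0
    and no update error; otherwise 'findings' or 'inconclusive'."""
    f = run.fields
    reasons = []
    if f.get("end") != "finished":
        reasons.append(f"scan did not finish (end={f.get('end')}, scanned={f.get('scanned')})")
    if any("esets_scanner_update" in n and "-1" in n for n in run.notes):
        reasons.append("signature update reported an error; scan may have used stale signatures")
    found = int(f.get("found", "0"))
    if found > 0:
        return "findings", [f"found={found}, cleaned={f.get('cleaned')}"] + reasons
    if reasons:
        return "inconclusive", reasons
    return "clean", [f"finished, scanned={f.get('scanned')} objects, found=0"]


def triage(text):
    """Verdict and reasons for every run in a pasted log."""
    return [assess_run(r) for r in parse_eset_log(text)]


if __name__ == "__main__":
    for i, (verdict, reasons) in enumerate(triage(SAMPLE_LOG), 1):
        print(f"run {i}: {verdict}")
        for r in reasons:
            print("   -", r)
```

Run against the sample, only the first run comes out `clean`; the second is `inconclusive` because it was stopped early, and the third because the scanner update failed. A verdict of `clean` from this script still only means "ESET saw nothing", which is exactly the limitation described above.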
 
Next step completed

I loaded the latest AVG version, which at 110 MB took ages, only to find Combofix will not run with AVG installed, even after disabling it! Real pain in the butt.

So I uninstalled AVG, then ran Combofix and HijackThis.

Combofix log

ComboFix 10-11-19.01 - Peter 20/11/2010 12:58:18.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.64.1033.18.2038.1562 [GMT 13:00]
Running from: c:\documents and settings\Peter\Desktop\ComboFix.exe
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Peter\Recent\Evony-Free_Forever.url
c:\documents and settings\Peter\Recent\Thumbs.db
c:\winxp\jestertb.dll
c:\winxp\system32\AutoRun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS


((((((((((((((((((((((((( Files Created from 2010-10-20 to 2010-11-20 )))))))))))))))))))))))))))))))
.

2010-11-19 09:16 . 2010-11-19 09:16 -------- d-----w- c:\documents and settings\Peter\Application Data\AVG10
2010-11-19 09:14 . 2010-11-19 09:14 -------- d--h--w- c:\documents and settings\All Users.WINXP\Application Data\Common Files
2010-11-19 09:13 . 2010-11-19 23:39 -------- d-----w- c:\documents and settings\All Users.WINXP\Application Data\AVG10
2010-11-19 08:42 . 2010-11-19 09:02 -------- d-----w- c:\documents and settings\All Users.WINXP\Application Data\MFAData
2010-11-18 08:29 . 2010-11-18 08:29 -------- d-----w- c:\documents and settings\Peter\Application Data\opencpn
2010-11-16 09:02 . 2010-11-16 09:02 -------- d-----w- c:\documents and settings\Peter\Application Data\Malwarebytes
2010-11-16 09:01 . 2010-04-29 02:39 38224 ----a-w- c:\winxp\system32\drivers\mbamswissarmy.sys
2010-11-16 09:01 . 2010-11-16 09:01 -------- d-----w- c:\documents and settings\All Users.WINXP\Application Data\Malwarebytes
2010-11-16 09:01 . 2010-11-16 09:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-16 09:01 . 2010-04-29 02:39 20952 ----a-w- c:\winxp\system32\drivers\mbam.sys
2010-11-16 08:34 . 2010-11-16 08:34 142592 ----a-w- c:\winxp\system32\drivers\sp_rsdrv2.sys
2010-11-16 08:34 . 2010-11-18 06:54 -------- d-----w- c:\documents and settings\Peter\Application Data\Spyware Terminator
2010-11-16 08:34 . 2010-11-19 08:28 -------- d-----w- c:\documents and settings\All Users.WINXP\Application Data\Spyware Terminator
2010-11-16 08:34 . 2010-11-18 06:54 -------- d-----w- c:\program files\Spyware Terminator
2010-11-15 14:26 . 2010-11-15 14:26 -------- d-----w- c:\program files\ESET
2010-11-05 22:37 . 2010-11-05 22:37 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-11-05 22:37 . 2010-11-05 22:37 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2010-10-28 03:27 . 2010-07-16 12:05 1288192 -c----w- c:\winxp\system32\dllcache\ole32.dll
2010-10-26 20:20 . 2010-09-18 06:53 953856 -c----w- c:\winxp\system32\dllcache\mfc40u.dll
2010-10-26 20:20 . 2010-09-18 06:53 974848 -c----w- c:\winxp\system32\dllcache\mfc42.dll
2010-10-26 20:17 . 2010-08-23 16:12 617472 -c----w- c:\winxp\system32\dllcache\comctl32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 06:53 . 2006-02-28 12:00 974848 ----a-w- c:\winxp\system32\mfc42.dll
2010-09-18 06:53 . 2006-02-28 12:00 954368 ----a-w- c:\winxp\system32\mfc40.dll
2010-09-18 06:53 . 2006-02-28 12:00 953856 ----a-w- c:\winxp\system32\mfc40u.dll
2010-09-17 23:23 . 2006-02-28 12:00 974848 ----a-w- c:\winxp\system32\mfc42u.dll
2010-09-14 15:50 . 2010-06-07 09:31 472808 ----a-w- c:\winxp\system32\deployJava1.dll
2010-09-14 13:29 . 2010-03-31 21:14 73728 ----a-w- c:\winxp\system32\javacpl.cpl
2010-09-07 22:17 . 2010-09-07 22:17 94208 ----a-w- c:\winxp\system32\QuickTimeVR.qtx
2010-09-07 22:17 . 2010-09-07 22:17 69632 ----a-w- c:\winxp\system32\QuickTime.qts
2010-09-01 11:51 . 2006-02-28 12:00 285824 ----a-w- c:\winxp\system32\atmfd.dll
2010-08-31 13:42 . 2006-02-28 12:00 1852800 ----a-w- c:\winxp\system32\win32k.sys
2010-08-27 08:02 . 2006-02-28 12:00 119808 ----a-w- c:\winxp\system32\t2embed.dll
2010-08-27 05:57 . 2006-02-28 12:00 99840 ----a-w- c:\winxp\system32\srvsvc.dll
2010-08-26 13:39 . 2006-02-28 12:00 357248 ----a-w- c:\winxp\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-16 04:39 5120 ----a-w- c:\winxp\system32\xpsp4res.dll
2010-08-23 16:12 . 2006-02-28 12:00 617472 ----a-w- c:\winxp\system32\comctl32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2005-08-08 1109504]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-09-02 13351304]
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2010-11-16 3037696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"igfxtray"="c:\winxp\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\winxp\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\winxp\system32\igfxpers.exe" [2005-10-14 114688]
"MaxtorOneTouch"="c:\progra~1\Maxtor\OneTouch\Utils\OneTouch.exe" [2004-12-21 823296]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"MXOBG"="c:\winxp\MXOALDR.EXE" [2006-10-28 94208]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-09-03 139264]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-03 185896]
"RegKillElbyCheck"="c:\program files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2002-11-02 45056]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-28 76304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-13 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-07 421888]
"iTunesHelper"="c:\program files\iTunes1\iTunesHelper.exe" [2010-09-23 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\winxp\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users.WINXP\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-1 568176]
Cordless DUALphone Startup.lnk - c:\program files\Cordless USB Phone\Cordless DUALphone Suite.exe [2006-7-24 625000]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-8-17 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-01 14:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LightMaster\\Radar Training Simulator Mk2\\LMMessages.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Nokia\\Nokia Ovi Suite\\NokiaOviSuite.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Participatory Culture Foundation\\Miro\\Miro_Downloader.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\iTunes1\\iTunes.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 stmtpm;STM TPM Service;c:\winxp\system32\drivers\stm_tpm.sys [8/06/2008 6:34 p.m. 21504]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\winxp\system32\drivers\sp_rsdrv2.sys [16/11/2010 9:34 p.m. 142592]
R2 sentemul;sentemul;c:\winxp\system32\drivers\SentEmul.sys [16/05/2010 3:56 p.m. 11812]
R3 RegKill;RegKill;c:\winxp\system32\drivers\RegKill.sys [28/11/2002 10:46 a.m. 6400]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/07/2009 3:27 a.m. 133104]
S3 ADM8511;%ADM8511.Service.DispName%;c:\winxp\system32\drivers\ADM8511.SYS [17/08/2001 1:11 p.m. 20160]
S3 SunkFilt6;Alcor Micro Corp - 6360;\??\c:\winxp\System32\Drivers\sunkfilt6.sys --> c:\winxp\System32\Drivers\sunkfilt6.sys [?]
S3 SunkFilt62;Alcor Micro Corp - 6362;c:\winxp\system32\drivers\sunkfilt62.sys [23/07/2004 3:55 p.m. 46536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-11-06 c:\winxp\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 00:34]

2010-11-20 c:\winxp\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-06 14:27]

2010-11-19 c:\winxp\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-06 14:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.co.nz/nwshp?ie=UTF-8&hl=en&tab=wn
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {697C63E7-B68E-467B-8AD7-3F5C58A13340} = 202.27.158.40,202.27.156.72
FF - ProfilePath - c:\documents and settings\Peter\Application Data\Mozilla\Firefox\Profiles\4e134232.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://news.google.co.nz/nwshp?hl=en&tab=wn|http://metservice.com/marine/index|....nz/|https://mail.coastguard.org.nz/exchange/
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\iTunes1\Mozilla Plugins\npitunes.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winxp\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-20 13:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(7972)
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\winxp\system32\btmmhook.dll
c:\winxp\system32\WPDShServiceObj.dll
c:\winxp\system32\btncopy.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\winxp\system32\PortableDeviceTypes.dll
c:\winxp\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\winxp\system32\crypserv.exe
c:\program files\Wave Systems Corp\Common\DataServer.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
c:\program files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\winxp\system32\wwSecure.exe
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
.
**************************************************************************
.
Completion time: 2010-11-20 13:14:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-20 00:14

Pre-Run: 8,371,892,224 bytes free
Post-Run: 8,268,337,152 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINXP
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINXP="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 44F8F4F8C45D4FEE2956784B7C60FC09

Hijackthis log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:21:36 p.m., on 20/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINXP\system32\crypserv.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINXP\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINXP\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
C:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINXP\system32\wwSecure.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINXP\system32\hkcmd.exe
C:\WINXP\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINXP\MXOALDR.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes1\iTunesHelper.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINXP\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINXP\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINXP\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.co.nz/nwshp?ie=UTF-8&hl=en&tab=wn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINXP\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINXP\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINXP\system32\igfxpers.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINXP\MXOALDR.EXE
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes1\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Cordless DUALphone Startup.lnk = C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{697C63E7-B68E-467B-8AD7-3F5C58A13340}: NameServer = 202.27.158.40,202.27.156.72
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINXP\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINXP\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINXP\SYSTEM32\crypserv.exe
O23 - Service: DataSvr - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: NTRU Hybrid TSS v1.05 TCSD (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINXP\system32\wwSecure.exe

--
End of file - 9859 bytes
 
For next time, FYI: the part of AVG causing the problem is the Resident Shield. Here are the instructions to temporarily disable it:

Please open the AVG Control Center
  • Double-click on the "AVG Resident Shield" component
  • Uncheck the "Turn on AVG Resident Shield" checkmark
  • Save the setting.
Then re-enable when finished:
  • Open the AVG Control Center
  • Double-click on the "AVG Resident Shield" component
  • Check the "Turn on AVG Resident Shield" checkmark
  • Save the setting.
===================================
Are you using a driver for SunkFilt62 from Alcor Micro Corp? Did you update it? There are 2 versions, SunkFilt6 and SunkFilt62, and they are questioned in ComboFix.
==========================================
ComboFix removed >> c:\winxp\system32\AutoRun.inf. This worm spreads through removable storage devices, email attachments, infected files and chat programs. If you have been using a flash drive, we will need to disinfect that.

Other than that, the system is clean and no other changes need to be made.
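The AutoRun.inf worm mentioned above spreads by dropping a launch directive on removable drives. As an added example that is not from this thread or from ComboFix, the following Python check parses a drive's autorun.inf and reports what Windows XP would run on insertion; the sample autorun.inf contents are constructed and nothing else is assumed.

```python
"""Check a drive root's autorun.inf for directives that launch code.

Added example, not ComboFix code and not the helper's. It parses the
INI-style autorun.inf that AutoRun worms drop on flash drives and reports
what Windows XP would run on insertion or via Explorer's Open/Explore verbs.
"""
import os
import re
import string
import sys

LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... replaces the program behind a context-menu verb
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")
# Folders Explorer hides by default: a favourite parking spot for payloads
HIDDEN_DIR_RE = re.compile(
    r"(^|[\\/])(recycler|recycled|\$recycle\.bin|system volume information)([\\/]|$)",
    re.IGNORECASE,
)


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, keys lower-cased.

    Lines that are not key=value are skipped rather than rejected: worms
    pad autorun.inf with junk lines to trip up strict INI parsers.
    """
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()
    return entries


def program_of(command):
    """Extract the program path from a command line, honouring quotes."""
    if command.startswith('"') and command.count('"') >= 2:
        return command.split('"')[1]
    return command.split()[0] if command.split() else command


def assess(entries):
    """Return (key, command, reasons) for every directive that runs code."""
    findings = []
    for key, command in entries.items():
        if key not in LAUNCH_KEYS and not SHELL_CMD_RE.match(key):
            continue
        low = program_of(command).lower()
        name = re.split(r"[\\/]", low)[-1]
        reasons = []
        if low.endswith(EXEC_EXT):
            reasons.append("runs executable " + name)
        if HIDDEN_DIR_RE.search(low):
            reasons.append("payload stored in a folder Explorer hides by default")
        if key.startswith("shell\\"):
            reasons.append("hijacks Explorer verb '%s'" % key.split("\\")[1])
        if name.count(".") > 1:  # e.g. holiday.jpg.exe
            reasons.append("double file extension")
        findings.append((key, command, reasons))
    return findings


def scan_drive_root(root):
    """Return (status, findings) for one drive root such as 'E:\\'."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        # A folder named autorun.inf is the classic immunisation: the worm
        # cannot create its file, so there is nothing to parse.
        return "immunized", []
    if not os.path.isfile(path):
        return "absent", []
    with open(path, "rb") as fh:
        text = fh.read().decode("latin-1")  # tolerate junk bytes
    return "present", assess(parse_autorun(text))


# Constructed sample in the style of the AutoRun worms of this era.
SAMPLE_WORM_INF = """[autorun]
;comment line
!@#$%^&*()junk
open=RECYCLER\\S-1-5-21-0000\\svchost.exe
shell\\open\\Command=RECYCLER\\S-1-5-21-0000\\svchost.exe
shell\\explore\\Command=RECYCLER\\S-1-5-21-0000\\svchost.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Constructed benign sample: a driver CD that launches its own installer.
SAMPLE_BENIGN_INF = """[autorun]
open=setup.exe
icon=setup.exe,0
label=Driver CD
"""

if __name__ == "__main__":
    # Pass mount points as arguments, or let it walk Windows drive letters.
    roots = sys.argv[1:] or [c + ":\\" for c in string.ascii_uppercase
                             if os.path.exists(c + ":\\")]
    for root in roots:
        status, findings = scan_drive_root(root)
        print(root, status)
        for key, command, reasons in findings:
            print("   %s=%s | %s" % (key, command, "; ".join(reasons)))
```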
 
SunkFilt62 from Alcor Micro Corp no idea what this is.

I do use a flash drive but haven't used it for some time.

Many thanks for your assistance.
 
You're welcome, glad to help.

Let's just remove the oldest of the 2: Please run this Custom CFScript:

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the code box below into it:
Code:
File::
c:\winxp\System32\Drivers\sunkfilt6.sys
Driver::
SunkFilt6;Alcor Micro Corp - 6360;\??\ --> c:\winxp\System32\Drivers\sunkfilt6.sys [?]
Save this as CFScript.txt, in the same location as ComboFix.exe.
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
====================
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup.
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

Let me know if you have any more questions.
 
File removal ComboFix log

Bobbeye, here is the latest log file.

ComboFix 10-11-24.01 - Peter 25/11/2010 9:33.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.64.1033.18.2038.1297 [GMT 13:00]
Running from: c:\documents and settings\Peter\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Peter\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}

FILE ::
"c:\winxp\System32\Drivers\sunkfilt6.sys"
.

((((((((((((((((((((((((( Files Created from 2010-10-24 to 2010-11-24 )))))))))))))))))))))))))))))))
.

2010-11-20 01:14 . 2010-09-07 13:52 165584 ----a-w- c:\winxp\system32\drivers\aswSP.sys
2010-11-20 01:14 . 2010-09-07 13:47 17744 ----a-w- c:\winxp\system32\drivers\aswFsBlk.sys
2010-11-20 01:14 . 2010-09-07 13:47 23376 ----a-w- c:\winxp\system32\drivers\aswRdr.sys
2010-11-20 01:14 . 2010-09-07 13:52 46672 ----a-w- c:\winxp\system32\drivers\aswTdi.sys
2010-11-20 01:14 . 2010-09-07 13:47 100176 ----a-w- c:\winxp\system32\drivers\aswmon2.sys
2010-11-20 01:14 . 2010-09-07 13:47 94544 ----a-w- c:\winxp\system32\drivers\aswmon.sys
2010-11-20 01:14 . 2010-09-07 13:46 28880 ----a-w- c:\winxp\system32\drivers\aavmker4.sys
2010-11-20 01:14 . 2010-09-07 14:12 38848 ----a-w- c:\winxp\avastSS.scr
2010-11-20 01:14 . 2010-09-07 14:11 167592 ----a-w- c:\winxp\system32\aswBoot.exe
2010-11-20 01:14 . 2010-11-20 01:14 -------- d-----w- c:\program files\Alwil Software
2010-11-20 01:14 . 2010-11-20 01:14 -------- d-----w- c:\documents and settings\All Users.WINXP\Application Data\Alwil Software
2010-11-20 00:20 . 2010-11-20 00:20 388096 ----a-r- c:\documents and settings\Peter\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-20 00:20 . 2010-11-20 00:20 -------- d-----w- c:\program files\Trend Micro
2010-11-19 09:16 . 2010-11-19 09:16 -------- d-----w- c:\documents and settings\Peter\Application Data\AVG10
2010-11-19 09:14 . 2010-11-19 09:14 -------- d--h--w- c:\documents and settings\All Users.WINXP\Application Data\Common Files
2010-11-19 09:13 . 2010-11-19 23:39 -------- d-----w- c:\documents and settings\All Users.WINXP\Application Data\AVG10
2010-11-19 08:42 . 2010-11-19 09:02 -------- d-----w- c:\documents and settings\All Users.WINXP\Application Data\MFAData
2010-11-18 08:29 . 2010-11-18 08:29 -------- d-----w- c:\documents and settings\Peter\Application Data\opencpn
2010-11-16 09:02 . 2010-11-16 09:02 -------- d-----w- c:\documents and settings\Peter\Application Data\Malwarebytes
2010-11-16 09:01 . 2010-04-29 02:39 38224 ----a-w- c:\winxp\system32\drivers\mbamswissarmy.sys
2010-11-16 09:01 . 2010-11-16 09:01 -------- d-----w- c:\documents and settings\All Users.WINXP\Application Data\Malwarebytes
2010-11-16 09:01 . 2010-11-16 09:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-16 09:01 . 2010-04-29 02:39 20952 ----a-w- c:\winxp\system32\drivers\mbam.sys
2010-11-16 08:34 . 2010-11-16 08:34 142592 ----a-w- c:\winxp\system32\drivers\sp_rsdrv2.sys
2010-11-16 08:34 . 2010-11-24 08:13 -------- d-----w- c:\documents and settings\Peter\Application Data\Spyware Terminator
2010-11-16 08:34 . 2010-11-24 12:52 -------- d-----w- c:\documents and settings\All Users.WINXP\Application Data\Spyware Terminator
2010-11-16 08:34 . 2010-11-18 06:54 -------- d-----w- c:\program files\Spyware Terminator
2010-11-15 14:26 . 2010-11-15 14:26 -------- d-----w- c:\program files\ESET
2010-11-05 22:37 . 2010-11-05 22:37 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-11-05 22:37 . 2010-11-05 22:37 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2010-10-28 03:27 . 2010-07-16 12:05 1288192 -c----w- c:\winxp\system32\dllcache\ole32.dll
2010-10-26 20:20 . 2010-09-18 06:53 953856 -c----w- c:\winxp\system32\dllcache\mfc40u.dll
2010-10-26 20:20 . 2010-09-18 06:53 974848 -c----w- c:\winxp\system32\dllcache\mfc42.dll
2010-10-26 20:17 . 2010-08-23 16:12 617472 -c----w- c:\winxp\system32\dllcache\comctl32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 06:53 . 2006-02-28 12:00 974848 ----a-w- c:\winxp\system32\mfc42.dll
2010-09-18 06:53 . 2006-02-28 12:00 954368 ----a-w- c:\winxp\system32\mfc40.dll
2010-09-18 06:53 . 2006-02-28 12:00 953856 ----a-w- c:\winxp\system32\mfc40u.dll
2010-09-17 23:23 . 2006-02-28 12:00 974848 ----a-w- c:\winxp\system32\mfc42u.dll
2010-09-14 15:50 . 2010-06-07 09:31 472808 ----a-w- c:\winxp\system32\deployJava1.dll
2010-09-14 13:29 . 2010-03-31 21:14 73728 ----a-w- c:\winxp\system32\javacpl.cpl
2010-09-07 22:17 . 2010-09-07 22:17 94208 ----a-w- c:\winxp\system32\QuickTimeVR.qtx
2010-09-07 22:17 . 2010-09-07 22:17 69632 ----a-w- c:\winxp\system32\QuickTime.qts
2010-09-01 11:51 . 2006-02-28 12:00 285824 ----a-w- c:\winxp\system32\atmfd.dll
2010-08-31 13:42 . 2006-02-28 12:00 1852800 ----a-w- c:\winxp\system32\win32k.sys
2010-08-27 08:02 . 2006-02-28 12:00 119808 ----a-w- c:\winxp\system32\t2embed.dll
2010-08-27 05:57 . 2006-02-28 12:00 99840 ----a-w- c:\winxp\system32\srvsvc.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-11-20_00.11.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-23 18:41 . 2010-11-23 18:41 16384 c:\winxp\Temp\Perflib_Perfdata_7ec.dat
+ 2010-11-23 18:41 . 2010-11-23 18:41 16384 c:\winxp\Temp\Perflib_Perfdata_4dc.dat
+ 2010-11-20 00:20 . 2010-11-20 00:20 1094656 c:\winxp\Installer\108ded.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2005-08-08 1109504]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-09-02 13351304]
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2010-11-16 3037696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"igfxtray"="c:\winxp\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\winxp\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\winxp\system32\igfxpers.exe" [2005-10-14 114688]
"MaxtorOneTouch"="c:\progra~1\Maxtor\OneTouch\Utils\OneTouch.exe" [2004-12-21 823296]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"MXOBG"="c:\winxp\MXOALDR.EXE" [2006-10-28 94208]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-09-03 139264]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-03 185896]
"RegKillElbyCheck"="c:\program files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2002-11-02 45056]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-28 76304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-13 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-07 421888]
"iTunesHelper"="c:\program files\iTunes1\iTunesHelper.exe" [2010-09-23 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\winxp\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users.WINXP\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-1 568176]
Cordless DUALphone Startup.lnk - c:\program files\Cordless USB Phone\Cordless DUALphone Suite.exe [2006-7-24 625000]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-8-17 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-01 14:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LightMaster\\Radar Training Simulator Mk2\\LMMessages.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Nokia\\Nokia Ovi Suite\\NokiaOviSuite.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Participatory Culture Foundation\\Miro\\Miro_Downloader.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\iTunes1\\iTunes.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 stmtpm;STM TPM Service;c:\winxp\system32\drivers\stm_tpm.sys [8/06/2008 6:34 p.m. 21504]
R1 aswSP;aswSP;c:\winxp\system32\drivers\aswSP.sys [20/11/2010 2:14 p.m. 165584]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\winxp\system32\drivers\sp_rsdrv2.sys [16/11/2010 9:34 p.m. 142592]
R2 aswFsBlk;aswFsBlk;c:\winxp\system32\drivers\aswFsBlk.sys [20/11/2010 2:14 p.m. 17744]
R2 sentemul;sentemul;c:\winxp\system32\drivers\SentEmul.sys [16/05/2010 3:56 p.m. 11812]
R3 RegKill;RegKill;c:\winxp\system32\drivers\RegKill.sys [28/11/2002 10:46 a.m. 6400]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/07/2009 3:27 a.m. 133104]
S3 ADM8511;%ADM8511.Service.DispName%;c:\winxp\system32\drivers\ADM8511.SYS [17/08/2001 1:11 p.m. 20160]
S3 SunkFilt6;Alcor Micro Corp - 6360;\??\c:\winxp\System32\Drivers\sunkfilt6.sys --> c:\winxp\System32\Drivers\sunkfilt6.sys [?]
S3 SunkFilt62;Alcor Micro Corp - 6362;c:\winxp\system32\drivers\sunkfilt62.sys [23/07/2004 3:55 p.m. 46536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-11-06 c:\winxp\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 00:34]

2010-11-24 c:\winxp\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-06 14:27]

2010-11-24 c:\winxp\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-06 14:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.co.nz/nwshp?ie=UTF-8&hl=en&tab=wn
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {697C63E7-B68E-467B-8AD7-3F5C58A13340} = 202.27.158.40,202.27.156.72
FF - ProfilePath - c:\documents and settings\Peter\Application Data\Mozilla\Firefox\Profiles\4e134232.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://news.google.co.nz/nwshp?hl=en&tab=wn|http://metservice.com/marine/index|....nz/|https://mail.coastguard.org.nz/exchange/
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\iTunes1\Mozilla Plugins\npitunes.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winxp\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-25 09:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\winxp\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(4128)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\winxp\system32\btmmhook.dll
c:\winxp\system32\WPDShServiceObj.dll
c:\winxp\system32\PortableDeviceTypes.dll
c:\winxp\system32\PortableDeviceApi.dll
.
Completion time: 2010-11-25 09:40:03
ComboFix-quarantined-files.txt 2010-11-24 20:40
ComboFix2.txt 2010-11-20 00:14

Pre-Run: 7,544,975,360 bytes free
Post-Run: 7,606,915,072 bytes free

- - End Of File - - 45D347D0D69240A056D582DCB0ED0B8E
 
Before you do the following script, please resolve this:
AV: avast! Antivirus
FW: AVG Firewall


Your log shows AVG 10 running. It also still shows 2010-11-20 c:\program files\Alwil Software and has data files for both programs. You can have one AV program and one firewall. If these are the free versions, I don't think either of them has both an AV and a FW. Please remove one:

Reboot the computer when through.

Please tell me which one you removed or which you're keeping. I will add any remaining entries for the one removed to the script below. Don't run the script yet. Wait until you tell me which one goes.
==========================================
Hold on script below

Short Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
c:\winxp\System32\Drivers\sunkfilt6.sys

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sunkist2k"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
Driver::
SunkFilt6
Save this as CFScript.txt, in the same location as ComboFix.exe
(image: CFScriptB-4.gif)


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
====================
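A CFScript is applied by ComboFix as written: the File:: and Driver:: entries are removed and the Registry:: block is merged directly, so a dropped backslash or a missing quote can leave the intended item untouched or, worse, point at something else. The linter below is an added example for this thread, not ComboFix's own code or anything the poster supplied. It parses the script's sections and checks each entry before the file is dragged onto ComboFix.exe: paths must be absolute, core binaries under the real system directory are refused, registry lines must be well-formed REGEDIT4 and follow a [key] header, and driver entries must be bare service names. The section list, the protected-file list and the two embedded scripts (one reproducing the garbled text from this thread, one reconstructed from the ComboFix log above) are this example's own assumptions.

```python
"""Lint a ComboFix CFScript before dragging it onto ComboFix.exe.

Added example for this thread; not ComboFix's own code. A CFScript is
plain text: a section header such as File::, Registry:: or Driver::
followed by one entry per line. Registry:: uses REGEDIT4 syntax
("Name"=- deletes a value, [-Key] deletes a key). Section names,
the protected-file list and every check here are this example's own.
"""
import re
from pathlib import PureWindowsPath

# Sections used in the script above plus a few common ones (assumption; extend as needed).
KNOWN_SECTIONS = {"File", "Folder", "Registry", "Driver", "KillAll", "Collect", "DDS", "Reboot"}

# Core binaries a cleanup script must never delete from the real system directory.
PROTECTED_BASENAMES = {
    "ntoskrnl.exe", "hal.dll", "smss.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe", "ntdll.dll", "kernel32.dll",
    "user32.dll", "win32k.sys", "ntfs.sys",
}
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS",
         "HKEY_CLASSES_ROOT", "HKLM", "HKCU", "HKU", "HKCR")

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")
REG_KEY_RE = re.compile(r"^\[-?([^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^(?:"[^"]+"|@)=.+$')
DRIVER_RE = re.compile(r"^[A-Za-z0-9_.\-]+$")


def _check_path(entry):
    """Problems with one File::/Folder:: entry (empty list if none)."""
    if not ABS_PATH_RE.match(entry):
        return [f"not an absolute drive path: {entry}"]
    p = PureWindowsPath(entry)
    parent = p.parent
    in_sysdir = parent.name.lower() == "system32" or (
        parent.name.lower() == "drivers" and parent.parent.name.lower() == "system32")
    if in_sysdir and p.name.lower() in PROTECTED_BASENAMES:
        return [f"would delete a core system file: {entry}"]
    return []


def lint(script):
    """Return [(line_no, message), ...]; an empty list means every entry parsed cleanly."""
    problems, section, have_key = [], None, False
    for n, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, have_key = m.group(1), False
            if section not in KNOWN_SECTIONS:
                problems.append((n, f"unknown section '{section}::'"))
            continue
        if section is None:
            problems.append((n, "entry before any section header"))
        elif section in ("File", "Folder"):
            problems.extend((n, msg) for msg in _check_path(line))
        elif section == "Registry":
            k = REG_KEY_RE.match(line)
            if k:
                have_key = True
                if not k.group(1).upper().startswith(HIVES):
                    problems.append((n, f"registry key does not start with a hive: {line}"))
            elif REG_VALUE_RE.match(line):
                if not have_key:
                    problems.append((n, "registry value before any [key] header"))
            else:
                problems.append((n, f"malformed registry line: {line}"))
        elif section == "Driver" and not DRIVER_RE.match(line):
            problems.append((n, f"driver entry must be a bare service name: {line}"))
    return problems


# Constructed input: the script exactly as it was garbled on this page ...
GARBLED = "\n".join([
    "File::",
    r"c:winxpp\System32\Driverssunkfiltt6syss",
    "",
    "Registry::",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsCurrentVersionn\Run]",
    '"Sunkist2k"=-',
    r"[HKEY_LOCAL_MACHINE\softwaremicrosoftt\security center]",
    'AntiVirusOverridee"=-',
    "Driver::",
    "SunkFilt66",
])
# ... and the intended script, reconstructed from the ComboFix log above.
CLEAN = "\n".join([
    "File::",
    r"c:\winxp\System32\Drivers\sunkfilt6.sys",
    "",
    "Registry::",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    '"Sunkist2k"=-',
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]",
    '"AntiVirusOverride"=-',
    "Driver::",
    "SunkFilt6",
])

if __name__ == "__main__":
    for label, text in (("garbled", GARBLED), ("clean", CLEAN)):
        print(label, lint(text) or "OK")
```

Run against the garbled text the linter reports the path on line 2 and the unquoted value on line 8; the reconstructed script passes. The protected-file rule is deliberately narrow: it blocks deleting svchost.exe from System32 but not a copy planted in a Temp directory, which is exactly the case where deleting it is wanted.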
 
Did you run the Avast Removal Tool? Please do that, then run a new Combofix scan. Right now, it is full of Avast entries. Then I will redo the script to add any left over entries.

When done, download HijackThis from http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save it to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file will be saved and then the log will open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
 
Avg !!

I did run the Avast! removal tool, and I have reinstalled ComboFix for the scan. Problem is it will not run with AVG even with all settings disabled/stopped.

Message reads
Combofix cannot run when AVG is installed.
This is due to AVG's targeting of ComboFix's files/processes. It would be dangerous to continue.

Please uninstall AVG or use another tool

Is there anything else we could use?
 
AVG just isn't making any sense to me! You ran ComboFix already! It really doesn't need to be run again. I've already ended this thread when I gave you the cleaning tools removal. Just between the two of us, I wish you had kept Avast instead of AVG!

Please do the HijackThis scan. Don't attempt to rerun any of the other programs again please.
 
Hijackthis Log

Bobbeye
I decided to keep AVG because it found the trojan, so I know it works well.

Here is the log file

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:51:08 a.m., on 1/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINXP\system32\crypserv.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINXP\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINXP\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
C:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\WINXP\system32\wwSecure.exe
C:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINXP\system32\hkcmd.exe
C:\WINXP\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINXP\MXOALDR.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes1\iTunesHelper.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\avgfws.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Office 2003\OFFICE11\OUTLOOK.EXE
C:\Office 2003\OFFICE11\WINWORD.EXE
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Peter\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.co.nz/nwshp?ie=UTF-8&hl=en&tab=wn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINXP\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINXP\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINXP\system32\igfxpers.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINXP\MXOALDR.EXE
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes1\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Cordless DUALphone Startup.lnk = C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{697C63E7-B68E-467B-8AD7-3F5C58A13340}: NameServer = 202.27.158.40,202.27.156.72
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINXP\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINXP\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVG Firewall (avgfws) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgfws.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINXP\SYSTEM32\crypserv.exe
O23 - Service: DataSvr - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: NTRU Hybrid TSS v1.05 TCSD (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINXP\system32\wwSecure.exe

--
End of file - 11612 bytes
 
[QUOTE]I decided to keep AVG because it found the trojan, so I know it works well.[/QUOTE]
Ah but do you know what it might have missed?!

I missed this earlier: your log shows running processes like this:

C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe


Running processes: They would normally display like this:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe

Just a few examples.

The only connection to the WINXP is in the Service for Webroot which has:
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINXP\system32\wwSecure.exe

Another example:
This > C:\WINXP\system32\wwSecure.exe would normally display as C:\WINDOWS\system32\wwSecure.exe

Do you have any idea why the Directory is WINXP and not WINDOWS?
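The question above turns on the name of the Windows directory. Windows can be installed to any directory (C:\WINXP is simply what was chosen at setup on this machine), and a custom name is not by itself a sign of compromise; what a responder needs to check is that every core binary sits under whichever system root the machine really uses, and that root can be read from the log itself as the directory holding System32\smss.exe. The script below is an added example for this thread, not HijackThis or ComboFix code. It derives the system root that way, then flags core binaries running from anywhere else (the classic masquerading trick: a second svchost.exe in a Temp folder or directly in the Windows directory), O4 autoruns that have no absolute path or point into user-writable directories, and O23 services with no publisher. The sample log mixes a few lines from the log above with planted entries marked in the code; the rule set is this example's own.

```python
"""Triage a HijackThis log without assuming the Windows directory is named WINDOWS.

Added example for this thread; not HijackThis code. The system root is taken
from the log (the directory that holds System32 and smss.exe), and every other
entry is judged against that, so a machine installed to C:/WINXP is treated the
same as one installed to C:/WINDOWS. All heuristics here are this example's own.
"""
import re
from pathlib import PureWindowsPath

# Core binaries and the directory (relative to the system root) they must run from.
CORE_BINARIES = {
    "smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
    "spoolsv.exe": "system32", "explorer.exe": "",
}
# Directory fragments an ordinary user can write to; autoruns from here deserve a look.
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\application data\\", "\\users\\")

SMSS_RE = re.compile(r"^(?P<root>[A-Za-z]:\\.*?)\\system32\\smss\.exe$", re.I)
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|scr|com|bat|cmd)\b', re.I)
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$")


def running_processes(log):
    """Lines between 'Running processes:' and the next blank line."""
    procs, inside = [], False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            inside = True
            continue
        if inside:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def system_root(procs):
    """Derive the Windows directory from where smss.exe is actually running."""
    for p in procs:
        m = SMSS_RE.match(p)
        if m:
            return m.group("root")
    raise ValueError("no <root>/System32/smss.exe among running processes")


def triage(log):
    """Return (category, line) findings; an empty list means nothing stood out."""
    procs = running_processes(log)
    root = system_root(procs).lower()
    findings = []
    for p in procs:
        wp = PureWindowsPath(p)
        name = wp.name.lower()
        if name in CORE_BINARIES:
            expected = root if not CORE_BINARIES[name] else f"{root}\\{CORE_BINARIES[name]}"
            if str(wp.parent).lower() != expected:
                findings.append(("core binary outside its system directory", p))
    for line in log.splitlines():
        if line.startswith("O4 - "):
            m = PATH_RE.search(line)
            if not m:
                findings.append(("autorun without an absolute path (search-path dependent)", line))
            elif any(frag in m.group(0).lower() for frag in USER_WRITABLE):
                findings.append(("autorun from a user-writable location", line))
        elif line.startswith("O23 - "):
            m = O23_RE.match(line)
            if m and m.group("owner") == "Unknown owner":
                findings.append(("service with no publisher; verify the file", line))
            elif m and any(frag in m.group("path").lower() for frag in USER_WRITABLE):
                findings.append(("service binary in a user-writable location", line))
    return findings


# Constructed sample: lines from the log above plus three planted entries (marked).
SAMPLE_LOG = "\n".join([
    "Logfile of Trend Micro HijackThis v2.0.4",
    "Platform: Windows XP SP3 (WinNT 5.01.2600)",
    "",
    "Running processes:",
    r"C:\WINXP\System32\smss.exe",
    r"C:\WINXP\system32\winlogon.exe",
    r"C:\WINXP\system32\svchost.exe",
    r"C:\WINXP\Explorer.EXE",
    r"C:\Documents and Settings\Peter\Local Settings\Temp\svchost.exe",  # planted
    r"C:\WINXP\svchost.exe",                                               # planted
    "",
    r"O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe",
    r"O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE",
    r'O4 - HKCU\..\Run: [updater] "C:\Documents and Settings\Peter\Application Data\updater.exe" /s',  # planted
    r"O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe",
    r"O23 - Service: NTRU Hybrid TSS v1.05 TCSD (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe",
])

if __name__ == "__main__":
    print("system root:", system_root(running_processes(SAMPLE_LOG)))
    for category, line in triage(SAMPLE_LOG):
        print(f"[{category}] {line}")
```

On the sample the two planted svchost.exe copies are reported although they sit under C:\WINXP and under the user's Temp, while the genuine C:\WINXP\system32\svchost.exe and C:\WINXP\Explorer.EXE are not, because they match the root the log itself establishes. The bare KHALMNPR.EXE entry and the NTRU service are reported as items to verify rather than as malware: a bare name in a Run key is resolved through the search path, and "Unknown owner" only means the binary carries no publisher information.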
 
Closed due to inactivity. If the problem persists and you need the thread reopened, please send me a PM. Threads are closed after 5 days of inactivity.
 