I have the Win32/Zbot.g

Welcome to TechSpot! I'll help with the malware.

My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
Would it be correct to say that you have AVG and it warned about this infection? Hopefully we can find the entries, starting off with the following:

Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
============================================
When you have finished with the above, please run this online virus scan:
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Download the ESET Smart Installer and save it to your desktop.
    [o] Double click on the esetSmartInstall icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

Include the Eset log if there is one.
 
Ahh, you're a life saver. I've got to pop to the shop but I'll go through that as soon as I get back!

Thanks again!
 
Well I can't get GMER or DDS to download from those links but here's the Malwarebytes log at least:
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7696

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/09/2011 23:45:46
mbam-log-2011-09-10 (23-45-46).txt

Scan type: Quick scan
Objects scanned: 154298
Time elapsed: 27 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
e:\Desktop\Stuff!!\adobe_photoshop_cs3\Shfolder.dll (Malware.Packer.Gen) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MraNnbgu (Trojan.Agent) -> Value: MraNnbgu -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
e:\Desktop\Stuff!!\adobe_photoshop_cs3\Shfolder.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\application data\ellbdxwe\mrannbgu.exe (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\administrator\start menu\programs\startup\mrannbgu.exe (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\administrator\local settings\temp\eaxipdibotumqvds.exe (Trojan.Agent) -> Quarantined and deleted successfully.
 
The DDS link is good. It has a file extension that is sometimes blocked.

Please download this file: xp_scr_fix.

Unpack (unzip) the file onto your desktop and double-click it. You will be asked if you wish to merge the file with your registry, say Yes.

You should then be able to run DDS.scr.

It's the .scr file extension causing the problem.
 
huh. I tried that and it still just opens as a blank page and nothing happens?

Sorry for being a pain >.< lol
 
Did you run the Eset scan yet? Log?

I'll have you go back to DDS after I see this log.
 
Is there any message on the blank page anywhere?
Does it say Done on the bottom left of the screen?
Are you able to connect using other links, such as one of the Bookmarks?
=======================================
Please reboot your computer into Safe Mode by doing the following:
  • Restart the computer and start tapping the F8 key right after the logo loads
  • Select the Safe Mode option when the Windows Advanced Options menu appears.
-------------------------
Then run exeHelper

Please download exeHelper to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
 
Well, I've got ESET working here and I've got it running now but it's taking a looong time lol. I should have the results up later.
 
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\1\798d9401-7b2c972d a variant of Java/Agent.DM trojan
C:\Documents and Settings\Administrator\My Documents\Downloads\BestSpywareScanner_Setup.exe multiple threats
C:\Documents and Settings\Administrator\My Documents\main formating programmes winrared\Nero.v.8.3.6.0.rar Win32/Toolbar.AskSBar application
C:\Qoobox\Quarantine\C\Program Files\Best Spyware Scanner\BestSpywareScanner.exe.vir a variant of Win32/Adware.SpywareCease application
C:\Qoobox\Quarantine\C\Program Files\Best Spyware Scanner\RkHitApi.dll.vir a variant of Win32/Adware.SpywareCease.AA application
C:\Qoobox\Quarantine\C\WINXP\system32\drivers\RKHit.sys.vir Win32/Adware.SpywareCease application
E:\Desktop\Stuff!!\FFSetup220.exe Win32/Adware.ADON application
E:\Desktop\Stuff!!\Setups\XoftspySE\xoftspyse.4.22.0.12.patch-icu.zip probably a variant of Win32/Agent.ISNEPRR trojan
 
Is the E drive a flash drive? You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
You have a folder named E:\Desktop\Stuff!! that has malware.

Please disinfect all removable drives:
  1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
  3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  4. Wait until it has finished scanning and then exit the program.
  5. Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
=================
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files 
    C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\1\798d9401-7b2c972d 
    C:\Documents and Settings\Administrator\My Documents\Downloads\BestSpywareScanner_Setup.exe 
    C:\Documents and Settings\Administrator\My Documents\main formating programmes winrared\Nero.v.8.3.6.0.rar 
    E:\Desktop\Stuff!!\FFSetup220.exe 
    E:\Desktop\Stuff!!\Setups\XoftspySE\xoftspyse.4.22.0.12.patch-icu.zip 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=======================================
Please do not download any more antispyware programs unless I instruct you to. Looks like you tried 'Best Spyware Scanner'; it came with malware. Same with XoftSpy.
======================================
There is also malware in the Java cache so it needs to be cleared:
To clear the Java Plug-in cache:
  1. Click Start > Control Panel.
  2. Double-click the Java icon in the Control Panel. The Java Control Panel appears.
  3. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
  4. Click Delete Files. The Delete Temporary Files dialog box appears.
  5. Click OK on the Delete Temporary Files window.
     Note: This deletes all the Downloaded Applications and Applets from the cache.
  6. Click Apply > OK on the Temporary Files Settings window.
====================================
It appears that you have or had Combofix on the system. 3 entries in Eset are in the Qoobox. That is where Combofix sends the files it quarantines. Right now I have no information on your system, so I'd like you to proceed as follows:

1. Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
========================================
2. Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 3 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
  • Rkill.com
  • Rkill.scr
  • Rkill.exe
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately try to run the following:

Please download exeHelper by Raktor and save it to your desktop.
  • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
  • A black window should pop up, press any key to close once the fix is completed.
  • A log file called exehelperlog.txt will be created and should open at the end of the scan.
  • A copy of that log will also be saved in the directory where you ran exeHelper.com
  • Copy and paste the contents of exehelperlog.txt in your next reply.

Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).
=========================================
After running the above, please download and run DDS:
  • Download DDS by sUBs and save it to your desktop.

    After downloading the tool, disconnect from the internet and disable all antivirus protection.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • When done, DDS will open two (2) logs: Please paste both in your next reply.
    [o] DDS.txt
    [o] Attach.txt
  • Close the program window, and delete the program from your desktop.
  • Enable your Antivirus protection and reconnect to the internet.
Please note: You may have to disable any script protection running if the scan fails to run.

Leave the logs in your next reply: the combination of RKill/exeHelper and the 2 logs from DDS.
 
All processes killed
========== FILES ==========
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\1\798d9401-7b2c972d moved successfully.
C:\Documents and Settings\Administrator\My Documents\Downloads\BestSpywareScanner_Setup.exe moved successfully.
C:\Documents and Settings\Administrator\My Documents\main formating programmes winrared\Nero.v.8.3.6.0.rar moved successfully.
E:\Desktop\Stuff!!\FFSetup220.exe moved successfully.
E:\Desktop\Stuff!!\Setups\XoftspySE\xoftspyse.4.22.0.12.patch-icu.zip moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 516303830 bytes
->Temporary Internet Files folder emptied: 3755569 bytes
->Java cache emptied: 737 bytes
->FireFox cache emptied: 192029762 bytes
->Flash cache emptied: 8780 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1630838 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 633646 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 72373457 bytes

Total Files Cleaned = 750.00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 09272011_174353

Files moved on Reboot...

Registry entries deleted on Reboot...

exeHelper by Raktor
Build 20100414
Run at 17:57:25 on 09/27/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.0.0
Run by Administrator at 18:04:45 on 2011-09-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.557 [GMT 1:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINXP\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINXP\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINXP\System32\wltrysvc.exe
C:\WINXP\System32\bcmwltry.exe
C:\WINXP\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINXP\system32\IoctlSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINXP\notepad.exe
C:\WINXP\system32\hkcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINXP\system32\wltray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\WINXP\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINXP\explorer.exe
C:\WINXP\system32\notepad.exe
C:\WINXP\system32\notepad.exe
.
============== Pseudo HJT Report ===============
.
mStart Page = about:blank
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\winxp\system32\ctfmon.exe
mRun: [IgfxTray] c:\winxp\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\winxp\system32\hkcmd.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [wltray.exe] c:\winxp\system32\wltray.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [CTFMON.EXE] c:\winxp\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winxp\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\boiifzig.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
.
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winxp\system32\drivers\avgldx86.sys [2011-9-6 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\winxp\system32\drivers\avgmfx86.sys [2011-9-6 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\winxp\system32\drivers\avgtdix.sys [2011-9-6 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2011-9-6 297752]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-9 366640]
R3 MBAMProtector;MBAMProtector;c:\winxp\system32\drivers\mbam.sys [2011-8-9 22712]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\winxp\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 esgiguard;esgiguard;c:\program files\enigma software group\spyhunter\esgiguard.sys [2011-5-6 13904]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\winxp\system32\drivers\mbamswissarmy.sys [2011-8-9 41272]
S3 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\admini~1\locals~1\temp\tgbunxxv.sys --> c:\docume~1\admini~1\locals~1\temp\tgbunxxv.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\winxp\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-09-27 16:43:53 -------- d-----w- C:\_OTM
2011-09-24 20:49:39 -------- d-----w- c:\program files\AviSynth 2.5
2011-09-24 18:17:08 -------- d-----w- c:\program files\MiniTheatre
2011-09-22 12:19:49 -------- d-----w- c:\program files\ESET
2011-09-18 11:38:17 -------- d-----w- C:\spoolerlogs
2011-09-07 23:32:52 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Adobe
2011-09-06 18:25:09 11952 ----a-w- c:\winxp\system32\avgrsstx.dll
2011-09-06 18:25:07 108552 ----a-w- c:\winxp\system32\drivers\avgtdix.sys
2011-09-06 18:24:57 335240 ----a-w- c:\winxp\system32\drivers\avgldx86.sys
2011-09-06 18:24:51 -------- d-----w- c:\winxp\system32\drivers\Avg
2011-09-06 18:24:49 -------- d-----w- c:\documents and settings\all users\application data\AVG Security Toolbar
2011-09-03 18:53:12 -------- d-----w- C:\$AVG8.VAULT$
2011-09-03 17:32:23 -------- d-----w- c:\program files\AVG
2011-09-03 17:32:19 -------- d-----w- c:\documents and settings\all users\application data\avg8
2011-09-03 17:01:22 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-09-03 17:00:56 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-09-03 16:09:00 -------- d-sha-r- C:\cmdcons
2011-09-03 16:07:14 98816 ----a-w- c:\winxp\sed.exe
2011-09-03 16:07:14 518144 ----a-w- c:\winxp\SWREG.exe
2011-09-03 16:07:14 256000 ----a-w- c:\winxp\PEV.exe
2011-09-03 16:07:14 208896 ----a-w- c:\winxp\MBR.exe
2011-09-03 16:05:26 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Sun
2011-09-03 06:18:22 544656 ----a-w- c:\winxp\system32\deployJava1.dll
2011-09-03 01:30:54 -------- d-----w- c:\winxp\system32\LogFiles
2011-09-02 15:53:02 110080 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{820c0eeb-9b12-4ad5-b39d-d15ed1dbdd06}\IconF7A21AF7.exe
2011-09-02 15:53:02 110080 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{820c0eeb-9b12-4ad5-b39d-d15ed1dbdd06}\IconD7F16134.exe
2011-09-02 15:53:02 110080 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{820c0eeb-9b12-4ad5-b39d-d15ed1dbdd06}\IconCF33A0CE.exe
2011-09-02 15:51:57 -------- d-----w- C:\sh4ldr
2011-09-02 15:51:57 -------- d-----w- c:\program files\Enigma Software Group
2011-09-02 05:11:17 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-09-02 02:55:01 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-09-02 02:54:24 65024 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{cddcbbf1-2703-46bc-938b-bcc81a1eeaaa}\IconCDDCBBF15.exe
2011-09-02 02:54:24 5120 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{cddcbbf1-2703-46bc-938b-bcc81a1eeaaa}\IconCDDCBBF16.exe
2011-09-02 02:54:24 18944 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{cddcbbf1-2703-46bc-938b-bcc81a1eeaaa}\IconCDDCBBF13.exe
2011-09-02 02:52:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-09-02 02:52:21 -------- d-----w- c:\documents and settings\administrator\application data\SUPERAntiSpyware.com
2011-09-02 02:48:14 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2011-09-02 01:24:29 -------- d-----w- c:\documents and settings\administrator\local settings\application data\NPE
2011-09-02 01:24:27 -------- d-----w- c:\documents and settings\all users\application data\Norton
2011-09-01 22:03:54 404640 ----a-w- c:\winxp\system32\FlashPlayerCPLApp.cpl
2011-09-01 21:31:54 134104 ------w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-09-01 21:31:53 16856 ------w- c:\program files\mozilla firefox\plugin-container.exe
2011-09-01 21:31:52 924632 ------w- c:\program files\mozilla firefox\firefox.exe
2011-09-01 21:31:52 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-09-01 21:31:52 785368 ------w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-09-01 21:31:52 719832 ------w- c:\program files\mozilla firefox\mozcpp19.dll
2011-09-01 21:31:52 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-09-01 21:31:52 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-09-01 21:31:52 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-09-01 21:31:52 1846232 ------w- c:\program files\mozilla firefox\mozjs.dll
2011-09-01 21:31:52 15832 ------w- c:\program files\mozilla firefox\mozalloc.dll
2011-09-01 19:28:46 -------- d-----w- c:\documents and settings\administrator\local settings\application data\ellbdxwe
2011-09-01 17:27:45 17801 ----a-w- c:\winxp\system32\drivers\AegisP.sys
2011-09-01 17:25:48 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\DotNetInstaller.exe
2011-09-01 17:25:45 163972 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iGdi.dll
2011-09-01 17:25:42 282756 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\setup.dll
2011-09-01 16:00:51 -------- d-----w- c:\documents and settings\all users\application data\PC Drivers HeadQuarters Inc
2011-09-01 15:49:59 -------- d-----w- c:\documents and settings\administrator\application data\GetRightToGo
.
==================== Find3M ====================
.
2011-09-03 06:17:32 128000 ----a-w- c:\winxp\system32\javacpl.cpl
2011-07-06 18:52:42 41272 ----a-w- c:\winxp\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52:42 22712 ----a-w- c:\winxp\system32\drivers\mbam.sys
.
============= FINISH: 18:05:36.07 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 09/08/2011 03:41:26
System Uptime: 27/09/2011 17:45:46 (1 hours ago)
.
Motherboard: Dell Computer Corp. | | 0G1548
Processor: Intel(R) Celeron(R) CPU 2.40GHz | Microprocessor | 2392/400mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 18.721 GiB free.
D: is CDROM (CDFS)
E: is FIXED (NTFS) - 149 GiB total, 14.88 GiB free.
F: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: BT Voyager 1055 Laptop Adapter
Device ID: USB\VID_1690&PID_0715\0016E3A1C813
Manufacturer: BT
Name: BT Voyager 1055 Laptop Adapter
PNP Device ID: USB\VID_1690&PID_0715\0016E3A1C813
Service: USB_RNDIS
.
Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2702&SUBSYS_8D881043&REV_01\4&3B1CAF2B&0&28F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2702&SUBSYS_8D881043&REV_01\4&3B1CAF2B&0&28F0
Service:
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 440x 10/100 Integrated Controller
Device ID: PCI\VEN_14E4&DEV_4401&SUBSYS_81271028&REV_01\4&3B1CAF2B&0&48F0
Manufacturer: Broadcom
Name: Broadcom 440x 10/100 Integrated Controller
PNP Device ID: PCI\VEN_14E4&DEV_4401&SUBSYS_81271028&REV_01\4&3B1CAF2B&0&48F0
Service: bcm4sbxp
.
==== System Restore Points ===================
.
RP42: 11/09/2011 07:03:33 - System Checkpoint
RP43: 12/09/2011 07:57:43 - System Checkpoint
RP44: 13/09/2011 08:15:18 - System Checkpoint
RP45: 14/09/2011 09:15:26 - System Checkpoint
RP46: 16/09/2011 06:50:53 - System Checkpoint
RP47: 16/09/2011 16:43:37 - Update to an unsigned driver
RP48: 18/09/2011 05:37:09 - System Checkpoint
RP49: 18/09/2011 16:31:19 - Avg8 Update
RP50: 18/09/2011 16:48:21 - Avg8 Update
RP51: 20/09/2011 00:21:23 - System Checkpoint
RP52: 21/09/2011 04:41:12 - System Checkpoint
RP53: 22/09/2011 04:49:42 - System Checkpoint
RP54: 23/09/2011 06:29:25 - System Checkpoint
RP55: 24/09/2011 19:17:01 - Installed MiniCoder
RP56: 25/09/2011 19:26:48 - System Checkpoint
RP57: 26/09/2011 19:39:59 - System Checkpoint
.
==== Installed Programs ======================
.
.
Adobe Flash Player 10 Plugin
Adventure Maker v4.5.2 (build1)
AllToAVI v4 r5394
AVG Free 8.5
AviSynth 2.5
Blender
BT Voyager Wireless Utility
ESET Online Scanner v3
FormatFactory 2.20
Intel(R) Extreme Graphics Driver
Java Auto Updater
Java(TM) 6 Update 7
Java(TM) 7
JDownloader
Malwarebytes' Anti-Malware version 1.51.1.1800
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MiniCoder
Mozilla Firefox 6.0.2 (x86 en-US)
MSXML 6.0 Parser (KB925673)
Nero 8
neroxml
Registry Mechanic 8.0
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB980195)
SpyHunter
SUPERAntiSpyware Free Edition
Update for Microsoft Windows (KB971513)
Update for Windows XP (KB2467659)
Update for Windows XP (KB898461)
VCRedistSetup
VLC media player 1.1.11
WebFldrs XP
Windows Communication Foundation
Windows Presentation Foundation
Windows Workflow Foundation
WinRAR 4.00 (32-bit)
XML Paper Specification Shared Components Pack 1.0
yWriter5
.
==== Event Viewer Messages From Past Week ========
.
27/09/2011 17:48:33, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
27/09/2011 17:48:33, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
27/09/2011 17:43:59, error: Service Control Manager [7034] - The NMIndexingService service terminated unexpectedly. It has done this 1 time(s).
27/09/2011 17:43:57, error: Service Control Manager [7034] - The PLFlash DeviceIoControl Service service terminated unexpectedly. It has done this 1 time(s).
27/09/2011 17:43:57, error: Service Control Manager [7034] - The Nero BackItUp Scheduler 3 service terminated unexpectedly. It has done this 1 time(s).
27/09/2011 17:43:55, error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
27/09/2011 17:43:55, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
27/09/2011 17:43:55, error: Service Control Manager [7034] - The Broadcom Wireless LAN Tray Service service terminated unexpectedly. It has done this 1 time(s).
27/09/2011 17:43:55, error: Service Control Manager [7031] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
21/09/2011 14:13:44, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
20/09/2011 19:43:37, error: W32Time [34] - The time service has detected that the system time needs to be changed by +86515 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com (ntp.m|0x1|192.168.1.66:123->65.55.59.52:123) is working properly.
.
==== End Of File ===========================
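The Event Viewer block above deserves more than a glance: seven services, including MBAMService and the AVG Free8 WatchDog, terminated within four seconds on 27/09, Automatic Updates died with "The specified module could not be found" on 21/09, and W32Time reports the clock is off by +86515 seconds (about a day), which matters when lining these timestamps up against anything else. The script below is an added example, not part of the thread or any poster's words. It parses DDS-formatted event lines, groups Service Control Manager terminations into bursts, flags terminations of security services (the watch list is my assumption) and extracts the W32Time correction. A termination burst like this is equally consistent with a crash or hard reboot, so treat it as a lead, not proof.

```python
import re
from datetime import datetime, timedelta

# Sample input: the "Event Viewer Messages From Past Week" lines copied from the
# DDS log posted above (real log lines, not constructed).
SAMPLE_EVENTS = """\
27/09/2011 17:48:33, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
27/09/2011 17:48:33, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
27/09/2011 17:43:59, error: Service Control Manager [7034] - The NMIndexingService service terminated unexpectedly. It has done this 1 time(s).
27/09/2011 17:43:57, error: Service Control Manager [7034] - The PLFlash DeviceIoControl Service service terminated unexpectedly. It has done this 1 time(s).
27/09/2011 17:43:57, error: Service Control Manager [7034] - The Nero BackItUp Scheduler 3 service terminated unexpectedly. It has done this 1 time(s).
27/09/2011 17:43:55, error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
27/09/2011 17:43:55, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
27/09/2011 17:43:55, error: Service Control Manager [7034] - The Broadcom Wireless LAN Tray Service service terminated unexpectedly. It has done this 1 time(s).
27/09/2011 17:43:55, error: Service Control Manager [7031] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
21/09/2011 14:13:44, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
20/09/2011 19:43:37, error: W32Time [34] - The time service has detected that the system time needs to be changed by +86515 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com (ntp.m|0x1|192.168.1.66:123->65.55.59.52:123) is working properly.
"""

# DDS prints events as "DD/MM/YYYY HH:MM:SS, <level>: <source> [<event id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), (?P<level>\w+): "
    r"(?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)
SERVICE_RE = re.compile(r"^The (?P<svc>.+?) service terminated")
SKEW_RE = re.compile(r"changed by ([+-]\d+) seconds")

# Assumed watch list of security-relevant service names; extend for your estate.
SECURITY_SERVICES = {"MBAMService", "AVG Free8 WatchDog", "Automatic Updates"}


def parse_events(text):
    """Parse DDS event lines into dicts, oldest first (DDS prints newest first)."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip separators and anything not in the DDS event format
        events.append({
            "ts": datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S"),
            "source": m["source"],
            "id": int(m["id"]),
            "msg": m["msg"],
        })
    return sorted(events, key=lambda e: e["ts"])


def terminated_services(events):
    """(timestamp, service) for SCM 7031/7034 (terminated unexpectedly) and 7023 (terminated with error)."""
    hits = []
    for e in events:
        if e["source"] == "Service Control Manager" and e["id"] in (7023, 7031, 7034):
            m = SERVICE_RE.match(e["msg"])
            if m:
                hits.append((e["ts"], m["svc"]))
    return hits


def termination_bursts(events, window=timedelta(seconds=10), min_count=3):
    """Runs of >= min_count terminations whose first and last fall within `window`."""
    hits = terminated_services(events)
    bursts, i = [], 0
    while i < len(hits):
        j = i
        while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= window:
            j += 1
        if j - i + 1 >= min_count:
            bursts.append([svc for _, svc in hits[i:j + 1]])
        i = j + 1
    return bursts


def clock_skew_seconds(events):
    """Largest correction W32Time asked for (event 34); 0 if none reported."""
    skews = [int(m.group(1)) for e in events if e["source"] == "W32Time"
             for m in [SKEW_RE.search(e["msg"])] if m]
    return max(skews, key=abs) if skews else 0


def triage(text):
    events = parse_events(text)
    killed = sorted({svc for _, svc in terminated_services(events) if svc in SECURITY_SERVICES})
    return {
        "bursts": termination_bursts(events),   # mass terminations: crash, reboot, or process killer
        "security_killed": killed,              # security services that went down at all
        "clock_skew_s": clock_skew_seconds(events),  # offset to apply before correlating timestamps
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(key, value)
```

On the log above this reports one burst of seven services, three watch-listed services down, and a skew of +86515 seconds; the next step in a real case would be to check whether the burst lines up with a System or Kernel-Power event (reboot) or stands alone (something killed the services).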
 
Okay then! Took a while but finally got it! There are entries I will need to remove- did you gather some scans on the internet to try and resolve the problem?

I'd like you to run Combofix. It won't run with AVG on the system and AVG left no way to disable it, so you will have to remove it temporarily. I note that you still have AVG v8.5. If you do put it back on the system when we are through, you might want to get the current v2011.
===================================
Download AppRemover and save to the desktop
  1. Double click the setup on the desktop> click Next
  2. Select “Remove Security Application”
  3. Let scan finish to determine security apps
  4. A screen like below will appear:
  5. Click on Next after choice has been made
  6. Check the AVG program you want to uninstall
  7. After uninstall shows complete, follow online prompts to Exit the program.

Temporary AV: Use one:
Avira-AntiVir-Personal-Free-Antivirus
Avast Free Version
=============================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow it
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated and it will open in a text window. Please paste C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
=======================================
Comments:
1. From OTM> Total Files Cleaned = 750.00 mb. That's a lot of files you don't need running on the system. You might want to consider doing routine maintenance on the system more often.

2. Advise you remove Registry Mechanic. We don't recommend that anyone use a registry cleaner.

3. You should get the Java v6u27 update rather than Java 7, which is still being tested.
 
Hey, I don't know if you will need me to start again or something. I only just got back online, lost the internet for (quite) awhile there, and I don't think I finished doing this.
 
Sorry- thread should have been closed and marked 'Inactive.' Please start a new thread, describe current problems and run new scans. If you would like us to check the system for malware, please follow these steps: Preliminary Virus and Malware Removal.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply .
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
===============================================
Either Broni or I will pick the new thread up. The scans in this thread are too far out of date- you will have to start over.
 