Solved PC crashes, only runs in safe mode


bewsh

Hi,
I have a problem that is driving me nuts!

PC networked to a Server running SBS/MS Exchange
Server LAN is networked through a Sonicwall TZ170 firewall into a Netgear Rangemaster to the WAN

PC is XP Pro SP2.
Hardware is:
MSI K9N Ultra board
AMD dual 4200+ CPU
2GB DDR2 RAM
3x SATA HDDs
C: running Win XP Pro SP2, single partition
D: File Dump folders
E: File Dump folders
2 x DVDRW
Graphics - Asus ATI Radeon EAH3650, twin-screen setup.
Built in a Coolermaster case with 550W PSU.

AV: runs Symantec Enterprise, up to date, 24/7.

Built about 3 years ago, it has run fine with the occasional issue (I got a horrible virus about two years ago but managed to clear it, and had a similar crashing thing which seemed to go away when I cleaned the inside of the case).

About a week ago the PC crashed on me. Not a restart, just a crash, like a switch-off.
I restarted and it seemed to work just fine.
(no new hardware or software installed previously and no viruses flagged)

It happened again about a day later.
My first guess was too hot; it had been a while since I cleaned it.
It has a front fan, a rear fan, a PSU fan and a CPU fan, with a mesh front case and a CPU vent on the side, but it was dusty and the CPU fan and cooler were caked in dust.

All cleaned and dusted.
Monitored the temps and they never got over 50 deg C.
Cut-off in the BIOS is set for 55 deg.

Crashing increased in frequency, and occasionally the green power light stayed on even when the machine was off. Had to remove the power cord and press reset to clear it.
Thought maybe the CPU had been cooked, so took the heatsink off and checked paste etc.; smells OK, no obvious issues (bubbles, cracks etc.).
Put it back together; it ran for a while, then crashing increased to the point where now it won't complete a normal boot, crashes at the blue Win logo and recycles to startup again.
Works fine in safe mode with and without networking (I am on it now!!).
Never had a BSOD, just a switch-off style crash or a reboot cycle from the splash screen.

I pulled the C: drive and put it into an old HP chassis I have; it worked fine in normal mode. Tried my damnedest to crash it by opening multiple apps during final boot etc. etc., no problem; flicking from app to app, multiple Chrome tabs (which is when it started crashing).

Refitted it to the Coolermaster case but pulled all the unused peripherals (optical and hard drives, all USB except mouse/KB).
I tried to run Acronis to get an image of the C: but it kept forcing a crash.
I pulled two drives out and ran them in the HP box again and managed to get an image copied from C: to D:

I switched the RAM for known good RAM = crashed on restart, safe mode OK.

I have tried to get a bootlog, but it only shows the safe mode log. Even tried a bootlog in normal mode, let it crash and removed the ntbtlog.txt file from the C: drive with ERD Commander so safe mode can't overwrite it. It kept crashing ERD.
Managed to do it with the C: in the HP chassis, but it still shows a safe boot mode.

C: drive has been scanned with chkdsk and a drive fitness test (a generic one, not for the Maxtor HDD); it returned a "Disposition Code 0x72" message but was otherwise clean.

Have run Symantec full scan = clean.
Ran Malwarebytes - two infections, cleaned and quarantined (full log below).

Disabled all startup entries in MSConfig = crashed on restart
Disabled all (unwanted) services = crashed on restart
Uninstalled the graphics card = crashed on restart
Reinstalled graphics card and updated the driver = crashed on restart
Updated chipset drivers = crashed on restart

Have attempted to copy a fresh BIOS driver flash onto a 3.5" floppy, but my A: drive won't recognise the discs for some reason!

I can't switch the graphics card out as I don't have a spare compatible one (sold it less than a month ago on eBay!!).

I have a spare PSU, but it is not from a SATA-enabled box, so I would need IDE/SATA power adapters to run all or any of the drives... I am not convinced it is the power source though.

I posted this in the BSOD forum but was advised to come here and do the 5 step malware scan.

Any help would be great.
Thanks

*******************************************************************************************************

Logs below
MalwareBytes:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6588

Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 7.0.5730.13

16/05/2011 13:54:12
mbam-log-2011-05-16 (13-54-12).txt

Scan type: Full scan (C:\|D:\|G:\|)
Objects scanned: 348264
Time elapsed: 31 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 20
Files Infected: 323

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F5F14E7A-F59D-45A0-BDC5-A9F5454F0BCF} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB05BD70-4605-4829-93FC-AD80D8CC5B66} (Rogue.PerformanceCenter) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\ed.ersg\application data\Zango (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\IESkins (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0 (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostOI (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostOI\dynamic (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostOI\static (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostOL (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostOL\dynamic (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostOL\static (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1 (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\DownLoad (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\dynamic (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\dynamic\tooltipxml (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\dynamic\ustat (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1 (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad (Adware.Zango) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\ed.ersg\start menu\advanced virus remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\config\systemprofile\start menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\js2_pagingmoduleobj3.js (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\js2_texts3.js (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\js2_xmltree3nf.js (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\layout.cdf (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\linkpathlegal.txt (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\n.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\nav_bb_2.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\nav_b_2.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\nav_ff_2.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\nav_f_2.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\progress.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\sales_buttons.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\searchbtn.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\submit.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\tab_bg.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\tab_bga.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\tab_bgia.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\tab_l.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\tab_la.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\tab_lia.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\tab_r.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\tab_ra.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\tab_ria.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\treedata_animations.xml (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\treedata_backgrounds.xml (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\treedata_ecards.xml (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\treedata_emoticons.xml (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\treedata_notifiers.xml (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\treedata_text.xml (Adware.Zango) -> Quarantined and deleted successfully.
 
Continued logs:

c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\tree_dots.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\tree_minus.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\tree_plus.gif (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\1\zango_btn.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\DownLoad\avatar.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\DownLoad\business_promo.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\DownLoad\buttondir.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\DownLoad\code.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\DownLoad\cursors.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\DownLoad\email-def.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\DownLoad\email-t1-bg.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\DownLoad\email-temp-bg.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\DownLoad\hotbar_promo.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\DownLoad\images.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\DownLoad\layout.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\DownLoad\linkpathlegal.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\DownLoad\localcontent.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\DownLoad\progress.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\DownLoad\sales_buttons.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\DownLoad\treexml.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\HostWD\static\DownLoad\zango_btn.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\dynamic\1284985.sdf (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\dynamic\domains.txt (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\dynamic\tooltipxml\15024 (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\dynamic\tooltipxml\18721 (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\dynamic\tooltipxml\6556 (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\dynamic\tooltipxml\6558 (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\dynamic\tooltipxml\83723 (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\dynamic\ustat\3812.dat (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\avatar.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\btntrans.idx (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\btntrans1.dat (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\buttondir.txt (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\components.cdf (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\cursors.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default.cdf (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_511745-514279.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_bidzc_zt_ie-ca.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_bidzc_zt_ie-us.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_categorize.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_comparison.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_explorer-mails.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_explorer-people.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_favorites.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_games.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_hide.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_hotbarcom.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_hotmail.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_hsskin.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_jemster.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_jemsterie.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_jemsteruk.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_jobsearch.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_mails.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_mobilesidewalk.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_new.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_premium.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_reun.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_ringtones.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_searchboxtrapper.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_searchfor.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_searchgo.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_weather.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\default_yellowpages.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\d_icons_buttons_1000.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\d_icons_buttons_2000.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\d_icons_buttons_3000.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\d_icons_buttons_bar.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\d_icons_buttons_bbar1.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\d_icons_buttons_logos.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\d_icons_buttons_other.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\d_icons_weather.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\editblbuttons.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\email-def-511724-548964.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\email-def-511724-9595.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\email-t1-bg.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\icons2.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\ie_games_icon.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\ie_video.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\keywords.sdf (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\keywords1.dat (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\layout.cdf (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\linkpathlegal.txt (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\progress.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\sales_buttons.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\sdfmodifier.xml (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\s_icons_buttons.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\t2_bg.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\theweb.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\top7.cdf (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\top7_theweb.mnu (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\tsd_bg.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\zango_btn.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\1\zango_ie_menu.res (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\avatar.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\BtnTrans.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\btntrans1.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\buttondir.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\cursors.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\default.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_1000.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_2000.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_3000.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bar.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bbar1.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_logos.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_other.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\d_icons_weather.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\editblbuttons.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\email-t1-bg.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\icons2.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\ie_games_icon.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\ie_video.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\keywords.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\keywords1.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\layout.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\linkpathlegal.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\progress.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\sales_buttons.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\samplegroups2.txt (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\samplegroups2.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\sdfmodifier.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\s_icons_buttons.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\t2_bg.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\top7.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\tsd_bg.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\zango_btn.xip (Adware.Zango) -> Quarantined and deleted successfully.
c:\documents and settings\ed.ersg\application data\Zango\v3.0\Zango\static\DownLoad\zango_ie_menu.xip (Adware.Zango) -> Quarantined and deleted successfully.

*******************************************************************************
GMER log:
The quick scan showed no data in the log, so I did a full scan just in case.

I can post that log if it helps, but was instructed not to.

Attach.txt:

DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 03/11/2006 14:20:13
System Uptime: 16/05/2011 20:14:40 (13 hours ago)
.
Motherboard: MSI | | MS-7250
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | CPU 1 | 2211/200mhz
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | CPU 2 | 2211/mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 102.745 GiB free.
D: is FIXED (NTFS) - 298 GiB total, 15.596 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is FIXED (NTFS) - 298 GiB total, 63.112 GiB free.
H: is NetworkDisk (NTFS) - 119 GiB total, 32.889 GiB free.
I: is NetworkDisk (NTFS) - 119 GiB total, 32.889 GiB free.
Y: is NetworkDisk (NTFS) - 119 GiB total, 32.889 GiB free.
Z: is NetworkDisk (NTFS) - 119 GiB total, 32.889 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Logitech PS/2 Keyboard
Device ID: ACPI\PNP0303\4&D6E1DD7&0
Manufacturer: Logitech
Name: Logitech PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&D6E1DD7&0
Service: i8042prt
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
2600
2600_Help
2600Trb
32 Bit HP CIO Components Installer
AAC Decoder
Ad-Aware
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 6.0.1 Standard
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Acrobat and Reader 6.0.5 Update
Adobe Acrobat and Reader 6.0.6 Update
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Shockwave Player 11.5
AiO_Scan
AiOSoftware
Apple Mobile Device Support
Apple Software Update
Application Suite
ASUS VGA Driver
Athlon 64 Processor Driver
ATI - Software Uninstall Utility
ATI AVIVO Codecs
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
µTorrent
AutoUpdate
BadCopy Pro
Bloomberg Excel Tools
Bloomberg PFM Upload Tool for Microsoft Excel
Bloomberg SFD Data Dictionary
Bloomberg, V.06.08.09
BufferChm
CamView 2.0.6
Cards_Calendar_OrderGift_DoMorePlugout
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Compatibility Pack for the 2007 Office system
Copy
CP_AtenaShokunin1Config
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CPUID CPU-Z 1.57.1
CreativeProjects
CreativeProjectsTemplates
CueTour
CustomerResearchQFolder
Destinations
Director
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
DocProc
DocProcQFolder
DocumentViewer
DVD Decrypter (Remove Only)
EZDetach (remove only)
Fax
Flock (Photobucket Edition) 0.7
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
H.264 Decoder
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Extended Capabilities 4.7
HP Image Zone 4.7
HP Photosmart Essential 2.5
HP PSC & OfficeJet 4.7
HP Software Update
HPPhotoSmartDiscLabel_PaperLabel
HPPhotoSmartDiscLabel_PrintOnDisc
HPPhotoSmartDiscLabelContent1
hpphotosmartdisclabelplugin
HPPhotoSmartPhotobookWebPack1
HPProductAssistant
HPSSupply
HPSystemDiagnostics
InstantShare
iTunes
J2SE Runtime Environment 5.0 Update 7
J2SE Runtime Environment 5.0 Update 9
Java Auto Updater
Java(TM) 6 Update 24
Joost (tm) 0.11.0
LinkedIn Outlook Connector
LiveUpdate 3.2 (Symantec Corporation)
Logitech SetPoint
Malwarebytes' Anti-Malware
MarketResearch
MGI VideoWave III (Remove Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 6-9 Converter
MKV Splitter
MobileMe Control Panel
MotionDV STUDIO 5.3E LE for DV
Mozilla Firefox (3.6.16)
MSVC80_x86_v2
MSXML 6.0 Parser
MUSICMATCH® Jukebox
MVCpromo
Nero 7 Premium
Nokia Connectivity Cable Driver
NVIDIA Drivers
NVIDIA WDM Drivers
OCR Software by I.R.I.S. 10.0
Origin Internet Update Utility V1.33
PanoStandAlone
PC Connectivity Solution
PC Inspector File Recovery
PhotoGallery
play2p
ProductContext
PSSWCORE
QuickTime
Reader Rabbit Year 1 Capers on Cloud Nine!(TM)
Readme
Realtek High Definition Audio Driver
Safari
Scan
ScannerCopy
Shop for HP Supplies
SiSoftware Sandra Lite 2011.SP2
Skins
SkinsHP1
Skype Toolbars
Skype™ 4.2
SmartWebPrintingOC
SpeedFan (remove only)
Spy Sweeper
SpywareBlaster 4.0
Symantec Client Security
TasksPlus
TrayApp
Unity Web Player
Unload
Update for Windows XP (KB898461)
VC80CRTRedist - 8.0.50727.762
Video Stream Driver for Panasonic DVC
VideoToolkit01
VLC media player 0.9.9
WebFldrs XP
WebReg
Windows Communication Foundation
Windows Driver Package - AMD System (04/06/2006 1.0.1.0)
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
Yahoo! Install Manager
Yahoo! Messenger
Zero Assumption Recovery Version 8.4
.
==== Event Viewer Messages From Past Week ========
.
16/05/2011 16:51:45, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
16/05/2011 12:52:53, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
16/05/2011 12:48:40, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service ntmssvc with arguments "-Service" in order to run the server: {D61A27C6-8F53-11D0-BFA0-00A024151983}
13/05/2011 14:07:24, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
13/05/2011 14:06:05, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
12/05/2011 16:21:44, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
12/05/2011 15:32:16, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 eeCtrl Fips i8042prt SAVRT SAVRTPEL SPBBCDrv SYMTDI
12/05/2011 15:32:11, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/05/2011 15:25:36, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 eeCtrl Fips i8042prt IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SAVRT SAVRTPEL SPBBCDrv SYMTDI Tcpip
12/05/2011 15:25:36, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/05/2011 15:25:36, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/05/2011 15:25:36, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/05/2011 15:25:36, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/05/2011 15:25:36, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/05/2011 11:51:35, error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
12/05/2011 11:51:08, error: NETLOGON [5719] - No Domain Controller is available for domain ERSG due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
12/05/2011 10:18:16, error: Service Control Manager [7031] - The Symantec AntiVirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
12/05/2011 10:07:54, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/05/2011 17:55:13, error: Service Control Manager [7023] - The hpqcxs08 service terminated with the following error: The system cannot find the file specified.
11/05/2011 17:55:13, error: Service Control Manager [7023] - The HP CUE DeviceDiscovery Service service terminated with the following error: The system cannot find the file specified.
11/05/2011 17:55:13, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The system cannot find the file specified.
11/05/2011 17:55:13, error: Service Control Manager [7000] - The nVidia WDM Video Capture (universal) service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
11/05/2011 17:55:13, error: Service Control Manager [7000] - The nVidia WDM A/V Crossbar service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
11/05/2011 13:56:26, error: NetBT [4321] - The name "ERSG :1d" could not be registered on the Interface with IP address 172.16.100.66. The machine with the IP address 172.16.100.10 did not allow the name to be claimed by this machine.
10/05/2011 23:21:49, error: MRxSmb [8003] - The master browser has received a server announcement from the computer ERSGSERVER01 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{6847CC8F-177B-4. The master browser is stopping or an election is being forced.
10/05/2011 11:42:33, error: Service Control Manager [7034] - The WebClient service terminated unexpectedly. It has done this 1 time(s).
10/05/2011 11:42:33, error: Service Control Manager [7034] - The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s).
10/05/2011 11:42:33, error: Service Control Manager [7031] - The Remote Registry service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
.
==== End Of File ===========================


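The DDS event log pasted above can be read mechanically rather than by eye. As an added example that is not part of DDS, ComboFix or this thread, the Python below parses the DDS event-line layout seen in that log, separates the boot-start drivers that fail at every boot from those that fail only sometimes, and maps each 7001 dependency failure to the services it stopped; the sample lines are copied from the log above, and the line layout is an assumption drawn from those lines.

```python
"""
Summarise the 'Event Viewer Messages' block that DDS writes: Service Control
Manager 7026 events (boot-start drivers that failed to load) and 7001 events
(services that could not start because a dependency failed).

Added example, not DDS or ComboFix code. Assumed DDS line layout, taken from
the log above:
    DD/MM/YYYY HH:MM:SS, error: <Source> [<EventID>] - <Message>
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# One DDS event line: timestamp, severity, source, event id, message.
_EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<eid>\d+)\] - (?P<msg>.*)$"
)
# A 7026 message ends with a space-separated list of driver names.
_7026_TAIL = "failed to load: "
# A 7001 message: "The X service depends on the Y service which failed ..."
_7001_RE = re.compile(r"^The (?P<svc>.+?) service depends on the (?P<dep>.+?) service")


def parse_events(lines):
    """Return a dict per line that matches the DDS layout; skip headers and '.'."""
    events = []
    for line in lines:
        m = _EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%m/%Y %H:%M:%S")
        ev["eid"] = int(ev["eid"])
        events.append(ev)
    return events


def failed_drivers_by_boot(events):
    """Map the timestamp of each 7026 event to the set of drivers it lists."""
    by_boot = {}
    for ev in events:
        if ev["source"] == "Service Control Manager" and ev["eid"] == 7026:
            parts = ev["msg"].split(_7026_TAIL, 1)
            if len(parts) == 2:
                by_boot[ev["ts"]] = set(parts[1].split())
    return by_boot


def driver_failure_counts(events):
    """Count, over all 7026 events, how many boots each driver failed in."""
    counts = Counter()
    for drivers in failed_drivers_by_boot(events).values():
        counts.update(drivers)
    return counts


def dependency_failures(events):
    """For 7001 events, map each failed dependency to the services it took down."""
    deps = defaultdict(list)
    for ev in events:
        if ev["source"] == "Service Control Manager" and ev["eid"] == 7001:
            m = _7001_RE.match(ev["msg"])
            if m:
                deps[m.group("dep")].append(m.group("svc"))
    return dict(deps)


def summarise(lines):
    """Return (drivers failing every boot, drivers failing some boots, dependency map)."""
    events = parse_events(lines)
    boots = failed_drivers_by_boot(events)
    counts = driver_failure_counts(events)
    persistent = sorted(d for d, n in counts.items() if n == len(boots))
    sometimes = sorted(d for d, n in counts.items() if n < len(boots))
    return persistent, sometimes, dependency_failures(events)


# Constructed input: a subset of the event lines from the log above, verbatim.
SAMPLE_LOG = """\
==== Event Viewer Messages From Past Week ========
.
12/05/2011 15:32:16, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 eeCtrl Fips i8042prt SAVRT SAVRTPEL SPBBCDrv SYMTDI
12/05/2011 15:25:36, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 eeCtrl Fips i8042prt IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SAVRT SAVRTPEL SPBBCDrv SYMTDI Tcpip
12/05/2011 15:25:36, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/05/2011 15:25:36, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/05/2011 10:18:16, error: Service Control Manager [7031] - The Symantec AntiVirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
.
==== End Of File ===========================
""".splitlines()

if __name__ == "__main__":
    persistent, sometimes, deps = summarise(SAMPLE_LOG)
    print("failed at every boot:  ", " ".join(persistent))
    print("failed at some boots:  ", " ".join(sometimes))
    for dep, svcs in deps.items():
        print(f"{dep} failure stopped: {', '.join(svcs)}")
```

Drivers that fail at every boot (here the AMD CPU driver, the PS/2 port driver and the Symantec drivers) are the ones worth checking first, since the networking stack entries only fail in the boot where AFD and Tcpip also failed.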
 
Welcome to TechSpot! I think you may have confused the issue with some of the things you did to try and fix the problem! You have numerous rogue malware programs. So any 'alerts' you got most likely weren't actual problems.

1) Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
============================================
2) Show Hidden Files and Folders in Windows Vista and Windows 7:
  • Click on the Start button and select Computer
  • Press the Alt key on your keyboard and click on Tools
  • Select Folder Options
  • Click the View tab and make sure that Show hidden files and folders is selected under Hidden files and folders
  • Next, uncheck the box next to Hide protected operating system files (Recommended)
  • Then, uncheck the box next to Hide extensions for known filetypes
  • Click Apply then click OK

3) Go into Windows Explorer (Windows key + E) > find Documents & Settings for user ed.ersg > click on the + sign to the left of Application Data > right click > Delete on everything for Zango > exit Windows Explorer and re-hide the files and folders (this is important)

4) See if you can boot into Normal Mode. If you cannot, please download Combofix to a flash drive, connect the flash drive and run Combofix on the problem computer in Safe Mode.

5) Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save it to the desktop

  • ===========Start here to connect the flash drive and run Combofix=================
  • Connect the flash drive and run Combofix in Safe Mode.
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    ===========Omit the Recovery Console query if running from the flash drive===============
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    (screenshot: whatnext.png)
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow it
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=============================================
Do a search on the computer for Zango and uninstall it if it shows up in Add/Remove Programs as a program. Right click > Delete on all other entries.

Let me know how this goes.
 
Hi thanks for the reply.
I was directed here by someone on the BSOD/Crashing forum who suggested that it was probably malware related.
I was fairly confident that it was hardware related as the OS runs normally on a different MB/CPU

It was a lengthy first post so I appreciate you may not have read it all but:

1) Boot into Safe Mode
I can only boot in safe mode, no other option

2) Show Hidden Files and Folders in Windows Vista and Windows 7:

It's an XP Pro SP2 OS

3) Go into Windows Explorer (Windows key + E) > find Documents & Settings for user ed.ersg > click on the + sign to the left of Application Data > right click > Delete on everything for Zango > exit Windows Explorer and re-hide the files and folders (this is important)
Zango and everything associated with it has already been deleted by the malwarebytes run

4) See if you can boot into Normal Mode. If you cannot, please download Combofix to a flash drive, connect the flash drive and run Combofix on the problem computer in Safe Mode.

Is Combofix the next step? It is already downloaded on the desktop and ready to go from the last time I needed it!
Is there something in the logs that stands out?

thanks
 
OK, I followed the instructions.
Combofix crashed the PC the first time I ran it but it was fine the 2nd time.

log below:

ComboFix 11-05-17.01 - ed 18/05/2011 10:28:34.3.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2047.1648 [GMT 1:00]
Running from: \\ERSGServer01\Users\Ed\Downloads\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *Enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\GoToAssistDownloadHelper.exe
c:\documents and settings\Administrator\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2011-04-18 to 2011-05-18 )))))))))))))))))))))))))))))))
.
.
2011-05-16 16:40 . 2011-05-16 16:40 -------- d-----w- C:\test
2011-05-16 16:33 . 2006-08-14 11:09 1428 ----a-w- c:\windows\system32\drivers\nvphy.bin
2011-05-16 16:31 . 2011-05-16 16:31 -------- d-----w- c:\program files\AMD
2011-05-16 16:22 . 2011-05-16 16:34 -------- d-----w- c:\windows\LastGood.Tmp
2011-05-16 16:22 . 2010-11-03 17:15 359016 ----a-w- c:\windows\vncutil.exe
2011-05-16 16:22 . 2010-11-03 17:15 1833576 ----a-w- c:\windows\SkyTel.exe
2011-05-16 16:22 . 2011-04-15 14:48 56936 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2011-05-16 16:22 . 2010-11-03 17:14 129640 ----a-w- c:\windows\RtkAudioService.exe
2011-05-16 16:22 . 2009-11-18 06:17 1395800 ----a-w- c:\windows\system32\drivers\Monfilt.sys
2011-05-16 16:22 . 2009-11-18 06:16 1691480 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
2011-05-16 16:18 . 2006-02-07 14:45 757760 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
2011-05-16 16:18 . 2006-02-07 14:40 204800 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
2011-05-16 16:18 . 2006-02-07 14:40 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
2011-05-16 16:18 . 2006-02-07 14:40 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
2011-05-16 16:18 . 2005-11-13 22:19 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe
2011-05-16 16:18 . 2011-05-16 16:18 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
2011-05-16 16:18 . 2011-05-16 16:18 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
2011-05-16 15:51 . 2011-05-16 15:51 -------- d-----w- c:\program files\CPUID
2011-05-16 15:51 . 2010-11-09 14:35 21992 ----a-w- c:\windows\system32\drivers\cpuz135_x32.sys
2011-05-16 12:20 . 2011-05-16 12:20 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\Malwarebytes
2011-05-16 12:20 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-16 12:20 . 2011-05-16 12:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-16 12:20 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-16 12:20 . 2011-05-16 12:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-16 12:08 . 2011-05-16 12:08 -------- d-----w- c:\windows\ServicePackFiles
2011-05-16 12:08 . 2004-07-17 10:40 19528 ----a-w- c:\windows\000001_.tmp
2011-05-16 11:59 . 2011-05-16 11:59 -------- d-----w- c:\program files\ATI
2011-05-12 14:40 . 2011-05-12 14:40 -------- d-----w- c:\program files\SiSoftware
2011-05-12 10:54 . 2011-02-16 16:58 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\Intel
2011-05-12 10:54 . 2009-02-19 22:06 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\AVG7
2011-05-12 10:54 . 2011-02-16 16:59 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\Protector Suite
2011-05-12 10:54 . 2011-02-16 16:59 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\Sony Corporation
2011-05-12 10:54 . 2010-11-08 16:26 -------- d-sh--w- c:\documents and settings\ed.ERSG\PrivacIE
2011-05-12 10:54 . 2010-11-08 15:56 -------- d-sh--w- c:\documents and settings\ed.ERSG\IETldCache
2011-05-12 10:52 . 2004-08-03 21:31 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
2011-05-12 10:52 . 2004-08-03 21:31 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-19 17:19 . 2006-11-04 21:14 6394472 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2011-04-14 12:36 . 2006-11-04 21:14 20053608 ----a-w- c:\windows\RTHDCPL.EXE
2011-02-25 18:37 . 2006-11-04 21:13 1284712 ------r- c:\windows\RtlExUpd.dll
2010-02-12 14:40 . 2010-02-12 14:39 18499623 ----a-w- c:\program files\vlc-1.0.5-win32.exe
2009-04-07 09:36 . 2009-04-07 09:36 16742799 ----a-w- c:\program files\vlc-0.9.9-win32.exe
2009-03-24 12:21 . 2009-03-24 12:21 23596840 ----a-w- c:\program files\SkypeSetupFull.exe
2008-12-17 20:06 . 2008-12-17 20:06 26453613 ----a-w- c:\program files\AllToAVI_v4_r5394_Setup.exe
2008-07-17 10:27 . 2008-07-17 10:27 23510720 -c--a-w- c:\program files\dotnetfx.exe
2008-07-17 09:27 . 2008-07-17 09:27 12573347 -c--a-w- c:\program files\helium2008.exe
2008-06-09 12:47 . 2008-06-09 12:47 59782440 -c--a-w- c:\program files\iTunesSetup.exe
2008-03-31 12:36 . 2008-03-31 12:36 2671816 -c--a-w- c:\program files\spywareblastersetup40.exe
2007-11-06 17:34 . 2007-11-06 17:34 128376 -c--a-w- c:\program files\Download_zonetick_3_5_trial_regnow.exe
2007-11-05 11:23 . 2007-11-05 11:23 2748954 -c----w- c:\program files\ST330_Update.exe
2007-09-18 14:03 . 2007-09-18 14:03 5819504 -c--a-w- c:\program files\Firefox Setup 2.0.0.6.exe
2007-07-10 13:54 . 2007-07-10 13:53 119309242 -c--a-w- c:\program files\trvte0608.exe
2006-12-19 16:40 . 2006-12-19 16:40 105930 -c--a-w- c:\program files\setup_ezdetach_4.0.full.exe
2006-12-08 16:19 . 2006-12-08 16:18 239968 -c--a-w- c:\program files\setup_ezdetach.eval.exe
2006-11-20 20:35 . 2006-11-20 20:29 9424808 -c--a-w- c:\program files\Flock_Setup_0_7_8__photobucket.exe
2006-11-20 20:24 . 2006-11-20 20:24 19666504 -c--a-w- c:\program files\QuickTimeInstaller.exe
2006-09-08 09:38 . 2006-11-06 16:39 1828505 -c--a-w- c:\program files\cdtomp3.exe
2006-03-13 17:06 . 2006-11-06 16:39 1183264 -c--a-w- c:\program files\CpWzPr.exe
2005-07-09 11:18 . 2006-11-06 16:39 4364992 -c--a-w- c:\program files\MediaMonkey.exe
2005-06-13 17:33 . 2006-11-06 16:39 325354 -c--a-w- c:\program files\ffdshow-20020617.exe
2005-06-04 10:39 . 2006-11-06 16:39 5772 -c--a-w- c:\program files\sharedaccess.reg
2005-03-25 01:07 . 2006-11-06 16:39 1413120 -c--a-w- c:\program files\WinsockXPFix.exe
2005-03-17 11:30 . 2006-11-06 16:39 527204 -c--a-w- c:\program files\AVIcodec_1.2_b107.exe
2002-08-13 19:42 . 2006-11-06 16:39 186368 -c--a-w- c:\program files\LSPFix.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2011-04-14 20053608]
"SoundMan"="SOUNDMAN.EXE" [2010-11-03 84584]
"AlcWzrd"="ALCWZRD.EXE" [2010-11-03 2815592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-05-17 49152]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^ed.ERSG^Start Menu^Programs^Startup^scandisk.lnk]
path=c:\documents and settings\ed.ERSG\Start Menu\Programs\Startup\scandisk.lnk
backup=c:\windows\pss\scandisk.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2007-05-29 15:33 52840 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 13:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2005-03-10 12:01 28160 ----a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-20 17:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-06-01 09:22 7618560 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-06-01 09:22 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
2004-02-25 11:53 665088 ----a-w- c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2007-10-07 19:48 125368 ----a-w- c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
S0 okajhrk;okajhrk;c:\windows\system32\drivers\jrliy.sys --> c:\windows\system32\drivers\jrliy.sys [?]
S2 gupdate1c9a641f9fedc48;Google Update Service (gupdate1c9a641f9fedc48);c:\program files\Google\Update\GoogleUpdate.exe [16/03/2009 15:17 133104]
S2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [07/10/2007 20:48 116664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [16/05/2011 17:22 1691480]
S3 AtiDCM;AtiDCM;\??\c:\documents and settings\ed.ERSG\Local Settings\Temp\atidcmxx.sys --> c:\documents and settings\ed.ERSG\Local Settings\Temp\atidcmxx.sys [?]
S3 EraserUtilDrv11110;EraserUtilDrv11110;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11110.sys [16/05/2011 09:29 105592]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [29/05/2010 13:43 102448]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [16/03/2009 15:17 133104]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [05/06/2010 09:16 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [05/06/2010 09:16 8320]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys --> c:\windows\system32\DRIVERS\rcvpn.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]
.
2011-05-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-29 23:27]
.
2011-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-16 14:17]
.
2011-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-16 14:17]
.
2011-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3641825963-764552273-372206336-1140Core.job
- c:\documents and settings\ed.ERSG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-11 14:44]
.
2011-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3641825963-764552273-372206336-1140UA.job
- c:\documents and settings\ed.ERSG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-11 14:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig?hl=en&source=iglk
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.co.uk
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
DPF: {C6A03519-BA6F-438E-AF3A-878F11521CA5} - hxxp://172.16.100.20/jpgview.cab
FF - ProfilePath - c:\documents and settings\ed.ERSG\Application Data\Mozilla\Firefox\Profiles\93b4r1jc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: XULRunner: {7763B99D-F43B-4CC0-8DD3-B3B957D440B3} - c:\documents and settings\ed.ERSG\Local Settings\Application Data\{7763B99D-F43B-4CC0-8DD3-B3B957D440B3}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Logitech Utility - Logi_MwX.Exe
AddRemove-Adobe Photoshop 7.0 - c:\program files\Adobe\Photoshop 7.0\Uninst.isu
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-18 10:33
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(828)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-05-18 10:34:41
ComboFix-quarantined-files.txt 2011-05-18 09:34
ComboFix2.txt 2009-10-20 20:28
ComboFix3.txt 2009-10-20 13:01
.
Pre-Run: 110,883,008,512 bytes free
Post-Run: 111,333,093,376 bytes free
.
- - End Of File - - DF4F86F03D9DADD1F84E563CB9EA90AD
 
just tried to boot in normal mode and it is the same as before, cycles to restart on the winlogo screen.

runs in safe mode with networking as before....

any ideas?
 
is there anything I can try?
I am really loath to wipe the disc and reinstall windows especially if it might be a hardware issue

tried to run a video card health check but it also crashed the machine.
I have read that the graphics card drivers can cause this but am hoping to remove malware from the equation first

thanks for your help
 
You may have some malware, but that's not the main problem. Your system is in terrible shape! You have setup files for programs downloaded as long as 5 years ago. Ideally, once a program is installed, the setup file is removed. If it isn't, it will be removed when regular maintenance is done. So either you never ran the programs or the setups didn't clean up.

Examples of old setups: The numerical sequence before the file name is the size of the file. Don't try deleting these now!
2009-03-24 12:21 23596840 ----a-w- c:\program files\SkypeSetupFull.exe
2008-12-17 20:06 26453613 ----a-w- c:\program files\AllToAVI_v4_r5394_Setup.exe
2008-06-09 12:47 59782440 -c--a-w- c:\program files\iTunesSetup.exe
2008-03-31 12:36 2671816 -c--a-w- c:\program files\spywareblastersetup40.exe
2007-11-06 17:34 128376 -c--a-w- c:\program files\Download_zonetick_3_5_trial_regnow.exe
2007-11-05 11:23 2748954 -c----w- c:\program files\ST330_Update.exe
2007-09-18 14:03 5819504 -c--a-w- c:\program files\Firefox Setup 2.0.0.6.exe
2006-12-19 16:40 105930 -c--a-w- c:\program files\setup_ezdetach_4.0.full.exe
2006-12-08 16:18 239968 -c--a-w- c:\program files\setup_ezdetach.eval.exe
2006-11-20 20:29 9424808 -c--a-w- c:\program files\Flock_Setup_0_7_8__photobucket.exe

You have 6 outdated versions of the Adobe Reader without the current version and at least 2 outdated versions of Java, no current version.

I can help you clean the system up, but it comes with conditions:
  1. You will have to have patience. It is going to take time- yours and mine and I will be helping others with malware.
  2. You must run only what I instruct you to and nothing else. No new installs or updates, no uninstalls unless I direct you to do so.
  3. You need to follow the order I give you- it's for a reason and what follows will depend on what was done previously.
  4. If you have any file sharing programs, uninstall them.
  5. Disable Spysweeper. It's best if it's not 'sweeping' in the background.
  6. Do not use any Registry Cleaner- this would include running CCleaner if you have it. Once we begin working from the logs, I don't want you doing anything that will change them unless I tell you to do so.

The alternative, as I see it, is to do a complete reformat and reinstall. But if a hardware problem exists, even that might not work. Right now, the system is overburdened with processes loading and running. In my opinion, unless we remove these processes, the system will continue to crash and will reach the point that it won't reboot at all.

If you have a flash drive- it should be disinfected first- I'd rather you use that to download rather than use the Safe Mode with Networking. Security programs don't start in that mode.

Questions and Comments:
1. Do you have to use the Symantec pcAnywhere for work access? If not, I'd like to stop it.
2. Did you know you are still loading AVG from the Registry?
3. Do you realize that these 2 programs, run several years ago, were still on the system?
2006-11-06 16:39 1413120 -c--a-w- c:\program files\WinsockXPFix.exe
2002-08-13 19:42 . 2006-11-06 16:39 186368 - c:\program files\LSPFix.exe

From your description, it would appear that you may have hardware issues. I don't handle that. The system can be cleaned up and you can determine how you are at that point.

If you don't want to try and see this through, tell me now so I don't waste the time and can give it to help others.

Let me know.
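The three things the helper read out of the log above (installers left loose in the Program Files root for years, services whose driver file ComboFix marked as missing with "[?]", and firewall exceptions for programs that are no longer on disk) can be checked mechanically. The script below is an added example, not the helper's tool and not part of ComboFix; it runs over a constructed excerpt of the log in ComboFix's own line format, and the present-file set behind `demo_exists` and the `SCAN_DATE` constant are assumptions. It only reports; it deletes nothing.

```python
"""Triage helper for ComboFix-style log excerpts (added example; not the
forum helper's tool and not part of ComboFix). It automates the three
observations made from the log above: installer .exe files left loose in
the Program Files root for years, services whose driver file ComboFix
marked as missing with "[?]", and firewall exceptions that point at files
no longer on disk. It only reports; it deletes nothing.
"""
import re
from datetime import date, datetime

# Constructed excerpt in ComboFix's format (a subset of the lines in the
# thread, not a full log); it is a raw string so backslashes stay literal.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-14 12:36 . 2006-11-04 21:14 20053608 ----a-w- c:\windows\RTHDCPL.EXE
2010-02-12 14:40 . 2010-02-12 14:39 18499623 ----a-w- c:\program files\vlc-1.0.5-win32.exe
2009-03-24 12:21 . 2009-03-24 12:21 23596840 ----a-w- c:\program files\SkypeSetupFull.exe
2005-03-25 01:07 . 2006-11-06 16:39 1413120 -c--a-w- c:\program files\WinsockXPFix.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
S0 okajhrk;okajhrk;c:\windows\system32\drivers\jrliy.sys --> c:\windows\system32\drivers\jrliy.sys [?]
S2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [07/10/2007 20:48 116664]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys --> c:\windows\system32\DRIVERS\rcvpn.sys [?]
"""

SCAN_DATE = date(2011, 5, 18)          # assumed "today": the scan date in the log
PROGRAM_FILES = "c:\\program files"   # loose files here are almost always downloads

# Find3M file line: "<mtime> . <ctime> <size> <attrs> <path>"; directory
# lines carry "--------" in the size column and therefore do not match.
FIND3M_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} (\d+) (\S+) (.+)$"
)


def parse_find3m(lines):
    """Return (mtime, size, attrs, path) for every file entry in the lines."""
    entries = []
    for line in lines:
        m = FIND3M_RE.match(line.strip())
        if m:
            entries.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
                            int(m.group(2)), m.group(3), m.group(4)))
    return entries


def stale_loose_installers(lines, today, max_age_days=365):
    """Executables sitting directly in the Program Files root (installed
    programs live in subfolders) whose last modification is older than
    max_age_days, in log order."""
    found = []
    for mtime, _size, _attrs, path in parse_find3m(lines):
        parent, _, name = path.rpartition("\\")
        if parent.lower() == PROGRAM_FILES and name.lower().endswith(".exe"):
            if (today - mtime.date()).days > max_age_days:
                found.append(path)
    return found


def services_with_missing_file(lines):
    """Names from the S0..S3 / R0..R3 service lines whose image path
    ComboFix flagged with a trailing "[?]" (file not found on disk)."""
    names = []
    for line in lines:
        line = line.strip()
        if re.match(r"^[SR]\d ", line) and line.endswith("[?]"):
            names.append(line.split(" ", 1)[1].split(";", 1)[0])
    return names


def orphaned_firewall_exceptions(lines, exists):
    """Paths under the firewall AuthorizedApplications key for which
    exists(path) is False. REGEDIT4 doubles backslashes, so each value is
    unescaped before the check."""
    orphans, in_section = [], False
    for line in lines:
        line = line.strip()
        if line == ".":                       # ComboFix's section separator
            in_section = False
            continue
        if line.startswith("["):
            in_section = line.endswith("AuthorizedApplications\\List]")
            continue
        m = re.match(r'^"([^"]+)"=', line) if in_section else None
        if m:
            path = m.group(1).replace("\\\\", "\\")
            if not exists(path):
                orphans.append(path)
    return orphans


# Constructed stand-in for os.path.exists: what is assumed still on disk.
PRESENT_FILES = {r"c:\program files\itunes\itunes.exe"}


def demo_exists(path):
    return path.lower() in PRESENT_FILES


def triage(log_text, today, exists):
    """Run all three checks over a log and return the findings by category."""
    lines = log_text.splitlines()
    return {
        "stale_installers": stale_loose_installers(lines, today),
        "missing_service_files": services_with_missing_file(lines),
        "orphaned_firewall_exceptions": orphaned_firewall_exceptions(lines, exists),
    }


if __name__ == "__main__":
    for heading, items in triage(SAMPLE_LOG, SCAN_DATE, demo_exists).items():
        print(f"{heading}:")
        for item in items:
            print("  ", item)
```

Against the constructed excerpt the report lists the two loose installers plus WinsockXPFix.exe, the two services whose .sys file is gone (okajhrk and rcvpn), and the AVG and pcAnywhere firewall exceptions; on a real machine the `exists` argument would be `os.path.exists`, and every finding is still something to read, not something to delete unseen.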
 
Questions and Comments:
1. Do you have to use the Symantec pcAnywhere for work access? If not, I'd like to stop it.
2. Did you know you are still loading AVG from the Registry?
3. Do you realize that these 2 programs, run several years ago, were still on the system?
2006-11-06 16:39 1413120 -c--a-w- c:\program files\WinsockXPFix.exe
2002-08-13 19:42 . 2006-11-06 16:39 186368 - c:\program files\LSPFix.exe

I am definitely up for that.
I know it has been running slowly but in answer to your questions:
1) No, don't use pcAnywhere anymore, wasn't aware it was still running
2) No I didn't, I had removed it from the start up list and thought it was uninstalled
3) No I didn't,

how do I go about cleaning these out then?
I have a clean zip drive. Do you mean to download apps/files and run them from this zip rather than the HDD?

Thanks for your help
 
Are you sure that flash drive is clean? I found a Worm on the system that usually comes through a removable drive. About the downloading: When you use Safe Mode with Networking, the security programs don't run so I'm trying to minimize the system exposure. If you download to the flash drive, then run on the problem computer, that is a safer way to do it:

Here is the first step. It would be wise to print this out because ultimately, you will need to check the setup .exe file for the program. If you installed it and don't use it, I'll have you uninstall it and delete the program file. If you never installed from the setup, then there won't be a program to uninstall and the setup will be removed:

The following can be run in Safe Mode. You already have Combofix on the system. Please don't do anything except for this one step. I'll review the log it generates:
===============================================
Please run this Custom CFScript:

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: Be sure to scroll down to include ALL lines.
Code:
File::
c:\program files\SkypeSetupFull.exe
c:\program files\AllToAVI_v4_r5394_Setup.exe
c:\program files\iTunesSetup.exe
c:\program files\spywareblastersetup40.exe
c:\program files\Download_zonetick_3_5_trial_regnow.exe
c:\program files\Firefox Setup 2.0.0.6.exe
c:\program files\setup_ezdetach_4.0.full.exe
c:\program files\setup_ezdetach.eval.exe
c:\program files\Flock_Setup_0_7_8__photobucket.exe
c:\program files\vlc-0.9.9-win32.exe
c:\windows\system32\dllcache\rtl8139.sys
c:\windows\000001_.tmp
c:\program files\WinsockXPFix.exe
c:\program files\LSPFix.exe
c:\program files\cdtomp3.exe
c:\program files\CpWzPr.exe
c:\program files\MediaMonkey.exe
c:\program files\ffdshow-20020617.exe
c:\program files\sharedaccess.reg
C:\Program Files\Grisoft\AVG 7\AVG7_CC.exe
c:\windows\system32\drivers\jrliy.sys
c:\windows\system32\DRIVERS\rcvpn.sys 
Folder::
c:\documents and settings\ed.ERSG\Application Data\AVG7

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Avg7UpdSvc"=-
"Avg7Alrt"=-
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=-
"c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=-
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=-

Driver::
okajhrk 
rcvpn
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Go to Add/Remove Programs and uninstall all of the following, if found:
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 6.0.1 Standard
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Acrobat and Reader 6.0.5 Update
Adobe Acrobat and Reader 6.0.6 Update
J2SE Runtime Environment 5.0 Update 7
J2SE Runtime Environment 5.0 Update 9

I'll have you update the above programs later.
 
thanks,

have done all that but I haven't run Combofix as I can not turn off Symantec real time scanner.
every process running appears to be windows related and I can't seem to stop it. Is there an easy way?
will it stop Combofix doing its thing and can I delete the programs you list in the meantime?

thanks for your help
 
think I managed to turn it off, ran combofix
log below:


ComboFix 11-05-19.02 - ed 21/05/2011 20:04:36.4.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2047.1649 [GMT 1:00]
Running from: \\ERSGServer01\Users\Ed\Downloads\ComboFix.exe
Command switches used :: \\ERSGServer01\Users\Ed\Downloads\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *Enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.
FILE ::
"c:\program files\AllToAVI_v4_r5394_Setup.exe c:\program files\iTunesSetup.exe c:\program files\spywareblastersetup40.exe c:\program files\Download_zonetick_3_5_trial_regnow.exe"
"c:\program files\cdtomp3.exe"
"c:\program files\CpWzPr.exe"
"c:\program files\ffdshow-20020617.exe"
"c:\program files\Firefox Setup 2.0.0.6.exe c:\program files\setup_ezdetach_4.0.full.exe c:\program files\setup_ezdetach.eval.exe c:\program files\Flock_Setup_0_7_8__photobucket.exe"
"c:\program files\Grisoft\AVG 7\AVG7_CC.exe c:\windows\system32\drivers\jrliy.sys"
"c:\program files\LSPFix.exe"
"c:\program files\MediaMonkey.exe"
"c:\program files\sharedaccess.reg"
"c:\program files\SkypeSetupFull.exe"
"c:\program files\vlc-0.9.9-win32.exe"
"c:\program files\WinsockXPFix.exe"
"c:\windows\000001_.tmp"
"c:\windows\system32\dllcache\rtl8139.sys"
"c:\windows\system32\DRIVERS\rcvpn.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\ed.ERSG\Application Data\AVG7
c:\documents and settings\ed.ERSG\Application Data\AVG7\test-0001.cfg
c:\documents and settings\ed.ERSG\Application Data\AVG7\test-0003.cfg
c:\documents and settings\ed.ERSG\Application Data\AVG7\test-0004.cfg
c:\documents and settings\ed.ERSG\Application Data\AVG7\test-0005.cfg
c:\documents and settings\ed.ERSG\Application Data\AVG7\test-0006.cfg
c:\documents and settings\ed.ERSG\Application Data\AVG7\test-0007.cfg
c:\documents and settings\ed.ERSG\Application Data\AVG7\test-0008.cfg
c:\documents and settings\ed.ERSG\Application Data\AVG7\test-0009.cfg
c:\documents and settings\ed.ERSG\Application Data\AVG7\test-0011.cfg
c:\documents and settings\ed.ERSG\Application Data\AVG7\test-0012.cfg
c:\documents and settings\ed.ERSG\Application Data\AVG7\test-0013.cfg
c:\documents and settings\ed.ERSG\Application Data\AVG7\user-0000.cfg
c:\program files\cdtomp3.exe
c:\program files\CpWzPr.exe
c:\program files\ffdshow-20020617.exe
c:\program files\LSPFix.exe
c:\program files\MediaMonkey.exe
c:\program files\sharedaccess.reg
c:\program files\SkypeSetupFull.exe
c:\program files\vlc-0.9.9-win32.exe
c:\program files\WinsockXPFix.exe
c:\windows\000001_.tmp
c:\windows\system32\dllcache\rtl8139.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_okajhrk
-------\Service_rcvpn
.
.
((((((((((((((((((((((((( Files Created from 2011-04-21 to 2011-05-21 )))))))))))))))))))))))))))))))
.
.
2011-05-16 16:40 . 2011-05-16 16:40 -------- d-----w- C:\test
2011-05-16 16:33 . 2006-08-14 11:09 1428 ----a-w- c:\windows\system32\drivers\nvphy.bin
2011-05-16 16:31 . 2011-05-16 16:31 -------- d-----w- c:\program files\AMD
2011-05-16 16:22 . 2011-05-16 16:34 -------- d-----w- c:\windows\LastGood.Tmp
2011-05-16 16:22 . 2010-11-03 17:15 359016 ----a-w- c:\windows\vncutil.exe
2011-05-16 16:22 . 2010-11-03 17:15 1833576 ----a-w- c:\windows\SkyTel.exe
2011-05-16 16:22 . 2011-04-15 14:48 56936 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2011-05-16 16:22 . 2010-11-03 17:14 129640 ----a-w- c:\windows\RtkAudioService.exe
2011-05-16 16:22 . 2009-11-18 06:17 1395800 ----a-w- c:\windows\system32\drivers\Monfilt.sys
2011-05-16 16:22 . 2009-11-18 06:16 1691480 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
2011-05-16 16:18 . 2006-02-07 14:45 757760 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
2011-05-16 16:18 . 2006-02-07 14:40 204800 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
2011-05-16 16:18 . 2006-02-07 14:40 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
2011-05-16 16:18 . 2006-02-07 14:40 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
2011-05-16 16:18 . 2005-11-13 22:19 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe
2011-05-16 16:18 . 2011-05-16 16:18 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
2011-05-16 16:18 . 2011-05-16 16:18 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
2011-05-16 15:51 . 2011-05-16 15:51 -------- d-----w- c:\program files\CPUID
2011-05-16 15:51 . 2010-11-09 14:35 21992 ----a-w- c:\windows\system32\drivers\cpuz135_x32.sys
2011-05-16 12:20 . 2011-05-16 12:20 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\Malwarebytes
2011-05-16 12:20 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-16 12:20 . 2011-05-16 12:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-16 12:20 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-16 12:20 . 2011-05-16 12:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-16 12:08 . 2011-05-16 12:08 -------- d-----w- c:\windows\ServicePackFiles
2011-05-16 11:59 . 2011-05-16 11:59 -------- d-----w- c:\program files\ATI
2011-05-12 14:40 . 2011-05-12 14:40 -------- d-----w- c:\program files\SiSoftware
2011-05-12 10:54 . 2011-02-16 16:58 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\Intel
2011-05-12 10:54 . 2011-02-16 16:59 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\Protector Suite
2011-05-12 10:54 . 2011-02-16 16:59 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\Sony Corporation
2011-05-12 10:54 . 2010-11-08 16:26 -------- d-sh--w- c:\documents and settings\ed.ERSG\PrivacIE
2011-05-12 10:54 . 2010-11-08 15:56 -------- d-sh--w- c:\documents and settings\ed.ERSG\IETldCache
2011-05-12 10:52 . 2004-08-03 21:31 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-19 17:19 . 2006-11-04 21:14 6394472 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2011-04-14 12:36 . 2006-11-04 21:14 20053608 ----a-w- c:\windows\RTHDCPL.EXE
2011-02-25 18:37 . 2006-11-04 21:13 1284712 ------r- c:\windows\RtlExUpd.dll
2010-02-12 14:40 . 2010-02-12 14:39 18499623 ----a-w- c:\program files\vlc-1.0.5-win32.exe
2008-12-17 20:06 . 2008-12-17 20:06 26453613 ----a-w- c:\program files\AllToAVI_v4_r5394_Setup.exe
2008-07-17 10:27 . 2008-07-17 10:27 23510720 -c--a-w- c:\program files\dotnetfx.exe
2008-07-17 09:27 . 2008-07-17 09:27 12573347 -c--a-w- c:\program files\helium2008.exe
2008-06-09 12:47 . 2008-06-09 12:47 59782440 -c--a-w- c:\program files\iTunesSetup.exe
2008-03-31 12:36 . 2008-03-31 12:36 2671816 -c--a-w- c:\program files\spywareblastersetup40.exe
2007-11-06 17:34 . 2007-11-06 17:34 128376 -c--a-w- c:\program files\Download_zonetick_3_5_trial_regnow.exe
2007-11-05 11:23 . 2007-11-05 11:23 2748954 -c----w- c:\program files\ST330_Update.exe
2007-09-18 14:03 . 2007-09-18 14:03 5819504 -c--a-w- c:\program files\Firefox Setup 2.0.0.6.exe
2007-07-10 13:54 . 2007-07-10 13:53 119309242 -c--a-w- c:\program files\trvte0608.exe
2006-12-19 16:40 . 2006-12-19 16:40 105930 -c--a-w- c:\program files\setup_ezdetach_4.0.full.exe
2006-12-08 16:19 . 2006-12-08 16:18 239968 -c--a-w- c:\program files\setup_ezdetach.eval.exe
2006-11-20 20:35 . 2006-11-20 20:29 9424808 -c--a-w- c:\program files\Flock_Setup_0_7_8__photobucket.exe
2006-11-20 20:24 . 2006-11-20 20:24 19666504 -c--a-w- c:\program files\QuickTimeInstaller.exe
2005-03-17 11:30 . 2006-11-06 16:39 527204 -c--a-w- c:\program files\AVIcodec_1.2_b107.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2011-04-14 20053608]
"SoundMan"="SOUNDMAN.EXE" [2010-11-03 84584]
"AlcWzrd"="ALCWZRD.EXE" [2010-11-03 2815592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-05-17 49152]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^ed.ERSG^Start Menu^Programs^Startup^scandisk.lnk]
path=c:\documents and settings\ed.ERSG\Start Menu\Programs\Startup\scandisk.lnk
backup=c:\windows\pss\scandisk.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2007-05-29 15:33 52840 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 13:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2005-03-10 12:01 28160 ----a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-20 17:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-06-01 09:22 7618560 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-06-01 09:22 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
2004-02-25 11:53 665088 ----a-w- c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2007-10-07 19:48 125368 ----a-w- c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
S2 gupdate1c9a641f9fedc48;Google Update Service (gupdate1c9a641f9fedc48);c:\program files\Google\Update\GoogleUpdate.exe [16/03/2009 15:17 133104]
S2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [07/10/2007 20:48 116664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [16/05/2011 17:22 1691480]
S3 AtiDCM;AtiDCM;\??\c:\documents and settings\ed.ERSG\Local Settings\Temp\atidcmxx.sys --> c:\documents and settings\ed.ERSG\Local Settings\Temp\atidcmxx.sys [?]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\ED7684~1.ERS\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\ED7684~1.ERS\LOCALS~1\Temp\CFcatchme.sys [?]
S3 EraserUtilDrv11110;EraserUtilDrv11110;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11110.sys [16/05/2011 09:29 105592]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [29/05/2010 13:43 102448]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [16/03/2009 15:17 133104]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [05/06/2010 09:16 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [05/06/2010 09:16 8320]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]
.
2011-05-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-29 23:27]
.
2011-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-16 14:17]
.
2011-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-16 14:17]
.
2011-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3641825963-764552273-372206336-1140Core.job
- c:\documents and settings\ed.ERSG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-11 14:44]
.
2011-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3641825963-764552273-372206336-1140UA.job
- c:\documents and settings\ed.ERSG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-11 14:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig?hl=en&source=iglk
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.co.uk
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
DPF: {C6A03519-BA6F-438E-AF3A-878F11521CA5} - hxxp://172.16.100.20/jpgview.cab
FF - ProfilePath - c:\documents and settings\ed.ERSG\Application Data\Mozilla\Firefox\Profiles\93b4r1jc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: XULRunner: {7763B99D-F43B-4CC0-8DD3-B3B957D440B3} - c:\documents and settings\ed.ERSG\Local Settings\Application Data\{7763B99D-F43B-4CC0-8DD3-B3B957D440B3}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-22 00:12
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-05-22 00:16:46 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-21 23:16
ComboFix2.txt 2011-05-18 09:34
ComboFix3.txt 2009-10-20 20:28
ComboFix4.txt 2009-10-20 13:01
.
Pre-Run: 111,315,636,224 bytes free
Post-Run: 111,104,856,064 bytes free
.
- - End Of File - - 8E94F0182C95DFE40E8996DFD9F6B7F0
 
Unfortunately, we were posting at the same time. I was telling you to uninstall the Combofix 2009 version and download the current version. You should not have kept Combofix on the desktop.

There have been some changes in Combofix over the years. What may have been adequate in 2009 isn't in 2011. Did you use the old version?

Additionally, did you 'stack' some of the entries I had in the script? For instance, I had entries like this:
c:\program files\AllToAVI_v4_r5394_Setup.exe
c:\program files\iTunesSetup.exe
c:\program files\spywareblastersetup40.exe
c:\program files\Download_zonetick_3_5_trial_regnow.exe
But they show in the script like this:
FILE ::
"c:\program files\AllToAVI_v4_r5394_Setup.exe c:\program files\iTunesSetup.exe c:\program files\spywareblastersetup40.exe c:\program files\Download_zonetick_3_5_trial_regnow.exe"

The entries in the 2 lines that are 'stacked' didn't get removed.
====================================
This was my post:
But I just noticed that you used the old version that was already on the desktop:
ComboFix2.txt 2009-10-20 20:28
ComboFix3.txt 2009-10-20 13:01


You will need to uninstall this version: They should not have been left on the desktop after they were run. 2 years for a security program that is looking for and removing malware entries to be kept and used is not appropriate. Combofix, the program, gets updated over the years.
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Then download this version to the flash drive:
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the flash drive.
Before connecting the flash drive to the problem computer and running Combofix, do the following:

How can I temporarily disable the Symantec Client Firewall?
1. Right-click on the Symantec Client Firewall icon in your system notification area (typically in the lower-right-hand corner of your screen, near the time)
2. Select Disable Symantec Client Firewall from the pop-up menu.
3. You can use this same menu item later to re-enable the firewall.

Connect the flash drive and run Combofix:
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    [image: whatnext.png]
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe [image: cf-icon.jpg] & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=============================================
This was my last line:
Don't run the script I left yet. I will review the entries against the newer version of Combofix and add or remove script as needed.
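The 'stacked' FILE:: entries described in the post above are a formatting defect of the CFScript, not of ComboFix: several paths pasted into one quoted string are read as a single path that does not exist, so nothing is deleted. The following added example (my own code, not part of this thread and not a ComboFix tool) unstacks such a section into one quoted path per line, the form ComboFix itself logs. The sample input is constructed from the stacked entry quoted in the post above; the function names are my own.

```python
"""Normalise the FILE:: section of a ComboFix CFScript so that each path sits on
its own line. Added example with hypothetical helper names; not a ComboFix tool."""
import re

# A new path starts wherever a drive-letter prefix such as c:\ appears.
# Windows paths cannot contain ':' so this pattern cannot fire inside a path,
# which is what lets us split entries whose paths contain spaces.
DRIVE_PREFIX = re.compile(r"[A-Za-z]:\\")

# Constructed sample input: the 'stacked' form the helper describes, where four
# paths ended up inside one quoted string on a single line.
STACKED_SECTION = (
    "FILE ::\n"
    '"c:\\program files\\AllToAVI_v4_r5394_Setup.exe '
    "c:\\program files\\iTunesSetup.exe "
    "c:\\program files\\spywareblastersetup40.exe "
    'c:\\program files\\Download_zonetick_3_5_trial_regnow.exe"\n'
)


def split_stacked_entry(entry):
    """Return the individual paths contained in one FILE:: line.

    Whitespace splitting would break 'c:\\program files\\...', so the line is
    cut at every drive-letter prefix instead.
    """
    text = entry.strip().strip('"').strip()
    starts = [m.start() for m in DRIVE_PREFIX.finditer(text)]
    if not starts:
        return []
    bounds = starts + [len(text)]
    return [text[a:b].strip() for a, b in zip(bounds, bounds[1:])]


def file_section_lines(script_text):
    """Return the raw non-empty lines under the FILE :: header.

    Any other directive header (a line ending in '::') ends the section.
    """
    lines = []
    in_section = False
    for line in script_text.splitlines():
        stripped = line.strip()
        if stripped.upper().replace(" ", "") == "FILE::":
            in_section = True
            continue
        if stripped.endswith("::"):
            in_section = False
            continue
        if in_section and stripped:
            lines.append(stripped)
    return lines


def stacked_entries(script_text):
    """Return the FILE:: lines that hold more than one path (the defect to fix)."""
    return [ln for ln in file_section_lines(script_text)
            if len(split_stacked_entry(ln)) > 1]


def parse_file_section(script_text):
    """Collect every path listed under FILE ::, unstacking lines as needed."""
    paths = []
    for ln in file_section_lines(script_text):
        paths.extend(split_stacked_entry(ln))
    return paths


def render_file_section(paths):
    """Emit the section the way ComboFix logs it: one quoted path per line."""
    return "FILE ::\n" + "".join('"%s"\n' % p for p in paths)


if __name__ == "__main__":
    bad = stacked_entries(STACKED_SECTION)
    print("stacked lines found:", len(bad))
    print(render_file_section(parse_file_section(STACKED_SECTION)))
```

Run `stacked_entries` over a script before handing it to ComboFix; a non-empty result means at least one line would be treated as a single non-existent path and silently skipped, which is exactly the symptom reported in the thread.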
 
OK,
I tried every way to turn off Symantec.
It does not appear in either the system tray or the processes list.
I opened it and turned off all active scans and startup options, restarted and ran Combofix.
It was still running!!

I also tried the remove software process you detailed but can't use the Control Panel Add/Remove option in safe mode.

When I removed Combofix and then reinstalled it I got an update message for a new version. When it did the update it crashed the machine.


Anyway, back in safe mode, new version of Combofix.
When Combofix had finished it tried to upload a file of some description to their webserver but it timed out. There is a file to upload later.

log below:

Thanks

ComboFix 11-05-21.03 - ed 22/05/2011 10:29:03.5.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2047.1650 [GMT 1:00]
Running from: \\ERSGServer01\Users\Ed\Downloads\ComboFix.exe
Command switches used :: \\ERSGServer01\Users\Ed\Downloads\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *Enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.
FILE ::
"c:\program files\AllToAVI_v4_r5394_Setup.exe"
"c:\program files\cdtomp3.exe"
"c:\program files\CpWzPr.exe"
"c:\program files\Download_zonetick_3_5_trial_regnow.exe"
"c:\program files\ffdshow-20020617.exe"
"c:\program files\Firefox Setup 2.0.0.6.exe"
"c:\program files\Flock_Setup_0_7_8__photobucket.exe"
"c:\program files\Grisoft\AVG 7\AVG7_CC.exe"
"c:\program files\iTunesSetup.exe"
"c:\program files\LSPFix.exe"
"c:\program files\MediaMonkey.exe"
"c:\program files\setup_ezdetach.eval.exe"
"c:\program files\setup_ezdetach_4.0.full.exe"
"c:\program files\sharedaccess.reg"
"c:\program files\SkypeSetupFull.exe"
"c:\program files\spywareblastersetup40.exe"
"c:\program files\vlc-0.9.9-win32.exe"
"c:\program files\WinsockXPFix.exe"
"c:\windows\000001_.tmp"
"c:\windows\system32\dllcache\rtl8139.sys"
"c:\windows\system32\drivers\jrliy.sys"
"c:\windows\system32\DRIVERS\rcvpn.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\AllToAVI_v4_r5394_Setup.exe
c:\program files\Download_zonetick_3_5_trial_regnow.exe
c:\program files\Firefox Setup 2.0.0.6.exe
c:\program files\Flock_Setup_0_7_8__photobucket.exe
c:\program files\iTunesSetup.exe
c:\program files\setup_ezdetach.eval.exe
c:\program files\setup_ezdetach_4.0.full.exe
c:\program files\spywareblastersetup40.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-04-22 to 2011-05-22 )))))))))))))))))))))))))))))))
.
.
2011-05-16 16:40 . 2011-05-16 16:40 -------- d-----w- C:\test
2011-05-16 16:33 . 2006-08-14 11:09 1428 ----a-w- c:\windows\system32\drivers\nvphy.bin
2011-05-16 16:31 . 2011-05-16 16:31 -------- d-----w- c:\program files\AMD
2011-05-16 16:22 . 2011-05-16 16:34 -------- d-----w- c:\windows\LastGood.Tmp
2011-05-16 16:22 . 2010-11-03 17:15 359016 ----a-w- c:\windows\vncutil.exe
2011-05-16 16:22 . 2010-11-03 17:15 1833576 ----a-w- c:\windows\SkyTel.exe
2011-05-16 16:22 . 2011-04-15 14:48 56936 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2011-05-16 16:22 . 2010-11-03 17:14 129640 ----a-w- c:\windows\RtkAudioService.exe
2011-05-16 16:22 . 2009-11-18 06:17 1395800 ----a-w- c:\windows\system32\drivers\Monfilt.sys
2011-05-16 16:22 . 2009-11-18 06:16 1691480 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
2011-05-16 16:18 . 2006-02-07 14:45 757760 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
2011-05-16 16:18 . 2006-02-07 14:40 204800 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
2011-05-16 16:18 . 2006-02-07 14:40 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
2011-05-16 16:18 . 2006-02-07 14:40 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
2011-05-16 16:18 . 2005-11-13 22:19 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe
2011-05-16 16:18 . 2011-05-16 16:18 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
2011-05-16 16:18 . 2011-05-16 16:18 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
2011-05-16 15:51 . 2011-05-16 15:51 -------- d-----w- c:\program files\CPUID
2011-05-16 15:51 . 2010-11-09 14:35 21992 ----a-w- c:\windows\system32\drivers\cpuz135_x32.sys
2011-05-16 12:20 . 2011-05-16 12:20 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\Malwarebytes
2011-05-16 12:20 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-16 12:20 . 2011-05-16 12:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-16 12:20 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-16 12:20 . 2011-05-16 12:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-16 12:08 . 2011-05-16 12:08 -------- d-----w- c:\windows\ServicePackFiles
2011-05-16 11:59 . 2011-05-16 11:59 -------- d-----w- c:\program files\ATI
2011-05-12 14:40 . 2011-05-12 14:40 -------- d-----w- c:\program files\SiSoftware
2011-05-12 10:54 . 2011-02-16 16:58 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\Intel
2011-05-12 10:54 . 2011-02-16 16:59 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\Protector Suite
2011-05-12 10:54 . 2011-02-16 16:59 -------- d-----w- c:\documents and settings\ed.ERSG\Application Data\Sony Corporation
2011-05-12 10:54 . 2010-11-08 16:26 -------- d-sh--w- c:\documents and settings\ed.ERSG\PrivacIE
2011-05-12 10:54 . 2010-11-08 15:56 -------- d-sh--w- c:\documents and settings\ed.ERSG\IETldCache
2011-05-12 10:52 . 2004-08-03 21:31 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-19 17:19 . 2006-11-04 21:14 6394472 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2011-04-14 12:36 . 2006-11-04 21:14 20053608 ----a-w- c:\windows\RTHDCPL.EXE
2011-02-25 18:37 . 2006-11-04 21:13 1284712 ------r- c:\windows\RtlExUpd.dll
2010-02-12 14:40 . 2010-02-12 14:39 18499623 ----a-w- c:\program files\vlc-1.0.5-win32.exe
2008-07-17 10:27 . 2008-07-17 10:27 23510720 -c--a-w- c:\program files\dotnetfx.exe
2008-07-17 09:27 . 2008-07-17 09:27 12573347 -c--a-w- c:\program files\helium2008.exe
2007-11-05 11:23 . 2007-11-05 11:23 2748954 -c----w- c:\program files\ST330_Update.exe
2007-07-10 13:54 . 2007-07-10 13:53 119309242 -c--a-w- c:\program files\trvte0608.exe
2006-11-20 20:24 . 2006-11-20 20:24 19666504 -c--a-w- c:\program files\QuickTimeInstaller.exe
2005-03-17 11:30 . 2006-11-06 16:39 527204 -c--a-w- c:\program files\AVIcodec_1.2_b107.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2011-04-14 20053608]
"SoundMan"="SOUNDMAN.EXE" [2010-11-03 84584]
"AlcWzrd"="ALCWZRD.EXE" [2010-11-03 2815592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-05-17 49152]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^ed.ERSG^Start Menu^Programs^Startup^scandisk.lnk]
path=c:\documents and settings\ed.ERSG\Start Menu\Programs\Startup\scandisk.lnk
backup=c:\windows\pss\scandisk.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2007-05-29 15:33 52840 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 13:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2005-03-10 12:01 28160 ----a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-20 17:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-06-01 09:22 7618560 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-06-01 09:22 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
2004-02-25 11:53 665088 ----a-w- c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2007-10-07 19:48 125368 ----a-w- c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
S2 gupdate1c9a641f9fedc48;Google Update Service (gupdate1c9a641f9fedc48);c:\program files\Google\Update\GoogleUpdate.exe [16/03/2009 15:17 133104]
S2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [07/10/2007 20:48 116664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [16/05/2011 17:22 1691480]
S3 AtiDCM;AtiDCM;\??\c:\documents and settings\ed.ERSG\Local Settings\Temp\atidcmxx.sys --> c:\documents and settings\ed.ERSG\Local Settings\Temp\atidcmxx.sys [?]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\ED7684~1.ERS\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\ED7684~1.ERS\LOCALS~1\Temp\CFcatchme.sys [?]
S3 EraserUtilDrv11110;EraserUtilDrv11110;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11110.sys [16/05/2011 09:29 105592]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [29/05/2010 13:43 102448]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [16/03/2009 15:17 133104]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [05/06/2010 09:16 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [05/06/2010 09:16 8320]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]
.
2011-05-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-29 23:27]
.
2011-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-16 14:17]
.
2011-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-16 14:17]
.
2011-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3641825963-764552273-372206336-1140Core.job
- c:\documents and settings\ed.ERSG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-11 14:44]
.
2011-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3641825963-764552273-372206336-1140UA.job
- c:\documents and settings\ed.ERSG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-11 14:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig?hl=en&source=iglk
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.co.uk
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
DPF: {C6A03519-BA6F-438E-AF3A-878F11521CA5} - hxxp://172.16.100.20/jpgview.cab
FF - ProfilePath - c:\documents and settings\ed.ERSG\Application Data\Mozilla\Firefox\Profiles\93b4r1jc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: XULRunner: {7763B99D-F43B-4CC0-8DD3-B3B957D440B3} - c:\documents and settings\ed.ERSG\Local Settings\Application Data\{7763B99D-F43B-4CC0-8DD3-B3B957D440B3}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-22 10:42
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-05-22 10:46:39 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-22 09:46
ComboFix2.txt 2011-05-21 23:16
.
Pre-Run: 111,633,244,160 bytes free
Post-Run: 111,510,261,760 bytes free
.
- - End Of File - - D21DEDCF52CD02DC6BB5773B06E71173
 
Follow these instructions for Zango:

What is Zango?
Zango is an entertainment site with free access to videos, music, games, and other downloads. The site is free to all users, but is paid for by advertisements. Visitors are presented with an end user license agreement that they accept before downloading any content.

Zango does display popup advertisements and such to pay for the games and videos. The Zango software includes a search assistant and toolbar.
How Do I Remove Zango?
1) Click on Start, Settings, Control Panel
2) Double click on Add/Remove Programs
3) Find "Zango" in the list of installed programs and click on Change/Remove to uninstall it. There may also be a program called Media Gateway, remove it as well.
[image: zangouninstall.jpg]

You'll be presented with the following screen during the uninstall process, you'll want to check either the Zango toolbar or Search Assistant, or both before clicking Next to complete the uninstall.

4) Reboot your Computer and run HijackThis
Download HijackThis from http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save it to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started, click on the Scan button and then the Save Log button to create a log of your information.
  • The log will then open in Notepad. Be sure to click on Format > Uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All", then click on "Edit > Copy" to copy the entire contents of the log. Save the log.

Reopen HijackThis to 'do system scan only.' Check each of the following if present.

C:\Program Files\Zango\zango.exe
C:\Program Files\ZangoToolbar\Bin\4.8.3.0\ZbSrv.exe
O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E0117D9CA975760EA83FA5EF80752B94E2DE765D754E2937C3 - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll
O2 - BHO: Zango Toolbar - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - C:\Program Files\ZangoToolbar\Bin\4.8.3.0\ZbHostIE.dll
O3 - Toolbar: Zango Toolbar - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - C:\Program Files\ZangoToolbar\Bin\4.8.3.0\ZbHostIE.dll
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"


Close all Windows except HijackThis and click on "Fix Checked"

Reboot the computer> see if you can access Normal Mode. If you can't, run HijackThis again, save the log and paste in next reply.

Directions & images courtesy of PC Hell.
 
It won't let me run the uninstall process from Control Panel in safe mode; the installer window brings up an error message.
Any ideas?

Actually, I just checked it: Zango isn't in the list of installed apps.
 
The error message is "Windows Installer cannot be accessed. This can happen if you are in safe mode or the installer is not correctly installed. Contact support personnel for assistance."

I had HijackThis already, so I uninstalled it, installed a fresh copy from your link in the drive specified, and followed your instructions.
Log below, no sign of Zango.

I tried to restart, but this time instead of the cycle from the Windows logo back to POST it just switched off.
When I restarted I saw a quick flash of a DOS window, tiny and minimised, so the only glimpse I could see was "C:" with something written beside it, literally a flash, no chance to identify it, but it hasn't happened before.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 00:02:20, on 23/05/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\ed.ERSG\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ed.ERSG\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ed.ERSG\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en&source=iglk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - http://www.solidworks.com/plugins/edrawings/download.cfm?Release=rel
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.aurec.com.au/Remote/msrdp.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {C6A03519-BA6F-438E-AF3A-878F11521CA5} (JpgView Control) - http://172.16.100.20/jpgview.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ERSG.local
O17 - HKLM\Software\..\Telephony: DomainName = ERSG.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ERSG.local
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Update Service (gupdate1c9a641f9fedc48) (gupdate1c9a641f9fedc48) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

--
End of file - 8359 bytes
 
Tried to see if it would boot in normal mode again today.
It doesn't.

Anything else I can do to avoid a complete wipe and rebuild?
I don't have the cash for further hardware if that is the problem, but I'm hoping it is malware related.

thanks again for your help
 
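The removal instructions above work by picking the Zango O2/O3/O4 lines out of a HijackThis log by hand. The script below is an added example, not part of the thread and not HijackThis code: it parses the O2 (BHO), O3 (toolbar), O4 (Run key), O16 (ActiveX download) and O23 (service) lines of a v2 log and flags entries that match a removal watchlist, run from a bare filename, load from outside Program Files or the Windows directory, or fetch an ActiveX control over plain HTTP or from a private address. The sample log is constructed from lines quoted in this thread plus one made-up O4 line pointing at a Temp directory (labelled in the code) so the path check has something to trip on; the watchlist tokens and the "trusted roots" heuristic are assumptions for an XP-era triage, not rules from HijackThis.

```python
"""Triage a HijackThis v2 log: parse O2/O3/O4/O16/O23 lines and flag entries
worth a second look.  Heuristics, not a verdict: confirm each flagged line by
hand before fixing it.  Added example, not code from the thread or HijackThis."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

CLSID = r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}"

# One regex per section handled here; lines from other sections are skipped.
PATTERNS = {
    "O2":  re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.+)$"),
    "O3":  re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.+)$"),
    "O4":  re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<path>.+)$"),
    "O16": re.compile(r"^O16 - DPF: (?P<clsid>" + CLSID + r")(?: \((?P<name>[^)]*)\))? - (?P<path>\S+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.+)$"),
}

# Name/path tokens taken from the Zango removal instructions (assumption: extend per case).
WATCHLIST = ("zango", "zbsrv", "zbhostie", "zangohook", "media gateway")

# Assumption: on an XP box, legitimate startup items and services live under
# Program Files or the Windows directory; anything else gets a closer look.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


@dataclass
class Entry:
    section: str
    name: str
    target: str      # DLL/EXE path, Run command line, or download URL
    clsid: str = ""
    extra: str = ""  # Run key for O4, vendor for O23
    raw: str = ""


def parse(log_text):
    """Return an Entry for every recognised line in the log."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        for section, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                g = m.groupdict()
                entries.append(Entry(section, g.get("name") or "", g["path"],
                                     g.get("clsid") or "",
                                     g.get("key") or g.get("vendor") or "", line))
                break
    return entries


def exe_path(cmd):
    """Pull the executable out of a Run command line, quoted or not."""
    cmd = cmd.strip()
    m = re.match(r'^"([^"]+)"', cmd) or re.match(r"^(.*?\.(?:exe|dll|scr|com|bat|cmd))\b", cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]


def review(entry):
    """Return the reasons this entry deserves attention (empty list if none)."""
    reasons = []
    if any(tok in (entry.name + " " + entry.target).lower() for tok in WATCHLIST):
        reasons.append("matches removal watchlist")
    if entry.section == "O16":
        u = urlparse(entry.target)
        if u.scheme != "https":
            reasons.append(f"ActiveX control fetched over plain {u.scheme}")
        try:
            if ipaddress.ip_address(u.hostname or "").is_private:
                reasons.append(f"download source is a private address ({u.hostname}); confirm it is your own server")
        except ValueError:
            pass  # a hostname rather than an IP literal
    else:
        path = (exe_path(entry.target) if entry.section == "O4" else entry.target).lower()
        if "\\" not in path:
            reasons.append("bare filename, resolved through the search path at logon")
        elif not path.startswith(TRUSTED_ROOTS):
            reasons.append("loads from outside Program Files / Windows (user-writable location?)")
    return reasons


def triage(log_text):
    """[(entry, reasons)] for every entry that trips at least one check."""
    out = []
    for e in parse(log_text):
        reasons = review(e)
        if reasons:
            out.append((e, reasons))
    return out


# Constructed sample: lines quoted in the thread, plus one made-up [updater] line
# (not from the posted log) so the untrusted-path check has something to catch.
SAMPLE_LOG = r"""
O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E0117D9CA975760EA83FA5EF80752B94E2DE765D754E2937C3 - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll
O2 - BHO: Zango Toolbar - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - C:\Program Files\ZangoToolbar\Bin\4.8.3.0\ZbHostIE.dll
O3 - Toolbar: Zango Toolbar - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - C:\Program Files\ZangoToolbar\Bin\4.8.3.0\ZbHostIE.dll
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe -silent
O16 - DPF: {C6A03519-BA6F-438E-AF3A-878F11521CA5} (JpgView Control) - http://172.16.100.20/jpgview.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
"""

if __name__ == "__main__":
    for e, reasons in triage(SAMPLE_LOG):
        print(f"{e.section} {e.name!r} -> {e.target}")
        for r in reasons:
            print(f"    - {r}")
```

Run it against a saved hijackthis.log by passing the file contents to triage(). The O16 check is the one worth keeping in mind from the posted log: an ActiveX control pulled from an internal address over plain HTTP is not wrong in itself, but it is exactly the kind of line to confirm is your own server before a log is declared clean.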
The NameServer domain name in your logs shows ed.ERSG. The only ID I am finding for this is "The Elections Reform Support Group or ERSG was a forum of donors co-chaired by the United States and the European Union to coordinate the reform of the Palestinian electoral system.[1] ERSG was founded in 2002."

I cannot identify ERSG further. Your Docs & Settings suggest that you may be 'ed' at this domain, and I do find an email address for that.
========================================
I'm finishing another list of scripts to remove more files. While I'm doing that, please let me know about the ERSG domain.
========================================
About this:
1) Boot into Safe Mode
I can only boot in safe mode, no other option
Some use Boot.ini in the msconfig utility to set SAFEBOOT for startup. The problem with that is the system won't start any other way as long as SafeBoot is checked. So they don't know how to get out of that mode.

So my "Boot into Safe Mode" was given with the Boot.ini function in mind> meaning don't set SafeBoot in Boot.ini- boot into Safe Mode instead, using the F8 key. Understand?
===========================================
Do you know how to run Chkdsk? I think this would help with system problems:

Where to set Error Checking up
You can do the Error Check from Command Prompt:
Start> Run> type in cmd> enter> type in Chkdsk /f, followed by a reboot. Chkdsk will start in a few seconds. -or-
Start> Run> type in cmd> enter> at the blinking C Prompt type in Chkdsk /r

Or Windows Explorer:
Right click on Start> Explore> My Computer> Right click on Local Drive (usually C)> Properties> Tools> Error Check> check both boxes on the screen that comes up> Apply> Close the message and reboot for the Error Checking to start.

The /r switch locates bad sectors and recovers readable information from them (implies /f).
The /f switch is for file errors to be found and fixed.
 
ERSG is my domain name (www.ersg.com)
I am Ed


Boot.ini is all greyed out in MSCONFIG,
so it is trying to boot normally from scratch; I get safe mode from pressing F8.

Will run chkdsk and get back to you
 
Well, now it is screwed.

I followed the chkdsk instructions and it said it would check the volume at next start-up, except now it won't start up at all.

I can't get it to go past the driver log page on start-up; it just hangs. Tried it several times now.
I assume that it is hanging just before the chkdsk can run.

Any ideas?
 
Once you schedule Chkdsk, then reboot, it should start in about 9 seconds.

Try running System File Checker: have your Windows XP installation CD ready, so that you can insert it if you are prompted to do so.
  • Click on Start> Run> type in sfc /scannow (note there is a space between SFC and the forward slash).
  • Click on OK or press Enter.
  • Follow any instructions on the screen.
  • It should close when finished.
  • Reboot the computer.
====================================
Referring to Boot.ini> when you say it's grayed out, do you mean there is nothing in the box at the top? Please don't make any changes here: my questions are for information only:



Right below the dialog box, there are 4 buttons> Three of the four buttons provided in this window are for editing purposes and are grayed out by default. The Check All Boot Paths button is used to verify that the boot paths in the BOOT.INI file are correct. When you click this button, you’ll either receive an error message you can use for troubleshooting or a window alerting you that the boot paths have been verified.
======================================
The system may just be too corrupted to boot. It has not been well maintained over the years, and updates haven't been done with earlier versions removed. I think you should be prepared to do a reformat/reinstall.
 
Hi,

In answer to the above, the msconfig top window had all the usual info in it.
The 4 check boxes below were greyed out with no options.

I couldn't run scannow or chkdsk as it just hung on the driver install page before the Windows logo.

When I ran the chkdsk and it died at reboot I lost my patience and took it to a shop.
I explained I had tried to run diagnostics and excluded various bits of hardware, and told them to sort it (they are cheap and only charge £10 to diagnose, and as I buy all my components there they are pretty helpful).
they told me the motherboard was the problem.

not convinced I agreed to purchase a new motherboard from them (I did this only on the assumption that if the diagnosis was wrong that I would have some come back on the sale)

having already purchased a new HDD and now a new motherboard I set about rebuilding it.

first I tried to install the image of the old C: onto the new HDD.
I used Acronis to take the image and restore it
It went on OK but then crashed as before cycling at the boot stage

So I wiped the new hard drive (complete format) and reinstalled a fresh copy of Win XP, Office, Chrome, Adobe etc., updated as many drivers as I could and added it back onto my domain (a network of a server and a couple of PCs). It did this successfully, but it only joins the domain on restart.

As it restarted it hangs on the windows logo indefinitely.
If I start in safe mode it stalls momentarily at the mup.sys driver install and then boots as normal (albeit safe normal!)

could this problem be in some way linked to the domain controller or the way it links to my server?
This is effectively a complete fresh install on a new HDD and MB (only common hardware is the RAM, the CPU, the Optical Drives and the case/PSU.

I am at a loss a bit now as short of a new box I am not sure what I can do to eliminate HW/SW as the root cause.

I am running in safe mode with full networking between the server and the PC, and the PC and the web. No loss of functionality other than the video/sound side of safe mode.


I tried to run the sfc /scannow command on the old drive and got the message
"Windows File Protection could not initiate a scan of protected system files.
The specific error code is 0x000006ba [The RPC server is unavailable]

driving me nuts!
 
Hi, Solved this myself yesterday.

As every piece of hardware except the chip has been replaced and re-run, and I am convinced it was a hardware issue, I took it back to the shop and asked if he had checked my CPU in another board... he said no.

So I bit the bullet and went for a new dual core AMD CPU, a new MB (can't use mine as the socket is AM2) and got some extra RAM.

I am not convinced there is anything wrong with the MB!

I am typing on my new, faster, slicker, reinstalled, twin screen rocket machine!

thanks for all your help.
I just need to figure out why MS Exchange is using a PST file on my PC HD to store messages now!
 