
Firefox / Internet Explorer opens additional unwanted window


This topic is locked
22 replies to this topic

#1 mark436
  • Members
  • 37 posts

Posted 11 November 2009 - 11:08 AM

I have a 4-year-old Dell computer running Windows XP.

Two days ago ZoneAlarm told me maccsnet.tmp was trying to access my computer. I denied this attack. Immediately after, another program tried to access my computer (I cannot find the name of it from ZoneAlarm). The computer went very slow, then started working again.

Now whenever I turn on my computer and click on either Firefox or Internet Explorer I get the page I want, but at the same time an additional page pops up like:

hxxp://www.2010softwarereports.com/default.aspx?Refer=7S&Keyword=norton+antivirus

hxxp://uk.findstuff.com/home/search/?uvx=W7gIytRTMOymIUNFL8NgpD4ZafA3v1VcCmCPWLgwOtd2P7ShEfrWOVhtk_NZyuXh8rjy6Kq-m_jex1g_2XOzxgQX3D5HknuI0yRyNrGDjpR7tbi3Nz5tJ3eyjZ0IfCsxUDl8m6eKmtrJFuAaCE3y9jyBBNd-tdnOLWqof_TFSVeEwYUEV3v4-xo6H-huISsfQ6QAqJajEBQdd0RO-E0kopG_WzHaEkEaJ7MLCEs4ozVoVuZ5NX-1hC28ze9CjitGcJ5DlCaW6jA*

or one of these plus lots of letters and numbers after the initial name, like in the two examples above:

pctools.com plus .....
britanniasearch/....
aq.com/....
new-anti-virus-download.com/...
7search.com/...
poolschools.com/...
2010softwarereports.com/...
clickstraffic.com/... (this one loads quite frequently, but the page does not load)
unitedamericaninsurance.com/...

If I open up additional windows then they are fine as no unwanted pages appear.

I have downloaded Malwarebytes Anti-Malware and already had Spybot Search and Destroy and AVG Anti-Virus version 8.5, but none have helped.

I tried to upgrade AVG to version 9, but ZoneAlarm told me stub.exe was trying to access my computer, so I denied it and could not download the upgrade.

Also I have noticed that when I turn the computer off I always get the message "ending program please wait" despite all programs that I was aware of being closed.

The computer then says "The program is not responding" so I click end now and the computer shuts down.

I installed the "Hive cleanup service" from Microsoft, which then helped the computer to close down without the "program is not responding" messages. HOWEVER, when I tried this again the same messages started appearing saying "The program is not responding".

Thanks in advance for your help


DDS (Ver_09-10-26.01) - NTFSx86
Run by Mark Bruce at 15:23:11.89 on 11/11/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.101 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\TalkTalk\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BandwidthMeter\BandwidthMeter.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mark Bruce\My Documents\Downloads\RootRepeal.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\Mark Bruce\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mytalktalk.co.uk
uSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
uDefault_Page_URL = hxxp://www.dell.co.uk/myway
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: UberButton Class: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: YahooTaggedBM Class: {65d886a2-7ca7-479b-bb95-14d1efb7946a} - c:\program files\yahoo!\common\YIeTagBm.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRun: [Defence] "c:\documents and settings\all users\defence\smss.exe" -SystemDefence
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [TalkTalk] "c:\program files\talktalk\bin\sprtcmd.exe" /P TalkTalk
mRun: [NWEReboot]
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\markbr~1\startm~1\programs\startup\bandwi~1.lnk - c:\program files\bandwidthmeter\BandwidthMeter.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: antimalwareguard.com
Trusted Zone: antimalwareguard.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.euro.dell.com/systemprofiler/SysPro.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135028936687
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\markbr~1\applic~1\mozilla\firefox\profiles\74jqglan.default\
FF - prefs.js: browser.startup.homepage - www.bbc.co.uk/news
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\mark bruce\application data\mozilla\firefox\profiles\74jqglan.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\entriq\mediasphere\3.8.2.9\npEntriqMediaMozillaPlugin.dll
FF - plugin: c:\program files\entriq\mediasphere\3.8.2.9\npEntriqVersionCheckMozillaPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Internal security: No Registry Reference - c:\program files\mozilla firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [2006-7-5 63352]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-4 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-4 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-7-19 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-4 297752]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\talktalk\bin\sprtsvc.exe [2007-10-12 202016]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\common files\supportsoft\bin\tgsrvc.exe [2007-8-2 148768]
S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2005-8-16 14336]
S3 V0260VID;Live! Cam Vista IM;c:\windows\system32\drivers\V0260Vid.sys [2007-3-18 178913]

=============== Created Last 30 ================

2009-11-11 10:56:07 0 d-----w- c:\program files\Cobian Backup 9
2009-11-10 21:50:29 0 d-----w- c:\docume~1\markbr~1\applic~1\AVG8
2009-11-10 21:18:57 0 d-----w- C:\_OTM
2009-11-10 21:00:12 0 d-----w- c:\program files\UPHClean
2009-11-10 20:54:13 0 d-----w- c:\program files\CCleaner
2009-11-10 17:52:28 0 d-----w- c:\program files\Trend Micro
2009-11-10 10:48:10 0 d-----w- c:\docume~1\markbr~1\applic~1\Malwarebytes
2009-11-10 10:48:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 10:48:00 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 10:48:00 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-10 10:48:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-09 21:56:28 0 d-----w- c:\documents and settings\all users\Defence

==================== Find3M ====================

2009-10-22 09:19:04 5939712 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:35:52 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-08-25 08:22:46 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2008-08-28 16:11:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082820080829\index.dat
2008-09-09 22:11:27 3766304 --sha-w- c:\windows\system32\drivers\fidbox.dat

============= FINISH: 15:25:29.37 ===============


Edited by Orange Blossom, 11 November 2009 - 10:30 PM.
Deactivate links. ~ OB
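As an added triage example (not part of this thread, and not code from the DDS tool): a small Python script that parses the Run-key and Trusted Zone lines of the DDS "Pseudo HJT Report" format shown above and lists the entries a malware responder would want to look at first. The sample lines are copied from the log above; the heuristics (core Windows process names starting outside system32, autostart executables under Documents and Settings, additions to the IE Trusted sites zone) are this example's own assumptions for review, not a verdict on any entry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the format of the DDS "Pseudo HJT Report" section
# (lines copied from the log in this thread; only Run-key and Trusted Zone
# lines are interpreted, every other line type is ignored).
SAMPLE_LINES = r"""
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Defence] "c:\documents and settings\all users\defence\smss.exe" -SystemDefence
mRun: [NWEReboot]
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
Trusted Zone: antimalwareguard.com
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
"""

RUN_RE = re.compile(r"^(?P<kind>[umd]Run): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
ZONE_RE = re.compile(r"^Trusted Zone: (?P<host>\S+)$")

# Heuristic knobs (assumptions of this example, not DDS semantics): core
# Windows process names that only ever start from system32 on XP, and the
# profile tree that a non-admin user can write to.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
EXPECTED_DIR = "c:\\windows\\system32"
USER_WRITABLE_PREFIX = "c:\\documents and settings\\"


@dataclass
class Entry:
    kind: str   # "uRun", "mRun", "dRun" or "TrustedZone"
    name: str   # registry value name, or the trusted host
    path: str   # lower-cased executable path ("" if the value is empty), or the host
    raw: str    # the original report line


def executable_path(cmd: str) -> str:
    """Return the executable portion of a Run-key command, lower-cased."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):            # quoted path; arguments follow the closing quote
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).lower()
    return cmd.split()[0].lower()      # unquoted: the first token is the program


def parse_line(line: str) -> Optional[Entry]:
    """Parse one DDS report line; None for line types this example ignores."""
    m = RUN_RE.match(line)
    if m:
        return Entry(m["kind"], m["name"], executable_path(m["cmd"]), line)
    m = ZONE_RE.match(line)
    if m:
        return Entry("TrustedZone", m["host"], m["host"].lower(), line)
    return None


def triage(entry: Entry) -> List[str]:
    """Reasons a responder would want to review this entry; empty if none."""
    if entry.kind == "TrustedZone":
        return [f"{entry.path} was added to the IE Trusted sites zone, which relaxes security for it"]
    if not entry.path:
        return []                      # empty value such as [NWEReboot]: nothing is run
    directory, _, basename = entry.path.rpartition("\\")
    reasons = []
    if basename in SYSTEM_BINARIES and directory != EXPECTED_DIR:
        reasons.append(f"{basename} is a core Windows process name but starts from "
                       f"{directory or '(no directory)'} instead of {EXPECTED_DIR}")
    if entry.path.startswith(USER_WRITABLE_PREFIX):
        reasons.append("autostart executable lives under a user-writable profile folder")
    return reasons


def review_dds(text: str) -> List[Tuple[Entry, List[str]]]:
    """Return only the entries that triggered at least one triage reason."""
    flagged = []
    for line in text.strip().splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in review_dds(SAMPLE_LINES):
        print(entry.raw)
        for reason in reasons:
            print("   ->", reason)
```

Run against the sample, the script flags the [Defence] entry (twice) and the Trusted Zone addition and stays silent on the Dell, ctfmon and Rundll32 entries; the BHO line is not parsed at all.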


#2 thcbytes
  • Malware Response Team
  • 14,790 posts

Posted 17 November 2009 - 10:53 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 mark436
  • Topic Starter
  • Members
  • 37 posts

Posted 17 November 2009 - 01:33 PM

Thanks for responding. Please note the scan seemed to run OK, so I did not disable AVG (free edition anti-virus), ZoneAlarm, Malwarebytes or Spybot Search and Destroy.

After sending this reply I will close this computer down and use an alternative computer, so as not to affect the results posted below:

DDS (Ver_09-10-26.01) - NTFSx86
Run by Mark Bruce at 18:16:11.63 on 17/11/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.207 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\TalkTalk\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\BandwidthMeter\BandwidthMeter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wscript.exe
C:\Documents and Settings\Mark Bruce\My Documents\Downloads\dds(3).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mytalktalk.co.uk
uSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
uDefault_Page_URL = hxxp://www.dell.co.uk/myway
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: UberButton Class: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: YahooTaggedBM Class: {65d886a2-7ca7-479b-bb95-14d1efb7946a} - c:\program files\yahoo!\common\YIeTagBm.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRun: [Defence] "c:\documents and settings\all users\defence\smss.exe" -SystemDefence
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [TalkTalk] "c:\program files\talktalk\bin\sprtcmd.exe" /P TalkTalk
mRun: [NWEReboot]
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\markbr~1\startm~1\programs\startup\bandwi~1.lnk - c:\program files\bandwidthmeter\BandwidthMeter.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: antimalwareguard.com
Trusted Zone: antimalwareguard.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.euro.dell.com/systemprofiler/SysPro.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135028936687
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\markbr~1\applic~1\mozilla\firefox\profiles\74jqglan.default\
FF - prefs.js: browser.startup.homepage - www.bbc.co.uk/news
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\mark bruce\application data\mozilla\firefox\profiles\74jqglan.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\entriq\mediasphere\3.8.2.9\npEntriqMediaMozillaPlugin.dll
FF - plugin: c:\program files\entriq\mediasphere\3.8.2.9\npEntriqVersionCheckMozillaPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Internal security: No Registry Reference - c:\program files\mozilla firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [2006-7-5 63352]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-4 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-4 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-7-19 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-4 297752]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\talktalk\bin\sprtsvc.exe [2007-10-12 202016]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\common files\supportsoft\bin\tgsrvc.exe [2007-8-2 148768]
S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2005-8-16 14336]
S3 V0260VID;Live! Cam Vista IM;c:\windows\system32\drivers\V0260Vid.sys [2007-3-18 178913]

=============== Created Last 30 ================

2009-11-11 10:56:07 0 d-----w- c:\program files\Cobian Backup 9
2009-11-10 21:50:29 0 d-----w- c:\docume~1\markbr~1\applic~1\AVG8
2009-11-10 21:18:57 0 d-----w- C:\_OTM
2009-11-10 21:00:12 0 d-----w- c:\program files\UPHClean
2009-11-10 20:54:13 0 d-----w- c:\program files\CCleaner
2009-11-10 17:52:28 0 d-----w- c:\program files\Trend Micro
2009-11-10 10:48:10 0 d-----w- c:\docume~1\markbr~1\applic~1\Malwarebytes
2009-11-10 10:48:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 10:48:00 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 10:48:00 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-10 10:48:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-09 21:56:28 0 d-----w- c:\documents and settings\all users\Defence

==================== Find3M ====================

2009-10-22 09:19:04 5939712 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:35:52 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-08-25 08:22:46 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2008-08-28 16:11:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082820080829\index.dat
2008-09-09 22:11:27 3766304 --sha-w- c:\windows\system32\drivers\fidbox.dat

============= FINISH: 18:19:30.95 ===============
Attached File: Attach.txt (17.29KB)

#4 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:47 AM

Posted 17 November 2009 - 04:03 PM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am Posted Image and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

==========

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
  • Close/Exit Spybot Search and Destroy
After you have disabled TeaTimer, download ResetTeaTimer.exe to your desktop.
Then run ResetTeaTimer.exe.
This will only take a few seconds.

==========

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

==========

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

==========

RKill by Grinler

Link #1
Link #2
Link #3
Link #4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
==========

Download and run Win32kDiag:


Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it. A black Command Prompt window will appear shortly: the program is running. If you are using Vista please right click and run as Admin!
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.



Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.


==========

With your next post please provide:

* Exehelper log
* Win32kDiag.txt
* Log.txt
* Combofix.txt

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#5 mark436

mark436
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:05:47 AM

Posted 18 November 2009 - 07:36 AM

Please note I am sending my reply in two parts, as last time combo fix rebooted my computer (I did save them, but then thought I might as well just run everything once again and just copy and paste everything as it is received; this way I do not end up giving you any old data).

I've noticed win 32 says:-
WARNING: Could not get backup privileges!

I have unchecked the boxes for spybot, and on my avg virus I disabled the resident shield and the update manager, but I was unable to find out how to stop it on start up. Once it has loaded, the shield and update manager are still disabled, so I am hoping this is ok.

Also I have the free version of Malwarebytes Anti-Malware and the free zone alarm; do they need to be disabled?

Finally, when combo fix was previously running zone alarm detected ping.exe and PEV.cfxxe. I allowed those through zone alarm, as combo fix I think halted until I gave them permission.

My next email will contain the combo fix log




exeHelper by Raktor
Build 20091021
Run at 08:22:59 on 11/18/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20091021
Run at 12:15:02 on 11/18/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--



Running from: C:\Documents and Settings\Mark Bruce\My Documents\Downloads\Win32kDiag(2).exe

Log file at : C:\Documents and Settings\Mark Bruce\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!



Volume in drive C has no label.
Volume Serial Number is 44B1-0006

Directory of C:\WINDOWS\$NtServicePackUninstall$

10/08/2004 05:00 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

10/08/2004 05:00 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

10/08/2004 05:00 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ERDNT\cache

14/04/2008 00:12 181,248 scecli.dll

Directory of C:\WINDOWS\ERDNT\cache

14/04/2008 00:12 407,040 netlogon.dll

Directory of C:\WINDOWS\ERDNT\cache

14/04/2008 00:11 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 00:12 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 00:12 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 00:11 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

14/04/2008 00:12 181,248 scecli.dll

Directory of C:\WINDOWS\system32

14/04/2008 00:12 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

14/04/2008 00:11 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
12 File(s) 2,576,896 bytes
0 Dir(s) 94,206,828,544 bytes free

#6 mark436

mark436
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:05:47 AM

Posted 18 November 2009 - 08:02 AM

The combo fix is below. Please also see my last reply for the other parts (exehelper, win32 and log) in case you are reading this first.

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.358 [GMT 0:00]
Running from: c:\documents and settings\Mark Bruce\My Documents\Downloads\thcbytes.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2009-10-18 to 2009-11-18 )))))))))))))))))))))))))))))))
.

2009-11-18 12:41 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-18 12:41 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-18 09:03 . 2009-11-18 09:09 -------- d-----w- C:\ComboFix
2009-11-18 08:41 . 2009-11-18 08:41 -------- d--h--w- c:\windows\PIF
2009-11-11 10:56 . 2009-11-11 10:57 -------- d-----w- c:\program files\Cobian Backup 9
2009-11-10 21:50 . 2009-11-10 21:50 -------- d-----w- c:\documents and settings\Mark Bruce\Application Data\AVG8
2009-11-10 21:18 . 2009-11-10 21:18 -------- d-----w- C:\_OTM
2009-11-10 21:00 . 2009-11-10 21:00 -------- d-----w- c:\program files\UPHClean
2009-11-10 20:54 . 2009-11-10 20:54 -------- d-----w- c:\program files\CCleaner
2009-11-10 17:52 . 2009-11-10 17:52 -------- d-----w- c:\program files\Trend Micro
2009-11-10 10:48 . 2009-11-10 10:48 -------- d-----w- c:\documents and settings\Mark Bruce\Application Data\Malwarebytes
2009-11-10 10:48 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 10:48 . 2009-11-10 10:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-10 10:48 . 2009-11-10 10:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-10 10:48 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-09 22:03 . 2009-11-09 22:03 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-09 21:56 . 2009-11-09 21:56 -------- d-----w- c:\documents and settings\All Users\Defence

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-18 08:11 . 2008-08-28 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-10 09:40 . 2008-08-28 16:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-28 07:48 . 2008-11-22 20:37 14918422 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-10-21 10:53 . 2009-10-21 10:55 2130944 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-10-04 22:14 . 2009-10-04 22:14 22486 ----a-r- c:\documents and settings\Mark Bruce\Application Data\Microsoft\Installer\{A92BE5A9-0BFC-4D09-8DA4-D73AA99932FB}\_40E89C1E288A0A85630CDC.exe
2009-10-04 22:14 . 2009-10-04 22:14 22486 ----a-r- c:\documents and settings\Mark Bruce\Application Data\Microsoft\Installer\{A92BE5A9-0BFC-4D09-8DA4-D73AA99932FB}\_3C6817698EC48A66DE7D0F.exe
2009-10-04 22:14 . 2009-03-21 12:12 -------- d-----w- c:\program files\IE Software Auto
2009-09-11 14:18 . 2005-08-16 04:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2005-08-16 04:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 10:53 . 2009-09-10 14:24 22848 ----a-w- c:\documents and settings\Mark Bruce\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-09-03 10:53 . 2009-09-10 14:24 30912 ----a-w- c:\documents and settings\Mark Bruce\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-09-03 10:53 . 2009-09-10 14:23 19792 ----a-w- c:\documents and settings\Mark Bruce\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-08-29 08:08 . 2005-08-16 04:18 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2005-08-16 04:19 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 08:22 . 2008-11-04 21:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-25 08:22 . 2008-11-04 21:34 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-25 08:22 . 2008-11-04 21:34 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-24 08:09 . 2005-11-23 19:18 37712 ----a-w- c:\documents and settings\Mark Bruce\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-09-09 22:11 . 2008-08-28 15:30 3766304 --sha-w- c:\windows\system32\drivers\fidbox.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 202088]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Defence"="c:\documents and settings\All Users\Defence\smss.exe" [2009-11-09 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-05 2028312]
"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 202016]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2004-06-10 60928]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Mark Bruce\Start Menu\Programs\Startup\
Bandwidth Meter.lnk - c:\program files\BandwidthMeter\BandwidthMeter.exe [2007-12-9 275968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-8-28 24576]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-9 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-5-12 65588]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-11-28 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-25 08:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\supportsoft\\bin\\tgsrvc.exe"=
"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [05/07/2006 12:46 63352]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [04/11/2008 21:34 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [04/11/2008 21:34 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [19/07/2009 08:49 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [04/11/2008 21:33 297752]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [12/10/2007 09:33 202016]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\supportsoft\bin\tgsrvc.exe [02/08/2007 14:42 148768]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [16/08/2005 04:18 14336]
S3 V0260VID;Live! Cam Vista IM;c:\windows\system32\drivers\V0260Vid.sys [18/03/2007 20:11 178913]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PROCEXP113
*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-11-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2006-07-03 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4134924032.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 17:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mytalktalk.co.uk
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Mark Bruce\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\
FF - prefs.js: browser.startup.homepage - www.bbc.co.uk/news
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Mark Bruce\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Entriq\MediaSphere\3.8.2.9\npEntriqMediaMozillaPlugin.dll
FF - plugin: c:\program files\Entriq\MediaSphere\3.8.2.9\npEntriqVersionCheckMozillaPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-18 12:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F9F4B0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74d6f28
\Driver\ACPI -> ACPI.sys @ 0xf7369cb8
\Driver\atapi -> 0x86f9f4b0
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1176)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-18 12:53
ComboFix-quarantined-files.txt 2009-11-18 12:53
ComboFix2.txt 2009-11-18 09:35

Pre-Run: 94,185,906,176 bytes free
Post-Run: 94,130,900,992 bytes free

- - End Of File - - 5148DA9DC59687BF7B54E9F4C147C3D6

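The "Reg Loading Points" section of the ComboFix log above is where a helper first looks for suspicious autoruns; the "Defence" entry launching smss.exe from an All Users folder is the kind of line that stands out. The following is an added triage script, not part of the thread and not ComboFix's own code, that parses that section and flags Run entries that reuse a core Windows binary name from outside the Windows directory or start from a user-profile directory; the sample log is constructed from lines quoted in the post.

```python
"""Triage heuristics for the 'Reg Loading Points' section of a ComboFix log.

Added example: the heuristics and SYSTEM_BINARIES list are assumptions of this
example, not ComboFix output rules.
"""
import re
from typing import Dict, List

# Core Windows binaries that legitimately live only under %SystemRoot% on XP.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "explorer.exe", "userinit.exe"}

# Directory prefixes where a copy of those names is expected (XP default install).
EXPECTED_PREFIXES = ("c:\\windows\\",)

# ComboFix prints Run values as "Name"="path" [date size]; the bracket part is optional.
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?:\s+\[(?P<meta>[^\]]*)\])?')

# Constructed sample, copied from the Run-key lines quoted in the post above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Defence"="c:\documents and settings\All Users\Defence\smss.exe" [2009-11-09 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2004-06-10 60928]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-25 08:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll
"""


def parse_run_entries(log_text: str) -> List[Dict[str, str]]:
    """Collect values that sit under a registry key ending in \\Run."""
    entries: List[Dict[str, str]] = []
    hive = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            hive = line[1:-1]          # new key header, e.g. [HKEY_CURRENT_USER\...\Run]
            continue
        m = RUN_LINE.match(line)
        if m and hive and hive.lower().endswith("\\run"):
            entries.append({"hive": hive, "name": m["name"],
                            "path": m["path"], "meta": m["meta"] or ""})
    return entries


def suspicious_entries(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag autoruns by two heuristics; each flagged entry carries its reasons."""
    flagged: List[Dict[str, object]] = []
    for e in entries:
        path = e["path"].lower()
        base = path.rsplit("\\", 1)[-1]
        reasons = []
        if base in SYSTEM_BINARIES and not path.startswith(EXPECTED_PREFIXES):
            reasons.append("system binary name outside %SystemRoot%")
        if path.startswith("c:\\documents and settings\\"):
            reasons.append("autorun from a user profile directory")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_entries(parse_run_entries(SAMPLE_LOG)):
        print(f'{hit["hive"]}\\{hit["name"]} -> {hit["path"]}')
        for r in hit["reasons"]:
            print("   ", r)
```

On the sample the only hit is the "Defence" value, flagged for both reasons; every other entry resolves to Program Files or %SystemRoot%.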
#7 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:47 AM

Posted 18 November 2009 - 09:50 AM

Good job. :(

Please do not run programs more than once. If you encounter troubles, stop and tell me about it.

I need these Combofix logs.

c:\ComboFix-quarantined-files.txt
c:\ComboFix2.txt
c:\ComboFix.txt

The output of this application below will help you find these logs (plus some other info I need) if they are not at the root of the drive...

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *combofix*
    *atapi.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

==========

Please download MBR.exe from here ->
http://www2.gmer.net/mbr/mbr.exe

Save the file to your desktop and double click on it.

A new text file will appear on your desktop, created by the tool. Copy and paste that file here, please.

==========

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

==========

2009-11-10 21:18 . 2009-11-10 21:18 -------- d-----w- C:\_OTM

Why have you used this application? What exactly did you do with it?

==========

Are you still getting popups?
How is your computer running?

==========

With your next post please provide:

* Combofix logs
* SystemLook log
* MBR log
* GMER log
* Answer to questions

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#8 mark436

mark436
  • Topic Starter

  • Members
  • 37 posts

Posted 18 November 2009 - 05:26 PM

With regards to your question, this is what I did with the following:-

2009-11-10 21:18 . 2009-11-10 21:18 -------- d-----w- C:\_OTM

Well, I may have done the wrong thing here but... I was looking for a cure to my problems on the internet when I discovered the following link:-

http://www.boards.ie/vbulletin/showthread....2651&page=2

Then, if you scroll down to comment no. 22 (actor seeks job), you will discover the instructions to use the above. (It did not help!)

On my C drive I found this OTM folder. When I click on it a new folder entitled "movedfiles" appears; when I click on this, a text document appears which I can open with "notepad", and also a RES file appears. When I click on this, a Spybot Search and Destroy box appears saying "spybot search and destroy-malware nothing found" and "spybot search and destroy heuristic with a white cross in a red circle 11102009 211857.res My Points".

When I first downloaded ComboFix it seemed to have solved the problem, as the additional pop-up screen did not open. Having said that, it can sometimes allow me to open new screens for a few minutes before returning.

However when I rebooted the problem was back!

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 17:03 on 18/11/2009 by Mark Bruce (Administrator - Elevation successful)

========== filefind ==========

Searching for "*combofix*"
C:\ComboFix.txt --a--- 14539 bytes [12:53 18/11/2009] [12:53 18/11/2009] 0BAC8F178A653C3396BDCB6FF461D4AC
C:\Qoobox\ComboFix-quarantined-files.txt --a--- 606 bytes [09:35 18/11/2009] [12:53 18/11/2009] BA066085268FF5816B25E7006A7F9AAF
C:\Qoobox\ComboFix2.txt --a--- 14605 bytes [09:35 18/11/2009] [09:35 18/11/2009] 620991B7B0C1A4149A464BD849BB0357

Searching for "*atapi.sys"
C:\i386\atapi.sys --a--- 95360 bytes [17:44 23/11/2005] [22:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [15:42 28/08/2008] [22:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [09:34 18/11/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [07:52 27/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--- 96512 bytes [12:41 18/11/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [12:41 18/11/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys --a--- 96512 bytes [17:41 28/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\atapi.sys --a--- 96512 bytes [17:41 28/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-

When I download MBR.exe it says download complete. If I double click on it a black box appears, then a second later it is gone with no sign of any information. But if, after it says download complete, I right click and instead of clicking "open" I click on "open containing folder", the file then goes to my documents/folders; then I right click and "send to desktop". Then when it's on my desktop I double click it and again the black box appears for a second but then vanishes.

I downloaded GMER the scan took just under two hours and then instead of clicking save I clicked ok, can I run it again?
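An added example for the SystemLook output in the post above (it is not part of the thread, SystemLook or ComboFix): a parser for the ":filefind" result lines that groups hits by search term and then checks whether the live atapi.sys in system32\drivers matches the protected copies Windows keeps in dllcache and ServicePackFiles. The first sample is taken verbatim from the log above; the second is constructed to show the mismatch case, with an all-zero placeholder hash.

```python
"""Parse SystemLook ':filefind' output and compare the live copy of a driver
with the protected copies Windows keeps. Added example for this thread; it is
not part of SystemLook, ComboFix or the thread's own material."""
import re
from collections import defaultdict
from dataclasses import dataclass

# One result line of a filefind section, as SystemLook writes it:
#   <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<term>[^"]+)"$')

# Sample input: lines taken verbatim from the SystemLook log posted above.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "*combofix*"
C:\ComboFix.txt --a--- 14539 bytes [12:53 18/11/2009] [12:53 18/11/2009] 0BAC8F178A653C3396BDCB6FF461D4AC
C:\Qoobox\ComboFix-quarantined-files.txt --a--- 606 bytes [09:35 18/11/2009] [12:53 18/11/2009] BA066085268FF5816B25E7006A7F9AAF
C:\Qoobox\ComboFix2.txt --a--- 14605 bytes [09:35 18/11/2009] [09:35 18/11/2009] 620991B7B0C1A4149A464BD849BB0357

Searching for "*atapi.sys"
C:\i386\atapi.sys --a--- 95360 bytes [17:44 23/11/2005] [22:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [15:42 28/08/2008] [22:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [07:52 27/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--- 96512 bytes [12:41 18/11/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [12:41 18/11/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-
"""

# Constructed sample of the failure mode: same size and timestamps, but the live
# driver's hash differs. The all-zero MD5 is a placeholder, not a real indicator.
MISMATCH_LOG = r"""
Searching for "*atapi.sys"
C:\WINDOWS\system32\dllcache\atapi.sys --a--- 96512 bytes [12:41 18/11/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [12:41 18/11/2009] [18:40 13/04/2008] 00000000000000000000000000000000
"""


@dataclass(frozen=True)
class FileEntry:
    path: str
    attrs: str
    size: int
    created: str
    modified: str
    md5: str


def parse_filefind(text):
    """Return {search_term: [FileEntry, ...]} for every 'Searching for' block."""
    results = defaultdict(list)
    term = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            term = m.group("term")
            continue
        m = LINE_RE.match(line)
        if m and term is not None:
            g = m.groupdict()
            results[term].append(FileEntry(g["path"], g["attrs"], int(g["size"]),
                                           g["created"], g["modified"], g["md5"].upper()))
    return dict(results)


# The loaded copy, and the protected copies Windows keeps at the same service-pack
# level. C:\i386 (install media) and the uninstall/backup folders are not used as
# references on purpose: they may legitimately predate the installed service pack.
LIVE_DIR = "\\system32\\drivers\\"
REFERENCE_DIRS = ("\\system32\\dllcache\\", "\\servicepackfiles\\i386\\")


def check_live_driver(entries):
    """Return (verdict, live_md5, reference_md5s): 'consistent', 'mismatch'
    (live copy differs from every protected copy, which is how a replaced or
    patched driver shows up) or 'unknown' (live or reference copy missing)."""
    live = [e for e in entries if LIVE_DIR in e.path.lower()]
    refs = [e for e in entries if any(d in e.path.lower() for d in REFERENCE_DIRS)]
    if not live or not refs:
        return "unknown", None, set()
    ref_md5s = {e.md5 for e in refs}
    verdict = "consistent" if live[0].md5 in ref_md5s else "mismatch"
    return verdict, live[0].md5, ref_md5s


def audit(text, term="*atapi.sys"):
    """Parse a whole SystemLook log and check one searched-for driver."""
    return check_live_driver(parse_filefind(text).get(term, []))


if __name__ == "__main__":
    for name, log in (("thread log", SAMPLE_LOG), ("constructed", MISMATCH_LOG)):
        print(name, *audit(log))
```

A differing hash in C:\i386 alone is not a finding: that copy comes from the install media and predates the service pack, which is why only dllcache and ServicePackFiles are used as references.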

#9 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 18 November 2009 - 07:05 PM

Yes - re-run Gmer and post a log.

==========

I need you to post these logs too....

C:\ComboFix.txt
C:\Qoobox\ComboFix-quarantined-files.txt
C:\Qoobox\ComboFix2.txt

==========

This log also....

On my C drive I found this OTM folder; when I click on it a new folder entitled "movedfiles" appears; when I click on this a text document appears which I can open with "notepad"


Thanks,
~t

#10 mark436

mark436
  • Topic Starter

  • Members
  • 37 posts

Posted 19 November 2009 - 08:16 AM

GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2009-11-18 22:05:05
Windows 5.1.2600 Service Pack 3
Running: 7y46ievg.exe; Driver: C:\DOCUME~1\MARKBR~1\LOCALS~1\Temp\pxtdypoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xEE66F040]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xEE66B930]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xEE676A80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xEE66F510]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xEE675870]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcessEx [0xEE675AA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateSection [0xEE678FD0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateWaitablePort [0xEE66F600]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xEE66BF20]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xEE6776E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xEE677440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDuplicateObject [0xEE675580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xEE6778B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xEE66BD70]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenProcess [0xEE675350]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenThread [0xEE675150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRenameKey [0xEE678250]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xEE677CB0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xEE66EC00]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xEE678080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSecureConnectPort [0xEE66F220]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xEE66C120]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xEE677140]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwTerminateProcess [0xEE675CD0]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xEB80B6D0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C7C 80504518 12 Bytes [10, F5, 66, EE, 70, 58, 67, ...]
? srescan.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !
? C:\DOCUME~1\MARKBR~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

? C:\Documents and Settings\All Users\Defence\smss.exe[1916] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: oleaut32.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [EE673CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [EE6741C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [EE674320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [EE673E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [EE673E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [EE673CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [EE6741C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [EE674320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [EE673CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [EE673E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [EE674320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [EE6741C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [EE674320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EE6741C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [EE673CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [EE673E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [EE673CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [EE6741C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [EE674320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [EE673CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [EE673E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [EE674320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [EE6741C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [KERNEL32.dll!GetCurrentProcessId] FFFC4589
IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [KERNEL32.dll!GetCurrentThreadId] 40759C05
IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [KERNEL32.dll!GetTickCount] 04EB8300
IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [KERNEL32.dll!QueryPerformanceCounter] 75A01D01
IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [KERNEL32.dll!IsDebuggerPresent] ADE80040
IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [KERNEL32.dll!SetUnhandledExceptionFilter] EB00000C
IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [KERNEL32.dll!UnhandledExceptionFilter] E8C38B32
IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [KERNEL32.dll!GetCurrentProcess] FFFFFDB4
IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [KERNEL32.dll!TerminateProcess] 33FC4589
IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [KERNEL32.dll!GetStartupInfoA] 59595AC0
IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [KERNEL32.dll!InterlockedCompareExchange] 68108964
IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [KERNEL32.dll!Sleep] [0040204B] C:\Documents and Settings\All Users\Defence\smss.exe
IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [KERNEL32.dll!InterlockedExchange] 70353D80
IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [KERNEL32.dll!CreateMutexA] 74000040
IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [KERNEL32.dll!GetModuleFileNameA] 75B4680A
IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [KERNEL32.dll!FindResourceA] FDE80040
IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [KERNEL32.dll!SizeofResource] C3FFFFF0
IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [KERNEL32.dll!LoadResource] 000BBFE9
IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [KERNEL32.dll!LockResource] 8BE5EB00
IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 5E5FFC45
IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [KERNEL32.dll!GetVolumeInformationA] 5D59595B
IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [KERNEL32.dll!ExitProcess] [00408DC3] C:\Documents and Settings\All Users\Defence\smss.exe
IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [KERNEL32.dll!GetModuleHandleA] 51EC8B55
IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [KERNEL32.dll!GetProcAddress] 8B575653
IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [KERNEL32.dll!OpenMutexA] A3C033D8
IAT C:\Documents and Settings\All Users\Defence\smss.exe[1916] @ C:\Documents and Settings\All Users\Defence\smss.exe [USER32.dll!FindWindowA] 75A00529

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\USBSTOR \Device\00000065 86EE5968
Device \Driver\atapi \Device\Ide\IdePort0 86FCBB18
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 86FCBB18
Device \Driver\atapi \Device\Ide\IdePort1 86FCBB18
Device \Driver\atapi \Device\Ide\IdePort2 86FCBB18
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 86FCBB18
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 86FCBB18
Device \Driver\USBSTOR \Device\00000067 86EE5968
Device \Driver\USBSTOR \Device\00000068 86EE5968
Device \Driver\USBSTOR \Device\00000069 86EE5968
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\USBSTOR \Device\0000006a 86EE5968
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

This time it took longer to check, about 3 hours.

Below is that OTM log, 21112009 _211857:

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
No service named BattStatSys was found to stop!
Unable to stop service BattStatSys!
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF2DB.tmp deleted successfully.
->Temp folder emptied: 32768 bytes
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat deleted successfully.
->Temporary Internet Files folder emptied: 32768 bytes

User: All Users

User: Default User
C:\Documents and Settings\Default User\Local Settings\Temp\~DF2DB.tmp deleted successfully.
->Temp folder emptied: 32768 bytes
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini deleted successfully.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat deleted successfully.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\desktop.ini deleted successfully.
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 0 bytes
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WW05GWW9\desktop.ini deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KKM0TECJ\desktop.ini deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6R99V5A6\desktop.ini deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\03F8AC9Y\desktop.ini deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini deleted successfully.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\desktop.ini deleted successfully.
->Temporary Internet Files folder emptied: 33170 bytes
C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\ay4t786b.default\Cache\0966A9B5d01 deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\ay4t786b.default\Cache\0FD44E77d01 deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\ay4t786b.default\Cache\413E2DC5d01 deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\ay4t786b.default\Cache\41C7B09Dd01 deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\ay4t786b.default\Cache\43E35762d01 deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\ay4t786b.default\Cache\69DC1C22d01 deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\ay4t786b.default\Cache\72EADF3Ed01 deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\ay4t786b.default\Cache\73966D8Cd01 deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\ay4t786b.default\Cache\779C7326d01 deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\ay4t786b.default\Cache\C07191A9d01 deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\ay4t786b.default\Cache\DA6BDDC0d01 deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\ay4t786b.default\Cache\DAB3AACCd01 deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\ay4t786b.default\Cache\E69C9837d01 deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\ay4t786b.default\Cache\EAB1B12Fd01 deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\ay4t786b.default\Cache\_CACHE_001_ deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\ay4t786b.default\Cache\_CACHE_002_ deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\ay4t786b.default\Cache\_CACHE_003_ deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\ay4t786b.default\Cache\_CACHE_MAP_ deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\ay4t786b.default\XPC.mfl deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\ay4t786b.default\XUL.mfl deleted successfully.
->FireFox cache emptied: 4126039 bytes

User: Mark Bruce
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\plugtmp-53\plugin-data deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\plugtmp-53\plugin-data-1 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\plugtmp-53\plugin-data-2 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\2009_principal_races-1.xls deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\2009_principal_races.xls deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\3, Woodfield Terrace, Thornwood, EPPING, CM16 6LL.pdf deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\39, 164.pdf deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\39, 177.pdf deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\39, 187.pdf deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\39, 188.pdf deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\402391230.pdf deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\46, Laing Close, ILFORD, IG6 2UF.pdf deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\67a, Church Hill, LOUGHTON, IG10 1QP.pdf deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\9, Guys Retreat, North End, BUCKHURST HILL, IG9 5QZ.pdf deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\Ascot Map.pdf deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\AUInst.log deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\CFGDE.tmp deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\D4079.xls deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\energy-efficient-lighting.pdf deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\final Mold Summary for tsonga investigation .doc deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\IoS_Political_Poll_15_Feb_09.pdf deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\MyLoanBook_20090804.csv.xls deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\Offer letter3Thornwood Terrace-1.doc deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\Offer letter3Thornwood Terrace.doc deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\report-1.pdf deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\report-2.pdf deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\report.pdf deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\risk_info_to_lenders.zip deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\Risk_Info_to_Lenders20090716.zip deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\scan-2.jpg deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\scan-3.jpg deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\scan.jpg deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\scan0001.jpg deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\T Cs Residential Lettings-1.doc deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\T Cs Residential Lettings.doc deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\ViewBill-1.pdf deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\ViewBill.pdf deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\zopa_market_data-1.zip deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\zopa_market_data-2.zip deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\zopa_market_data-3.zip deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\zopa_market_data.zip deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\_is89.exe deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\_is8A.exe deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\_is8B.exe deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\~DF2A0C.tmp deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\~DF574D.tmp deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temp\~DFE828.tmp deleted successfully.
->Temp folder emptied: 13850375 bytes
C:\Documents and Settings\Mark Bruce\Local Settings\Temporary Internet Files\Content.IE5\VIM6ZPCK\desktop.ini deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temporary Internet Files\Content.IE5\IFU00P3R\desktop.ini deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temporary Internet Files\Content.IE5\7X4C40OP\desktop.ini deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temporary Internet Files\Content.IE5\5Z0LET12\desktop.ini deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temporary Internet Files\Content.IE5\2NHOQN0O\AjaxDispatcher[1].ashx deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temporary Internet Files\Content.IE5\2NHOQN0O\AjaxDispatcher[2].ashx deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temporary Internet Files\Content.IE5\2NHOQN0O\broker[1].js deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temporary Internet Files\Content.IE5\2NHOQN0O\Consumer_Right-nav-bar_bottom[1].gif deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temporary Internet Files\Content.IE5\2NHOQN0O\default[1].css deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temporary Internet Files\Content.IE5\2NHOQN0O\desktop.ini deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temporary Internet Files\Content.IE5\2NHOQN0O\gsfx_brnd_toolbar_shadow[1].png deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temporary Internet Files\Content.IE5\2NHOQN0O\gss_sticky_panel_outline[1].png deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temporary Internet Files\Content.IE5\2NHOQN0O\kb[1].js deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temporary Internet Files\Content.IE5\2NHOQN0O\kb_disclaimer_bottom_background[1].png deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temporary Internet Files\Content.IE5\2NHOQN0O\search[1].js deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temporary Internet Files\Content.IE5\2NHOQN0O\ss_dd_select1[1].png deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temporary Internet Files\Content.IE5\2NHOQN0O\stickypanel[1].css deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temporary Internet Files\Content.IE5\2NHOQN0O\topnav[1].png deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temporary Internet Files\Content.IE5\2NHOQN0O\uparrow[1].gif deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temporary Internet Files\Content.IE5\index.dat deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Temporary Internet Files\desktop.ini deleted successfully.
->Temporary Internet Files folder emptied: 438712 bytes
->Java cache emptied: 0 bytes
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\OfflineCache\index.sqlite deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\04D5BEA6d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\0A23820Cd01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\2B062369d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\2C672E54d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\31EAE486d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\3A11E882d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\3C65AF51d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\469811D5d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\4C704DEAd01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\532AF1B9d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\54A957B4d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\574776FAd01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\58B4A9C0d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\5E1669EDd01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\616068B8d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\61607D58d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\6584861Cd01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\6A179B14d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\6C6222F9d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\6E8EDE17d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\7149A3BCd01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\79C631ACd01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\7B38CBC7d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\7BCAA781d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\80D0F742d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\855B219Fd01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\88F66A17d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\9BD8BC0Ed01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\A9389817d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\B04A8431d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\B0BD722Ad01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\B2203646d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\B6458E89d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\B7A1000Ad01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\BC8EF547d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\C4DB4E7Ed01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\C7846F2Cd01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\CC82CEAFd01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\D264573Cd01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\DE434031d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\F03CB5E6d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\FA82A150d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\FDBE83D0d01 deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\_CACHE_001_ deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\_CACHE_002_ deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\_CACHE_003_ deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\Cache\_CACHE_MAP_ deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\urlclassifier3.sqlite deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\XPC.mfl deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\XUL.mfl deleted successfully.
->FireFox cache emptied: 56246424 bytes
C:\Documents and Settings\Mark Bruce\Application Data\Apple Computer\Safari\Bookmarks.plist deleted successfully.
C:\Documents and Settings\Mark Bruce\Application Data\Apple Computer\Safari\LastSession.plist deleted successfully.
C:\Documents and Settings\Mark Bruce\Application Data\Apple Computer\Safari\WebKitPreferences.plist deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Apple Computer\Safari\FontsList.plist deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Apple Computer\Safari\SafeBrowsing.db deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Apple Computer\Safari\WebpageIcons.db deleted successfully.
C:\Documents and Settings\Mark Bruce\Local Settings\Application Data\Apple Computer\Safari\WebpageIcons.db-journal deleted successfully.
->Apple Safari cache emptied: 188464 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YH3QJVGU\061-4609.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YH3QJVGU\061-4828.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YH3QJVGU\061-5926.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YH3QJVGU\061-6174.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YH3QJVGU\061-6235.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YH3QJVGU\061-6310.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YH3QJVGU\061-6666.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YH3QJVGU\061-6719.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YH3QJVGU\AppleMobileDeviceSupport[1].msi deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YH3QJVGU\desktop.ini deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YH3QJVGU\iTunes[1].msi deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YH3QJVGU\MobileMe[1].msi deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YH3QJVGU\QuickTime[1].msi deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YH3QJVGU\Safari[1].msi deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BGYJWEOF\061-4514.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BGYJWEOF\061-4608.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BGYJWEOF\061-4827.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BGYJWEOF\061-5790.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BGYJWEOF\061-5844.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BGYJWEOF\061-5969.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BGYJWEOF\061-6187.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BGYJWEOF\061-6202.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BGYJWEOF\061-6274.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BGYJWEOF\061-6704.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BGYJWEOF\AppleMobileDeviceSupport[1].msi deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BGYJWEOF\desktop.ini deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BGYJWEOF\iTunes[1].msi deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BGYJWEOF\Safari[1].msi deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BGYJWEOF\SetupAdmin[1].exe deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6FSVCHUF\061-3452.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6FSVCHUF\061-4512.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6FSVCHUF\061-4513.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6FSVCHUF\061-4972.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6FSVCHUF\061-5850.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6FSVCHUF\061-6107.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6FSVCHUF\061-6186.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6FSVCHUF\061-6193.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6FSVCHUF\061-6201.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6FSVCHUF\061-6273.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6FSVCHUF\061-6684.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6FSVCHUF\061-6760.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6FSVCHUF\desktop.ini deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6FSVCHUF\Safari[1].msi deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6FSVCHUF\SetupAdmin[1].exe deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\27TU3NGA\061-4200.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\27TU3NGA\061-4249.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\27TU3NGA\061-4664.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\27TU3NGA\061-5374.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\27TU3NGA\061-5849.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\27TU3NGA\061-6116.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\27TU3NGA\061-6175.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\27TU3NGA\061-6236.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\27TU3NGA\061-6667.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\27TU3NGA\061-6720.English[1].dist deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\27TU3NGA\AppleMobileDeviceSupport[2].msi deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\27TU3NGA\desktop.ini deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\27TU3NGA\QuickTime[1].msi deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\desktop.ini deleted successfully.
->Temporary Internet Files folder emptied: 262956228 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\003049_.tmp deleted successfully.
C:\WINDOWS\system.tmp deleted successfully.
C:\WINDOWS\win.tmp deleted successfully.
%systemroot% .tmp files removed: 20454 bytes
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\System32\SET1B1.tmp deleted successfully.
C:\WINDOWS\System32\SET1B2.tmp deleted successfully.
C:\WINDOWS\System32\SET1F6.tmp deleted successfully.
C:\WINDOWS\System32\SET1FB.tmp deleted successfully.
%systemroot%\System32 .tmp files removed: 3124241 bytes
C:\WINDOWS\temp\T30DebugLogFile.txt deleted successfully.
C:\WINDOWS\temp\WGAErrLog.txt deleted successfully.
C:\WINDOWS\temp\WGANotify.settings deleted successfully.
C:\WINDOWS\temp\ZLT03331.TMP deleted successfully.
C:\WINDOWS\temp\ZLT05773.TMP deleted successfully.
C:\WINDOWS\temp\ZLT05794.TMP deleted successfully.
File delete failed. C:\WINDOWS\temp\ZLT079ef.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT07a0f.TMP scheduled to be deleted on reboot.
Windows Temp folder emptied: 1732 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 325.31 mb


OTM by OldTimer - Version 3.1.0.1 log created on 11102009_211857

Files moved on Reboot...
File C:\WINDOWS\temp\ZLT079ef.TMP not found!
File C:\WINDOWS\temp\ZLT07a0f.TMP not found!

Registry entries deleted on Reboot...



Below is ComboFix.txt

ComboFix 09-11-18.06 - Mark Bruce 18/11/2009 12:41.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.358 [GMT 0:00]
Running from: c:\documents and settings\Mark Bruce\My Documents\Downloads\thcbytes.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2009-10-18 to 2009-11-18 )))))))))))))))))))))))))))))))
.

2009-11-18 12:41 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-18 12:41 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-18 09:03 . 2009-11-18 09:09 -------- d-----w- C:\ComboFix
2009-11-18 08:41 . 2009-11-18 08:41 -------- d--h--w- c:\windows\PIF
2009-11-11 10:56 . 2009-11-11 10:57 -------- d-----w- c:\program files\Cobian Backup 9
2009-11-10 21:50 . 2009-11-10 21:50 -------- d-----w- c:\documents and settings\Mark Bruce\Application Data\AVG8
2009-11-10 21:18 . 2009-11-10 21:18 -------- d-----w- C:\_OTM
2009-11-10 21:00 . 2009-11-10 21:00 -------- d-----w- c:\program files\UPHClean
2009-11-10 20:54 . 2009-11-10 20:54 -------- d-----w- c:\program files\CCleaner
2009-11-10 17:52 . 2009-11-10 17:52 -------- d-----w- c:\program files\Trend Micro
2009-11-10 10:48 . 2009-11-10 10:48 -------- d-----w- c:\documents and settings\Mark Bruce\Application Data\Malwarebytes
2009-11-10 10:48 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 10:48 . 2009-11-10 10:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-10 10:48 . 2009-11-10 10:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-10 10:48 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-09 22:03 . 2009-11-09 22:03 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-09 21:56 . 2009-11-09 21:56 -------- d-----w- c:\documents and settings\All Users\Defence

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-18 08:11 . 2008-08-28 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-10 09:40 . 2008-08-28 16:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-28 07:48 . 2008-11-22 20:37 14918422 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-10-21 10:53 . 2009-10-21 10:55 2130944 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-10-04 22:14 . 2009-10-04 22:14 22486 ----a-r- c:\documents and settings\Mark Bruce\Application Data\Microsoft\Installer\{A92BE5A9-0BFC-4D09-8DA4-D73AA99932FB}\_40E89C1E288A0A85630CDC.exe
2009-10-04 22:14 . 2009-10-04 22:14 22486 ----a-r- c:\documents and settings\Mark Bruce\Application Data\Microsoft\Installer\{A92BE5A9-0BFC-4D09-8DA4-D73AA99932FB}\_3C6817698EC48A66DE7D0F.exe
2009-10-04 22:14 . 2009-03-21 12:12 -------- d-----w- c:\program files\IE Software Auto
2009-09-11 14:18 . 2005-08-16 04:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2005-08-16 04:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 10:53 . 2009-09-10 14:24 22848 ----a-w- c:\documents and settings\Mark Bruce\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-09-03 10:53 . 2009-09-10 14:24 30912 ----a-w- c:\documents and settings\Mark Bruce\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-09-03 10:53 . 2009-09-10 14:23 19792 ----a-w- c:\documents and settings\Mark Bruce\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-08-29 08:08 . 2005-08-16 04:18 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2005-08-16 04:19 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 08:22 . 2008-11-04 21:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-25 08:22 . 2008-11-04 21:34 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-25 08:22 . 2008-11-04 21:34 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-24 08:09 . 2005-11-23 19:18 37712 ----a-w- c:\documents and settings\Mark Bruce\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-09-09 22:11 . 2008-08-28 15:30 3766304 --sha-w- c:\windows\system32\drivers\fidbox.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 202088]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Defence"="c:\documents and settings\All Users\Defence\smss.exe" [2009-11-09 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-05 2028312]
"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 202016]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2004-06-10 60928]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Mark Bruce\Start Menu\Programs\Startup\
Bandwidth Meter.lnk - c:\program files\BandwidthMeter\BandwidthMeter.exe [2007-12-9 275968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-8-28 24576]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-9 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-5-12 65588]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-11-28 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-25 08:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\supportsoft\\bin\\tgsrvc.exe"=
"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [05/07/2006 12:46 63352]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [04/11/2008 21:34 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [04/11/2008 21:34 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [19/07/2009 08:49 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [04/11/2008 21:33 297752]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [12/10/2007 09:33 202016]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\supportsoft\bin\tgsrvc.exe [02/08/2007 14:42 148768]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [16/08/2005 04:18 14336]
S3 V0260VID;Live! Cam Vista IM;c:\windows\system32\drivers\V0260Vid.sys [18/03/2007 20:11 178913]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PROCEXP113
*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-11-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2006-07-03 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4134924032.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 17:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mytalktalk.co.uk
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Mark Bruce\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\
FF - prefs.js: browser.startup.homepage - www.bbc.co.uk/news
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Mark Bruce\Application Data\Mozilla\Firefox\Profiles\74jqglan.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Entriq\MediaSphere\3.8.2.9\npEntriqMediaMozillaPlugin.dll
FF - plugin: c:\program files\Entriq\MediaSphere\3.8.2.9\npEntriqVersionCheckMozillaPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-18 12:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F9F4B0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74d6f28
\Driver\ACPI -> ACPI.sys @ 0xf7369cb8
\Driver\atapi -> 0x86f9f4b0
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1176)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-18 12:53
ComboFix-quarantined-files.txt 2009-11-18 12:53
ComboFix2.txt 2009-11-18 09:35

Pre-Run: 94,185,906,176 bytes free
Post-Run: 94,130,900,992 bytes free

- - End Of File - - 5148DA9DC59687BF7B54E9F4C147C3D6

combo fix 2 below


HKLM-Run-NWEReboot - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-18 09:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F9F4B8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74d6f28
\Driver\ACPI -> ACPI.sys @ 0xf7369cb8
\Driver\atapi -> 0x86f9f4b8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
Completion time: 2009-11-18 09:35
ComboFix-quarantined-files.txt 2009-11-18 09:35

Pre-Run: 94,201,708,544 bytes free
Post-Run: 94,192,136,192 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 8D94B72D5093C69450FC0E250B851215

combofix quarantined below:-

2009-11-18 09:34:25 . 2009-11-18 09:34:25 97 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NWEReboot.reg.dat
2009-11-18 09:30:58 . 2009-11-18 12:48:04 9,093 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-11-18 09:03:28 . 2009-11-18 12:39:54 204 ----a-w- C:\Qoobox\Quarantine\catchme.log
2006-04-25 22:46:52 . 2006-03-21 03:23:12 23,040 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\kb913800.exe.vir
2004-08-03 22:59:44 . 2008-04-13 18:40:30 96,512 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir


Thanks for your help and your very prompt responses

#11 thcbytes (Malware Response Team, 14,790 posts)

Posted 19 November 2009 - 12:28 PM

Very helpful.
Thanks! :(

2004-08-03 22:59:44 . 2008-04-13 18:40:30 96,512 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir

This was the root of the problem! The infection patched a system file.

Right click and delete your current copy of Combofix.

Re-run RKill

Download and Run ComboFix (by sUBs)

You must rename it before saving it.

Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

With your next post please provide:

* Combofix.txt
* How is your computer running?

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
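The helper's diagnosis rests on one detail of the Gmer "Stealth MBR rootkit" section in the ComboFix logs: every other hook resolves to a named driver (CLASSPNP.SYS, ACPI.sys, ntkrnlpa.exe), but \Driver\atapi points to a bare kernel address that also shows up as ">>UNKNOWN [...]<<" in the disk I/O call chain. The script below is an added example for readers who want to pull that signal out of such logs automatically; it is not code from the thread, from ComboFix or from Gmer. It parses the "called modules:" line and the "detected MBR rootkit hooks:" block and flags any hook whose target has no owning module. The sample log is constructed from the first ComboFix log posted above.

```python
"""Flag suspicious kernel hooks in a Gmer MBR-rootkit detector section.

Added example, not code from the thread, from ComboFix or from Gmer. It
parses the 'called modules:' line and the 'detected MBR rootkit hooks:'
block that ComboFix embeds in its log and reports any hook whose target is
a bare address with no owning module (the pattern seen for \\Driver\\atapi
in this thread). The sample log is constructed from the thread's first
ComboFix log.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the MBR detector section of the 2009-11-18 12:50 log.
SAMPLE_LOG = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F9F4B0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74d6f28
\Driver\ACPI -> ACPI.sys @ 0xf7369cb8
\Driver\atapi -> 0x86f9f4b0
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""

ADDR_RE = re.compile(r"0x[0-9A-Fa-f]+")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


@dataclass
class Hook:
    source: str            # hooked object, e.g. \Driver\atapi
    module: Optional[str]  # owning module, or None if the target is an unnamed address
    address: str           # target address, lower-cased


def unknown_modules(text: str) -> List[str]:
    """Addresses Gmer could not map to any loaded module in the disk I/O call chain."""
    for line in text.splitlines():
        if line.strip().startswith("called modules:"):
            return [a.lower() for a in UNKNOWN_RE.findall(line)]
    return []


def parse_hooks(text: str) -> List[Hook]:
    """Parse the 'detected MBR rootkit hooks:' block into Hook records."""
    hooks: List[Hook] = []
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("detected MBR rootkit hooks:"):
            in_block = True
            continue
        if not in_block:
            continue
        if " -> " not in line:
            break  # the first line that is not a hook ends the block
        *path, target = line.split(" -> ")
        if " @ " in target:
            module, address = target.split(" @ ", 1)
        elif ADDR_RE.fullmatch(target):
            module, address = None, target  # bare address, no named module
        else:
            continue  # unrecognised hook line; ignore rather than guess
        hooks.append(Hook(" -> ".join(path), module, address.lower()))
    return hooks


def suspicious_hooks(text: str) -> List[Tuple[str, str, str]]:
    """Return (source, address, reason) for hooks that point into unnamed memory."""
    unknown = set(unknown_modules(text))
    findings: List[Tuple[str, str, str]] = []
    for hook in parse_hooks(text):
        if hook.module is not None:
            continue  # resolved to a named driver; nothing to flag
        reason = "hook target has no owning module"
        if hook.address in unknown:
            reason += "; same address is UNKNOWN in the called-modules chain"
        findings.append((hook.source, hook.address, reason))
    return findings


if __name__ == "__main__":
    for source, address, reason in suspicious_hooks(SAMPLE_LOG):
        print(f"{source} -> {address}: {reason}")
```

Run against the thread's logs, the only unnamed hook is \Driver\atapi in every run, which is consistent with the helper's conclusion that atapi.sys itself had been patched. A "user & kernel MBR OK" line on its own does not clear the machine: the boot sector can read clean while a patched disk driver still sits in the I/O path, so the hook block is the part of this section worth checking.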

#12 mark436 (Topic Starter, Members, 37 posts)

Posted 20 November 2009 - 08:11 AM

I used my previous copy of Rkill that I had already downloaded from your earlier replies; the black screen appeared, "terminating known malware process", lasted a few seconds, then disappeared.

I deleted combo fix (renamed thcbytes.exe) from my desktop and then deleted combofix from c:/mydocuments/downloads.

But that might be my problem, as when I first click on the link to download combo fix the grey and blue box comes up to save the file, but I do not know how I can save the file straight to my desktop. Instead I save it to c:/my documents/downloads, and I then go there and make a shortcut for it to my desktop; then, when it's on the desktop, I rename it "thcbytes.exe" and run it from there.

The problem remains but I suspect it is something I am doing wrong with the above.

Regards Mark

The combofix.txt is below:-

FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-20 12:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86FCB938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74d6f28
\Driver\ACPI -> ACPI.sys @ 0xf7369cb8
\Driver\atapi -> 0x86fcb938
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1440)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-20 12:25
ComboFix-quarantined-files.txt 2009-11-20 12:25
ComboFix2.txt 2009-11-18 12:53
ComboFix3.txt 2009-11-18 09:35

Pre-Run: 93,999,763,456 bytes free
Post-Run: 93,938,860,032 bytes free

- - End Of File - - 993F7341A36CA56E671543CB2D2235AF

#13 thcbytes (Malware Response Team, 14,790 posts)

Posted 20 November 2009 - 10:57 PM

Hi there,

That Combofix log is incomplete?
Please post the entire log for my review.
c:\combofix.txt The most recent run!!!!!!!!! In its entirety.

I also want to see this file...
C:\Qoobox\ComboFix-quarantined-files.txt 2009-11-20 12:25

==========

To save anything to your desktop....

When you click to download a window opens. You can choose the location to save the file by simply selecting Desktop on the left hand column. <Your other choices are My Computer, My Network, My Recent Document & My Documents. Click on any of those tabs and your download shall be placed there!>

==========

Please do this..........

Please rerun MBAM.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
    • Update Malwarebytes' Anti-Malware <--- Important!!
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

==========

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
==========

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
==========

With your next post please provide:

* Most recent Combofix.txt
* Most recent Qoobox-quarantined.txt
* Did you figure out how to save to a location other than your default "download" folder?
* MBAM log
* DrWeb log
* OTL logs
* How is your computer running?

Kind regards,
~t

#14 mark436 (Topic Starter, Members, 37 posts)

Posted 21 November 2009 - 09:06 AM

I am running windows XP using firefox

When I download combo fix I first get that box you printed (I can not copy and paste it)

but its the box with:-

Opening Combofix.exe (in a blue border)

Then in a grey box:-

You have chosen to open
combofix.exe

which is a Application
from http://download.bleepingcomputer.com

Would you like to save this file?

Save File Cancel



I do not seem to be able to get any other options apart from the Save or Cancel

So I click “save file”

When this is done I get a message in the bottom right hand corner saying all downloads complete.

Then I get a small box, a bit bigger than the above box, saying Downloads, showing me all my downloads. I can either double left-hand click on combo fix, or by right clicking I get the following options:-

Open
Open containing folder
Copy download link
Select all
Remove from list

I thought I would query this matter before completing your other tasks (no need to repaste the other tasks as I have them all copied awaiting your instructions regarding the above)

Kind Regards

Mark

#15 thcbytes (Malware Response Team, 14,790 posts)

Posted 21 November 2009 - 09:31 AM

Thanks for the clarification.

Do this...

In Firefox....
  • Tools
  • Options
  • Main
  • Check "Show the downloads window"
  • Check "Always ask me where to save files"
  • Ok
Try to download it again. See if that helps. :(