
Infected with Trojan Horse SHeur3.AQRA


  • This topic is locked
38 replies to this topic

#1 michelle1977


Posted 03 August 2010 - 12:16 PM

Unfortunately I picked up a virus somewhere.

I've been here in the past and was assisted with great satisfaction, so I hope that you guys can help me again this time round.

While browsing I received an AVG Resident Shield pop up screen with the notification that my computer has been infected with Trojan Horse Sheur3.AQRA and also that virus Win32/Heur was found. I then ran a full computer scan where lots of infected files were found and removed. Unfortunately that didn't solve it though and now I keep getting the AVG Resident Shield screen with the list of infections.

Here are the results of the scans I did:


DDS (Ver_10-03-17.01) - FAT32x86
Run by Windows XP at 16:56:28.64 on Tue 08/03/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.163 [GMT 2:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINXP\system32\svchost -k DcomLaunch
C:\WINXP\system32\svchost -k rpcss
C:\WINXP\System32\svchost.exe -k netsvcs
C:\WINXP\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINXP\system32\svchost.exe -k NetworkService
C:\WINXP\system32\svchost.exe -k LocalService
C:\WINXP\Explorer.EXE
C:\WINXP\System32\wltrysvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINXP\System32\bcmwltry.exe
C:\WINXP\system32\LEXBCES.EXE
C:\WINXP\system32\spoolsv.exe
C:\WINXP\system32\LEXPPS.EXE
C:\WINXP\system32\svchost.exe -k LocalService
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Acer\eManager\anbmServ.exe
C:\WINXP\system32\Rundll32.exe
C:\WINXP\AGRSMMSG.exe
C:\WINXP\system32\WLTRAY.exe
C:\WINXP\V0230Mon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\WINXP\system32\ctfmon.exe
C:\Documents and Settings\Windows XP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINXP\system32\svchost.exe -k imgsvc
C:\WINXP\system32\svchost.exe -k netsvcs
svchost.exe "C:\WINXP\system32\unicodet.exe"
C:\WINXP\System32\alg.exe
C:\Documents and Settings\Windows XP\Desktop\dds.scr
C:\WINXP\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.nl/
uInternet Settings,ProxyServer = 128.59.20.227:3128
mWinlogon: Userinit=c:\winxp\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
BHO: AutorunsDisabled - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
uRun: [ctfmon.exe] c:\winxp\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\windows xp\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Broadcom Wireless Manager UI] c:\winxp\system32\WLTRAY
mRun: [V0230Mon.exe] c:\winxp\V0230Mon.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Lexmark X6100 Series] "c:\program files\lexmark x6100 series\lxbfbmgr.exe"
StartupFolder: c:\documents and settings\windows xp\start menu\programs\startup\wwwxbv32.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: lettersets.com\www
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://www.facebook.com/fbplugin/win32/axfbootloader.cab?1265851949921
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1259932181437
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.ca/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winxp\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\winxp\system32\rundll32.exe c:\winxp\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\window~1\applic~1\mozilla\firefox\profiles\r8dhtlu0.default\
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\windows xp\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\windows xp\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\windows xp\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\windows xp\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\windows xp\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winxp\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winxp\system32\drivers\avgldx86.sys [2010-3-21 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\winxp\system32\drivers\avgmfx86.sys [2010-3-21 29584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-17 308136]
S0 dbmzfukm;dbmzfukm; [x]
S0 memwn;memwn; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-16 135664]
S2 WmiRpcLocator;Windows Management Instrumentation Driver Extensions WmiRpcLocator;c:\winxp\system32\unicodet.exe srv --> c:\winxp\system32\unicodet.exe srv [?]
S2 WudfSvcHTTPFilter;Windows Driver Foundation - User-mode Driver Framework WudfSvcHTTPFilter;c:\winxp\system32\netmsgc.exe srv --> c:\winxp\system32\netmsgc.exe srv [?]
S3 V0230Vfx;V0230Vfx;c:\winxp\system32\drivers\V0230Vfx.sys [2006-3-24 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\winxp\system32\drivers\V0230VID.sys [2006-9-29 500480]

=============== Created Last 30 ================

2010-08-02 12:28:12 0 d-----w- c:\program files\Microsoft
2010-07-25 10:17:18 0 d-sh--w- C:\FOUND.023
2010-07-23 18:10:15 100 --s-a-w- c:\winxp\system32\2729286381.dat
2010-07-23 18:09:38 4 ----a-w- c:\docume~1\window~1\applic~1\avdrn.dat
2010-07-22 04:17:44 664 ----a-w- c:\winxp\system32\d3d9caps.dat
2010-07-17 06:12:54 12536 ----a-w- c:\winxp\system32\avgrsstx.dll
2010-07-13 07:32:50 0 d-----w- c:\winxp\system32\wbem\Repository

==================== Find3M ====================

2010-07-17 06:10:14 216400 ----a-w- c:\winxp\system32\drivers\avgldx86.sys
2009-01-24 18:06:40 32768 --sha-w- c:\winxp\system32\config\systemprofile\local settings\history\history.ie5\mshist012009012420090125\index.dat

============= FINISH: 16:59:25.76 ===============



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-03 17:57:20
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\uwlyypob.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntdll.dll!NtClose + 6 7C90CFF4 4 Bytes [CC, A9, 15, 00]
.text ntdll.dll!NtDeviceIoControlFile + 6 7C90D284 4 Bytes [D0, A9, 15, 00]
.text ntdll.dll!NtQueryDirectoryFile + 6 7C90D774 4 Bytes [EC, AB, 15, 00]
.text ntdll.dll!NtResumeThread + 6 7C90DB44 4 Bytes [E4, AB, 15, 00]

---- User code sections - GMER 1.0.15 ----

.text C:\WINXP\Explorer.EXE[1672] ntdll.dll!NtClose + 6 7C90CFF4 4 Bytes [CC, A9, 6D, 01]
.text C:\WINXP\Explorer.EXE[1672] ntdll.dll!NtDeviceIoControlFile + 6 7C90D284 4 Bytes [D0, A9, 6D, 01]
.text C:\WINXP\Explorer.EXE[1672] ntdll.dll!NtQueryDirectoryFile + 6 7C90D774 4 Bytes [EC, AB, 6D, 01]
.text C:\WINXP\Explorer.EXE[1672] ntdll.dll!NtResumeThread + 6 7C90DB44 4 Bytes [E4, AB, 6D, 01]
.text C:\Documents and Settings\Windows XP\Desktop\gmer\gmer.exe[3988] ntdll.dll!NtClose + 6 7C90CFF4 4 Bytes [CC, A9, 15, 00]
.text C:\Documents and Settings\Windows XP\Desktop\gmer\gmer.exe[3988] ntdll.dll!NtDeviceIoControlFile + 6 7C90D284 4 Bytes [D0, A9, 15, 00]
.text C:\Documents and Settings\Windows XP\Desktop\gmer\gmer.exe[3988] ntdll.dll!NtQueryDirectoryFile + 6 7C90D774 4 Bytes [EC, AB, 15, 00]
.text C:\Documents and Settings\Windows XP\Desktop\gmer\gmer.exe[3988] ntdll.dll!NtResumeThread + 6 7C90DB44 4 Bytes [E4, AB, 15, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Windows XP\Start Menu\Programs\Startup\ntuser_mssec.exe

---- EOF - GMER 1.0.15 ----


Thanks in advance for your help!

Michelle


Edit 8/4: I also just noticed the following text is being added to all my .htm files:

<script Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "4D5A90000300000 etc. etc.

Help! What do I do????



Edited by michelle1977, 04 August 2010 - 07:30 AM.
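As an added example (not part of this thread, and not code from the DDS tool or from BleepingComputer), here is a small Python triage script that applies the kind of checks a helper runs over a posted DDS log: a proxy set in the user's Internet Settings, an extra executable chained onto Winlogon's Userinit, an executable in the Startup folder, services whose image file is missing or could not be verified, and svchost started with a path instead of a `-k` service group. The sample lines are copied from the DDS log above; the rule names and the `triage` function are my own.

```python
import ntpath
import re
from typing import Callable, List, Optional, Tuple

# Sample lines taken from the DDS log posted earlier in this thread, plus two
# unremarkable lines (svchost -k, start page, ctfmon) so the rules have
# something to leave alone.
SAMPLE_DDS_LINES = [
    r'C:\WINXP\System32\svchost.exe -k netsvcs',
    r'svchost.exe "C:\WINXP\system32\unicodet.exe"',
    r'uStart Page = hxxp://www.google.nl/',
    r'uInternet Settings,ProxyServer = 128.59.20.227:3128',
    r'mWinlogon: Userinit=c:\winxp\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe',
    r'uRun: [ctfmon.exe] c:\winxp\system32\ctfmon.exe',
    r'StartupFolder: c:\documents and settings\windows xp\start menu\programs\startup\wwwxbv32.exe',
    r'R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winxp\system32\drivers\avgldx86.sys [2010-3-21 216400]',
    r'S0 dbmzfukm;dbmzfukm; [x]',
    r'S2 WmiRpcLocator;Windows Management Instrumentation Driver Extensions WmiRpcLocator;'
    r'c:\winxp\system32\unicodet.exe srv --> c:\winxp\system32\unicodet.exe srv [?]',
]

Finding = Tuple[str, str]  # (rule name, human-readable reason)


def check_proxy(line: str) -> Optional[str]:
    """A ProxyServer value in the user's Internet Settings routes all browser traffic elsewhere."""
    m = re.match(r'^[um]Internet Settings,ProxyServer\s*=\s*(\S+)', line)
    if m:
        return f"browser proxy configured: {m.group(1)}"
    return None


def check_userinit(line: str) -> Optional[str]:
    """Userinit should contain only userinit.exe; anything else runs at every logon."""
    m = re.match(r'^[um]Winlogon:\s*Userinit=(.*)$', line, re.IGNORECASE)
    if not m:
        return None
    entries = [e.strip() for e in m.group(1).split(',') if e.strip()]
    extra = [e for e in entries if ntpath.basename(e).lower() != 'userinit.exe']
    if extra:
        return "extra Userinit executable(s): " + "; ".join(extra)
    return None


def check_startup_folder(line: str) -> Optional[str]:
    """Any executable dropped straight into the Startup folder deserves a look."""
    m = re.match(r'^StartupFolder:\s*(.+)$', line)
    if m and m.group(1).lower().endswith('.exe'):
        return f"executable in Startup folder: {ntpath.basename(m.group(1))}"
    return None


SERVICE_RE = re.compile(r'^[RS]\d+\s+([^;]+);([^;]*);(.*)$')


def check_service(line: str) -> Optional[str]:
    """DDS marks a missing image file with [x] and an unverifiable one with [?]."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    name, _desc, rest = m.groups()
    rest = rest.strip()
    if rest.endswith('[x]'):
        return f"service {name!r} has no image file on disk (orphaned or hidden)"
    if rest.endswith('[?]'):
        return f"service {name!r} image could not be verified: {rest}"
    return None


def check_svchost(line: str) -> Optional[str]:
    """A genuine svchost is started with '-k <group>', not with a path to another exe."""
    m = re.match(r'^(?:.*\\)?svchost(?:\.exe)?\s+(.*)$', line, re.IGNORECASE)
    if not m:
        return None
    args = m.group(1).strip()
    if not args.lower().startswith('-k '):
        return f"svchost launched with unexpected argument: {args}"
    return None


RULES: List[Callable[[str], Optional[str]]] = [
    check_proxy, check_userinit, check_startup_folder, check_service, check_svchost,
]


def triage(lines: List[str]) -> List[Finding]:
    """Run every rule over every non-empty line and collect the hits in log order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        for rule in RULES:
            reason = rule(line)
            if reason:
                findings.append((rule.__name__, reason))
    return findings


if __name__ == "__main__":
    for rule_name, reason in triage(SAMPLE_DDS_LINES):
        print(f"[{rule_name}] {reason}")
```

The checks are heuristics that point a reviewer at lines worth verifying, not a verdict; a benign entry such as the AVG driver passes every rule while the six suspicious lines above are each flagged once.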




#2 etavares

    Bleepin' Remover
  • Malware Response Team

Posted 05 August 2010 - 06:23 PM

Hello, michelle1977 (topic 2).
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.
  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!



Step 1

Next, please download ComboFix from one of these locations:
IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 michelle1977

  • Topic Starter

Posted 06 August 2010 - 07:50 AM

Thanks for helping me out again etavares! I should be quicker in replying in this topic than in the other one as it's my own PC.

As I mentioned, I bought a new laptop a few days ago, but my old one got infected just before. There are still files on there that I'd like to move to my new PC, but as long as it's infected I'm afraid to touch it and don't want to risk infecting my new PC.

Here's the Combofix log:

ComboFix 10-08-05.06 - Windows XP 08/06/2010 13:46:41.3.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.156 [GMT 2:00]
Running from: c:\documents and settings\Windows XP\Desktop\etavaresCF.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Windows XP\Application Data\avdrn.dat
c:\documents and settings\Windows XP\Start Menu\Programs\Startup\wwwxbv32.exe
c:\documents and settings\Windows XP\System
c:\documents and settings\Windows XP\System\win_qs8.jqx
c:\program files\Internet Explorer\dmlconf.dat
c:\winxp\system32\2729286381.dat

.
((((((((((((((((((((((((( Files Created from 2010-07-06 to 2010-08-06 )))))))))))))))))))))))))))))))
.

2010-08-06 12:06 . 2010-08-06 12:06 32 ----a-w- c:\winxp\system32\2729286381.dat
2010-08-02 12:28 . 2010-08-02 12:28 -------- d-----w- c:\program files\Microsoft
2010-07-30 11:23 . 2010-07-30 11:24 -------- d-----w- c:\program files\FileZilla FTP Client
2010-07-25 10:17 . 2010-07-25 10:17 -------- d-----w- C:\FOUND.023
2010-07-22 04:17 . 2010-07-22 04:17 664 ----a-w- c:\winxp\system32\d3d9caps.dat
2010-07-17 06:12 . 2010-07-17 06:12 12536 ----a-w- c:\winxp\system32\avgrsstx.dll
2010-07-13 07:32 . 2010-07-13 07:32 -------- d-----w- c:\winxp\system32\wbem\Repository
2010-07-13 07:31 . 2010-07-13 07:31 -------- d-----w- c:\documents and settings\Windows XP\Local Settings\Application Data\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-24 04:47 . 2010-07-24 04:47 12 ----a-w- c:\winxp\system32\config\systemprofile\Application Data\vdnxlf.dat
2010-07-23 18:09 . 2010-07-23 18:09 12 ----a-w- c:\documents and settings\NetworkService\Application Data\vdnxlf.dat
2010-07-21 06:16 . 2010-07-21 06:16 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-07-17 06:13 . 2010-07-17 06:13 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-07-17 06:10 . 2010-03-21 17:18 216400 ----a-w- c:\winxp\system32\drivers\avgldx86.sys
2010-07-17 06:09 . 2010-07-17 06:09 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-07-17 06:09 . 2010-07-17 06:09 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-07-17 06:09 . 2010-07-17 06:09 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-07-17 06:09 . 2010-07-17 06:09 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-07-04 05:14 . 2010-07-04 05:14 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-15 13:08 . 2010-06-15 13:07 0 ----a-w- c:\winxp\nsreg.dat
2010-06-11 14:51 . 2010-06-11 14:51 3055600 ----a-w- c:\documents and settings\Windows XP\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 14:36 . 2010-06-11 14:36 275952 ----a-w- c:\documents and settings\Windows XP\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-06-02 17:46 . 2010-03-21 17:18 29584 ----a-w- c:\winxp\system32\drivers\avgmfx86.sys
2010-05-08 13:25 . 2010-02-11 07:34 50354 ----a-w- c:\documents and settings\Windows XP\Application Data\Facebook\uninstall.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Windows XP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]
"ctfmon.exe"="c:\winxp\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\winxp\system32\WLTRAY" [X]
"SiSPower"="SiSPower.dll" [2005-02-25 49152]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 88363]
"V0230Mon.exe"="c:\winxp\V0230Mon.exe" [2006-09-06 32768]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-17 2065760]
"Lexmark X6100 Series"="c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-09-23 57344]

c:\documents and settings\Windows XP\Start Menu\Programs\Startup\
ntuser_mssec.exe [2008-4-13 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-17 06:12 12536 ----a-w- c:\winxp\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Windows XP\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\FileZilla-3.1.2\\filezilla.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winxp\system32\drivers\avgldx86.sys [3/21/2010 7:18 PM 216400]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/17/2010 8:12 AM 308136]
S0 dbmzfukm;dbmzfukm; [x]
S0 memwn;memwn; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/16/2009 11:21 AM 135664]
S2 WmiRpcLocator;Windows Management Instrumentation Driver Extensions WmiRpcLocator;c:\winxp\system32\unicodet.exe srv --> c:\winxp\system32\unicodet.exe srv [?]
S2 WudfSvcHTTPFilter;Windows Driver Foundation - User-mode Driver Framework WudfSvcHTTPFilter;c:\winxp\system32\netmsgc.exe srv --> c:\winxp\system32\netmsgc.exe srv [?]
S3 V0230Vfx;V0230Vfx;c:\winxp\system32\drivers\V0230Vfx.sys [3/24/2006 1:00 AM 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\winxp\system32\drivers\V0230VID.sys [9/29/2006 1:01 AM 500480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2010-01-05 16:00 124928 ----a-w- c:\winxp\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-03-18 c:\winxp\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-16 09:21]

2010-03-18 c:\winxp\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-16 09:21]

2010-07-15 c:\winxp\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1979792683-682003330-1003Core1cb141e20873f60.job
- c:\documents and settings\Windows XP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-17 07:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.nl/
uInternet Settings,ProxyServer = 128.59.20.227:3128
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: lettersets.com\www
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://www.facebook.com/fbplugin/win32/axfbootloader.cab?1265851949921
FF - ProfilePath - c:\documents and settings\Windows XP\Application Data\Mozilla\Firefox\Profiles\r8dhtlu0.default\
FF - plugin: c:\documents and settings\Windows XP\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Windows XP\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Windows XP\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winxp\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-InstallShield_{827289F5-B44F-4E49-9993-840741585A62} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-06 14:08
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\winxp\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2808)
c:\winxp\system32\WININET.dll
c:\winxp\system32\IEFRAME.dll
c:\winxp\system32\mshtml.dll
c:\winxp\system32\WPDShServiceObj.dll
c:\winxp\system32\PortableDeviceTypes.dll
c:\winxp\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\winxp\System32\wltrysvc.exe
c:\winxp\System32\bcmwltry.exe
c:\winxp\system32\LEXBCES.EXE
c:\winxp\system32\LEXPPS.EXE
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\acer\eManager\anbmServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\winxp\system32\Rundll32.exe
c:\winxp\AGRSMMSG.exe
c:\winxp\system32\WLTRAY.exe
c:\program files\Lexmark X6100 Series\lxbfbmon.exe
.
**************************************************************************
.
Completion time: 2010-08-06 14:12:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-06 12:12
ComboFix2.txt 2010-03-18 11:37

Pre-Run: 1,336,442,880 bytes free
Post-Run: 3,027,075,072 bytes free

- - End Of File - - C26A13989E5F3E939C821F1E4B85F8B9

Hope you can make something of it!

#4 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 07 August 2010 - 06:50 AM

Hello, michelle1977 (topic 2).

Ok, your DDS log showed Windows trying to replace these files. Let's take a look.


Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the Jotti page has finished loading, click the Browse button, navigate to each of the following files and click Submit.

c:\program files\movie maker\moviemk.exe
c:\program files\outlook express\msoe.dll
c:\program files\windows media player\mpvis.dll
c:\program files\windows media player\wmplayer.exe
c:\program files\windows nt\accessories\wordpad.exe


Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#5 michelle1977 (Topic Starter, Members, 129 posts, Location: The Netherlands)

Posted 07 August 2010 - 11:07 AM

Filename: moviemk.exe
Status: Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Sat 7 Aug 2010 17:59:56 (CET) Permalink

Filename: msoe.dll
Status: Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Sat 7 Aug 2010 17:14:20 (CET) Permalink

Filename: mpvis.dll
Status: Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Sat 7 Aug 2010 18:03:02 (CET) Permalink

Filename: wmplayer.exe
Status: Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Sat 7 Aug 2010 18:04:55 (CET) Permalink

Filename: wordpad.exe
Status: Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Sat 7 Aug 2010 17:18:33 (CET) Permalink

Some files reported that they had been scanned before, so I chose to scan again.

Nothing found - that's good, right?

#6 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 07 August 2010 - 11:17 AM

Hello, michelle1977 (topic 2).

Yes, that's good. The logs showed they had been restored by Windows. Now, time to move forward.



Step 1

Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
http://www.bleepingcomputer.com/forums/t/336927/infected-with-trojan-horse-sheur3aqra/

Collect::
c:\winxp\system32\config\systemprofile\Application Data\vdnxlf.dat
c:\documents and settings\NetworkService\Application Data\vdnxlf.dat
C:\WINXP\system32\unicodet.exe
c:\documents and settings\Windows XP\Start Menu\Programs\Startup\ntuser_mssec.exe
c:\program files\microsoft\desktoplayer.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
Driver::
dbmzfukm
memwn


Save this as CFScript.txt





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.



Step 2

Please download MBRCheck by ad_13 and save it to your desktop.

Double-click to run. A window will pop up. If it says 'non-standard' or 'infected' MBR code detected, please type 3 for Exit for now and press Enter.

It will save a logfile on your desktop that starts with MBR, then has the date, etc. Please copy and paste the contents of that log in your reply.



Step 3

Download and run HAMeb_check.exe
Post the contents of the resulting log.

etavares


 


#7 michelle1977 (Topic Starter, Members, 129 posts, Location: The Netherlands)

Posted 08 August 2010 - 03:36 PM

Okay, here goes:

ComboFix 10-08-07.02 - Windows XP 08/08/2010 18:58:10.4.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.115 [GMT 2:00]
Running from: c:\documents and settings\Windows XP\Desktop\etavaresCF.exe
Command switches used :: c:\documents and settings\Windows XP\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\documents and settings\NetworkService\Application Data\vdnxlf.dat
file zipped: c:\documents and settings\Windows XP\Start Menu\Programs\Startup\ntuser_mssec.exe
file zipped: c:\winxp\system32\config\systemprofile\Application Data\vdnxlf.dat
file zipped: c:\winxp\system32\unicodet.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Application Data\vdnxlf.dat
c:\winxp\system32\2729286381.dat
c:\winxp\system32\config\systemprofile\Application Data\vdnxlf.dat
c:\winxp\system32\unicodet.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WUDFSVCHTTPFILTER
-------\Service_dbmzfukm
-------\Service_memwn
-------\Service_WudfSvcHTTPFilter
-------\Legacy_WmiRpcLocator
-------\Service_WmiRpcLocator


((((((((((((((((((((((((( Files Created from 2010-07-08 to 2010-08-08 )))))))))))))))))))))))))))))))
.

2010-08-02 12:28 . 2010-08-02 12:28 -------- d-----w- c:\program files\Microsoft
2010-07-30 11:23 . 2010-07-30 11:24 -------- d-----w- c:\program files\FileZilla FTP Client
2010-07-25 10:17 . 2010-07-25 10:17 -------- d-----w- C:\FOUND.023
2010-07-22 04:17 . 2010-07-22 04:17 664 ----a-w- c:\winxp\system32\d3d9caps.dat
2010-07-21 06:16 . 2010-07-21 06:16 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-07-17 06:13 . 2010-07-17 06:13 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-07-17 06:12 . 2010-07-17 06:12 12536 ----a-w- c:\winxp\system32\avgrsstx.dll
2010-07-17 06:09 . 2010-07-17 06:09 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-07-17 06:09 . 2010-07-17 06:09 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-07-17 06:09 . 2010-07-17 06:09 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-07-17 06:09 . 2010-07-17 06:09 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-07-13 07:32 . 2010-07-13 07:32 -------- d-----w- c:\winxp\system32\wbem\Repository
2010-07-13 07:31 . 2010-07-13 07:31 -------- d-----w- c:\documents and settings\Windows XP\Local Settings\Application Data\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-17 06:10 . 2010-03-21 17:18 216400 ----a-w- c:\winxp\system32\drivers\avgldx86.sys
2010-07-04 05:14 . 2010-07-04 05:14 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-15 13:08 . 2010-06-15 13:07 0 ----a-w- c:\winxp\nsreg.dat
2010-06-11 14:51 . 2010-06-11 14:51 3055600 ----a-w- c:\documents and settings\Windows XP\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 14:36 . 2010-06-11 14:36 275952 ----a-w- c:\documents and settings\Windows XP\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-06-02 17:46 . 2010-03-21 17:18 29584 ----a-w- c:\winxp\system32\drivers\avgmfx86.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-08-06_12.06.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-08 20:16 . 2010-08-08 20:16 16384 c:\winxp\Temp\Perflib_Perfdata_70c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Windows XP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]
"ctfmon.exe"="c:\winxp\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\winxp\system32\WLTRAY" [X]
"SiSPower"="SiSPower.dll" [2005-02-25 49152]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 88363]
"V0230Mon.exe"="c:\winxp\V0230Mon.exe" [2006-09-06 32768]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-17 2065760]
"Lexmark X6100 Series"="c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-09-23 57344]

c:\documents and settings\Windows XP\Start Menu\Programs\Startup\
ntuser_mssec.exe [2008-4-13 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-17 06:12 12536 ----a-w- c:\winxp\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Windows XP\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\FileZilla-3.1.2\\filezilla.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winxp\system32\drivers\avgldx86.sys [3/21/2010 7:18 PM 216400]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/17/2010 8:12 AM 308136]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/16/2009 11:21 AM 135664]
S3 V0230Vfx;V0230Vfx;c:\winxp\system32\drivers\V0230Vfx.sys [3/24/2006 1:00 AM 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\winxp\system32\drivers\V0230VID.sys [9/29/2006 1:01 AM 500480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2010-01-05 16:00 124928 ----a-w- c:\winxp\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-03-18 c:\winxp\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-16 09:21]

2010-03-18 c:\winxp\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-16 09:21]

2010-07-15 c:\winxp\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1979792683-682003330-1003Core1cb141e20873f60.job
- c:\documents and settings\Windows XP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-17 07:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.nl/
uInternet Settings,ProxyServer = 128.59.20.227:3128
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: lettersets.com\www
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://www.facebook.com/fbplugin/win32/axfbootloader.cab?1265851949921
FF - ProfilePath - c:\documents and settings\Windows XP\Application Data\Mozilla\Firefox\Profiles\r8dhtlu0.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winxp\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-08 22:18
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\winxp\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3528)
c:\winxp\system32\WININET.dll
c:\winxp\system32\IEFRAME.dll
c:\winxp\system32\mshtml.dll
c:\winxp\system32\WPDShServiceObj.dll
c:\winxp\system32\PortableDeviceTypes.dll
c:\winxp\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\winxp\System32\wltrysvc.exe
c:\winxp\System32\bcmwltry.exe
c:\winxp\system32\LEXBCES.EXE
c:\winxp\system32\LEXPPS.EXE
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\acer\eManager\anbmServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\winxp\system32\wscntfy.exe
c:\winxp\system32\Rundll32.exe
c:\winxp\AGRSMMSG.exe
c:\winxp\system32\WLTRAY.exe
c:\program files\Lexmark X6100 Series\lxbfbmon.exe
.
**************************************************************************
.
Completion time: 2010-08-08 22:22:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-08 20:22
ComboFix2.txt 2010-08-06 12:12
ComboFix3.txt 2010-03-18 11:37

Pre-Run: 2,966,224,896 bytes free
Post-Run: 2,880,045,056 bytes free

- - End Of File - - 1BC7D1300A954EB6EF769132F43D2F39
Upload was successful


MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 119):
0x804D7000 \WINXP\system32\ntkrnlpa.exe
0x806D0000 \WINXP\system32\hal.dll
0xF7B64000 \WINXP\system32\KDCOM.DLL
0xF7A74000 \WINXP\system32\BOOTVID.dll
0xF7535000 ACPI.sys
0xF7B66000 \WINXP\system32\DRIVERS\WMILIB.SYS
0xF7524000 pci.sys
0xF7664000 isapnp.sys
0xF7A78000 compbatt.sys
0xF7A7C000 \WINXP\system32\DRIVERS\BATTC.SYS
0xF7C2C000 pciide.sys
0xF78E4000 \WINXP\system32\DRIVERS\PCIIDEX.SYS
0xF7506000 pcmcia.sys
0xF7674000 MountMgr.sys
0xF74E7000 ftdisk.sys
0xF7B68000 dmload.sys
0xF74C1000 dmio.sys
0xF7A80000 ACPIEC.sys
0xF7C2D000 \WINXP\system32\DRIVERS\OPRGHDLR.SYS
0xF78EC000 PartMgr.sys
0xF7684000 VolSnap.sys
0xF74A9000 atapi.sys
0xF7694000 disk.sys
0xF76A4000 \WINXP\system32\DRIVERS\CLASSPNP.SYS
0xF7489000 fltmgr.sys
0xF7477000 sr.sys
0xF76B4000 PxHelp20.sys
0xF7453000 Fastfat.sys
0xF743C000 KSecDD.sys
0xF7429000 WudfPf.sys
0xF73FC000 NDIS.sys
0xF76C4000 SISAGPX.sys
0xF73E2000 Mup.sys
0xF76D4000 gagp30kx.sys
0xF7894000 \SystemRoot\system32\DRIVERS\processr.sys
0xF734A000 \SystemRoot\system32\DRIVERS\sisgrp.sys
0xF7336000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF78A4000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7A64000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7A6C000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF78B4000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF78C4000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF78D4000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF7313000 \SystemRoot\system32\DRIVERS\ks.sys
0xF71DC000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xF7904000 \SystemRoot\System32\Drivers\Modem.SYS
0xF6E15000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xF6DF1000 \SystemRoot\system32\drivers\portcls.sys
0xF76F4000 \SystemRoot\system32\drivers\drmk.sys
0xF790C000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF6DCD000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7914000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF791C000 \SystemRoot\system32\DRIVERS\sisnicxp.sys
0xF6D72000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xF7B28000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF7B7C000 \SystemRoot\system32\DRIVERS\serscan.sys
0xF7D78000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7704000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7B2C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6D5B000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7714000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7724000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7924000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6D22000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7734000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF79AC000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7A14000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF2B91000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7794000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7BE8000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF2B33000 \SystemRoot\system32\DRIVERS\update.sys
0xF7399000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF77A4000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF6838000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7BEC000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7BEE000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7DA2000 \SystemRoot\System32\Drivers\Null.SYS
0xF7BF0000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7A3C000 \SystemRoot\System32\drivers\vga.sys
0xF7BF2000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7BF4000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF79D4000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7A34000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF2BE1000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB5ECD000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB5E74000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB5E4C000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB5E2A000 \SystemRoot\System32\drivers\afd.sys
0xF5B12000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF2BD9000 \SystemRoot\system32\DRIVERS\srvkp.sys
0xB5DFF000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB5D8F000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF5B02000 \SystemRoot\System32\Drivers\Fips.SYS
0xB5D69000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF5AF2000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF794C000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xB5D35000 \SystemRoot\System32\Drivers\avgldx86.sys
0xF5AD2000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB5D1D000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7C12000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF5690000 \SystemRoot\System32\drivers\Dxapi.sys
0xF793C000 \SystemRoot\System32\watchdog.sys
0xBF9C4000 \SystemRoot\System32\drivers\dxg.sys
0xF7D2B000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF9D6000 \SystemRoot\System32\SiSGRV.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB3F89000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xF6D43000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB3DCC000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB3BD7000 \SystemRoot\system32\drivers\wdmaud.sys
0xB3D14000 \SystemRoot\system32\drivers\sysaudio.sys
0xB38B0000 \SystemRoot\system32\DRIVERS\srv.sys
0xF4681000 \??\C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\mbr.sys
0xB3187000 \SystemRoot\System32\Drivers\HTTP.sys
0xF795C000 \??\C:\etavaresCF\catchme.sys
0xF7BA2000 \??\C:\WINXP\system32\Drivers\PROCEXP113.SYS
0xB3134000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINXP\System32\ntdll.dll

Processes (total 46):
0 System Idle Process
4 System
608 C:\WINXP\System32\SMSS.EXE
680 csrss.exe
704 C:\WINXP\System32\winlogon.exe
748 C:\WINXP\System32\services.exe
760 C:\WINXP\System32\lsass.exe
904 C:\WINXP\System32\svchost.exe
1000 svchost.exe
1040 C:\WINXP\System32\svchost.exe
1076 C:\WINXP\System32\svchost.exe
1108 C:\Program Files\AVG\AVG9\avgchsvx.exe
1116 C:\Program Files\AVG\AVG9\avgrsx.exe
1208 svchost.exe
1284 svchost.exe
1440 C:\Program Files\AVG\AVG9\avgcsrvx.exe
1524 C:\WINXP\System32\WLTRYSVC.EXE
1536 C:\WINXP\System32\BCMWLTRY.EXE
1596 C:\WINXP\System32\LEXBCES.EXE
1632 C:\WINXP\System32\LEXPPS.EXE
1648 C:\WINXP\System32\SPOOLSV.EXE
1916 svchost.exe
2040 C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
176 C:\Acer\eManager\anbmServ.exe
1216 C:\Program Files\AVG\AVG9\AVGWDSVC.EXE
1804 C:\Program Files\Java\JRE6\BIN\JQS.EXE
1096 C:\WINXP\System32\svchost.exe
1948 C:\WINXP\System32\svchost.exe
2000 C:\WINXP\System32\svchost.exe
404 C:\Program Files\Google\Update\GoogleUpdate.exe
2560 ALG.EXE
2864 C:\WINXP\System32\wscntfy.exe
3952 C:\WINXP\System32\RUNDLL32.EXE
3960 C:\WINXP\AGRSMMSG.EXE
3968 C:\WINXP\System32\WLTRAY.EXE
4016 C:\WINXP\V0230Mon.exe
4024 C:\Program Files\AVG\AVG9\AVGTRAY.EXE
2128 C:\Program Files\Lexmark X6100 Series\LXBFBMGR.EXE
2152 C:\Documents and Settings\Windows XP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
2532 C:\Program Files\Lexmark X6100 Series\LXBFBMON.EXE
972 C:\WINXP\System32\CTFMON.EXE
3104 C:\WINXP\System32\svchost.exe
3528 C:\WINXP\EXPLORER.EXE
3212 C:\WINXP\System32\notepad.exe
4072 C:\Program Files\Internet Explorer\IEXPLORE.EXE
3292 C:\Documents and Settings\Windows XP\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: HTS424040M9AT00, Rev: MA2OA71A

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!


C:\Documents and Settings\Windows XP\Desktop\HAMeb_check.exe
Sun 08/08/2010 at 22:33:05.28

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~


#8 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 08 August 2010 - 08:26 PM

Hello, michelle1977 (topic 2).


Trusted Zone Warning

Having trusted sites may not be a good idea. The reason why I say it's not a good idea is because the security settings for the Internet are not extremely high, and once you put a site in your trusted zone, basically almost anyone or anything, including hackers or other malicious software, has full access to that site, which can lead to hijacking that site and may even give access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites into the trusted zone. If you're not sure, and/or you do not need these in your trusted zone to facilitate access or you did not knowingly permit this access yourself, then please remove those sites from your trusted zone.

They can be accessed in Internet Explorer via Tools>>Internet Options>>Security>>Trusted Zone>>Sites. Remove if there are any there.



Step 1


Do you see this file? You may need to enable "show hidden files" in Folder Options first. I can provide more information on that if you need me to.

c:\documents and settings\Windows XP\Start Menu\Programs\Startup\ntuser_mssec.exe

If you see it, please delete it. Do not run it, just delete it.



Step 2


There is a proxy set up for Columbia University....I assume that's legitimate? I just want to confirm.

etavares


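The items etavares raises in this post (a site in the Trusted Zone, the proxy server in the "uInternet Settings,ProxyServer" line, an executable listed under a Startup folder) can be pulled out of a DDS-style log mechanically instead of by eye. The script below is an added example written for this thread, not code from DDS, ComboFix or BleepingComputer. It parses a few constructed lines modelled on the log format above and returns those review items, plus a check that the Winlogon Userinit value references nothing but userinit.exe under the machine's system root, which is assumed to be c:\winxp because that is the path seen throughout the logs here. The sample Userinit value, the function names and the `triage` output format are my own choices.

```python
"""Log-triage helper for DDS / ComboFix style lines, as posted in this thread.

Added example: not part of the thread and not code from the DDS, ComboFix or
BleepingComputer tools. It reads constructed sample lines modelled on the
'Supplementary Scan' and 'Reg Loading Points' sections and returns the items a
helper would ask the poster about.
"""
import re

# The system root on the machine in this thread is C:\WINXP (see the paths in
# the logs), not the usual C:\Windows; the Userinit check uses it as default.
DEFAULT_SYSTEM_ROOT = r"c:\winxp"

# Constructed sample lines modelled on the log format in this thread; not a
# real log. The Userinit value is a constructed clean (default) value.
SAMPLE_LINES = [
    "uStart Page = hxxp://www.google.nl/",
    "uInternet Settings,ProxyServer = 128.59.20.227:3128",
    r"IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000",
    r"Trusted Zone: lettersets.com\www",
    "",
    "c:\\documents and settings\\Windows XP\\Start Menu\\Programs\\Startup\\",
    "ntuser_mssec.exe [2008-4-13 81920]",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]",
    r'"Userinit"="c:\\winxp\\system32\\userinit.exe,"',
]

PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(\S+)", re.I)
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(\S+)", re.I)
STARTUP_DIR_RE = re.compile(r"\\Startup\\\s*$", re.I)      # folder line
STARTUP_ENTRY_RE = re.compile(r"^(\S+)\s+\[")               # 'name [date size]'
USERINIT_RE = re.compile(r'^"Userinit"="(.*)"\s*$', re.I)   # regedit syntax


def proxy_server(lines):
    """Return the ProxyServer value ('host:port'), or None when no proxy is set."""
    for line in lines:
        m = PROXY_RE.match(line)
        if m:
            return m.group(1)
    return None


def trusted_zone_sites(lines):
    """Return every site DDS lists in the IE Trusted Zone."""
    sites = []
    for line in lines:
        m = TRUSTED_RE.match(line)
        if m:
            sites.append(m.group(1))
    return sites


def startup_folder_entries(lines):
    """Return (folder, filename) for each file DDS lists under a Startup folder.

    DDS prints the folder path on its own line, then one line per file until
    the next blank line, so the parser tracks the current folder.
    """
    entries, folder = [], None
    for line in lines:
        if STARTUP_DIR_RE.search(line):
            folder = line.strip()
            continue
        if not line.strip():
            folder = None
            continue
        m = STARTUP_ENTRY_RE.match(line)
        if folder and m:
            entries.append((folder, m.group(1)))
    return entries


def unexpected_userinit(lines, system_root=DEFAULT_SYSTEM_ROOT):
    """Return Userinit entries other than <system_root>\\system32\\userinit.exe.

    The value is a comma-separated list written in regedit syntax (backslashes
    doubled). Malware commonly appends its own executable to it, so every entry
    beyond the expected path is returned for review; [] means default or absent.
    """
    expected = (system_root + r"\system32\userinit.exe").lower()
    for line in lines:
        m = USERINIT_RE.match(line)
        if not m:
            continue
        raw = m.group(1).replace("\\\\", "\\")
        parts = [p.strip() for p in raw.split(",") if p.strip()]
        return [p for p in parts if p.lower() != expected]
    return []


def triage(lines, system_root=DEFAULT_SYSTEM_ROOT):
    """Collect review items as (kind, detail) tuples in log order of importance."""
    findings = []
    proxy = proxy_server(lines)
    if proxy:
        findings.append(("proxy", proxy))
    for site in trusted_zone_sites(lines):
        findings.append(("trusted_zone", site))
    for folder, name in startup_folder_entries(lines):
        findings.append(("startup", folder + name))
    for entry in unexpected_userinit(lines, system_root):
        findings.append(("userinit", entry))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LINES):
        print(f"{kind:13} {detail}")
```

Run as a script it prints one line per finding. The proxy is reported for review rather than judged good or bad, which is how the thread handles it too: a proxy can be perfectly legitimate, so the owner is asked to confirm it before anything is removed. Feed the script a real DDS log by reading it into a list of lines; the parsers only look at the line prefixes DDS uses, so unrelated lines are ignored.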
 


#9 michelle1977 (Topic Starter, Members, 129 posts, Location: The Netherlands)

Posted 09 August 2010 - 01:36 AM

Hi etavares,

There was one website in my trusted zone and it was my own (lettersets.com). Not sure why I ever put that in there, but I removed it, so that folder is empty now.

I don't see any files in the c:\documents and settings\Windows XP\Start Menu\Programs\Startup\ folder (I have View All Hidden Files selected).

I know nothing about a proxy for Columbia so I'm assuming that's not legit. I bought this laptop secondhand in Canada 2 years ago but as far as I know everything was set back to its factory settings so it couldn't be stemming from that time.

That sounds scary though, could somebody be accessing my computer that way?

Michelle

#10 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 09 August 2010 - 06:07 PM

Hello, michelle1977 (topic 2).

No, this is likely a legitimate proxy, but we'll remove it. Proxies serve many legitimate purposes, but this isn't directing to a known bad server.

Download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    CODE
    :filefind
    ntuser_mssec.exe
  • Please confirm everything is copied and pasted as I have provided above
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.


Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.


etavares


 


#11 michelle1977 (Topic Starter, Members, 129 posts, Location: The Netherlands)

Posted 10 August 2010 - 01:30 AM

Here's the result:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 08:16 on 10/08/2010 by Windows XP (Administrator - Elevation successful)

========== filefind ==========

Searching for "ntuser_mssec.exe"
No files found.

-=End Of File=-

Good, right? I remember something with ntuser_ coming up when I did the initial AVG scans after discovering the infection.

Michelle

#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:03:20 AM

Posted 11 August 2010 - 05:56 PM


Probably good...please post an updated DDS log.




#13 michelle1977

michelle1977
  • Topic Starter

  • Members
  • 129 posts
  • Gender:Female
  • Location:The Netherlands
  • Local time:08:20 AM

Posted 12 August 2010 - 12:07 PM

Here's the new DDS log:


DDS (Ver_10-03-17.01) - FAT32x86
Run by Windows XP at 18:59:05.21 on Thu 08/12/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.74 [GMT 2:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINXP\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINXP\System32\svchost.exe -k netsvcs
C:\WINXP\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
SVCHOST.EXE
SVCHOST.EXE
C:\WINXP\Explorer.EXE
C:\WINXP\System32\wltrysvc.exe
C:\WINXP\System32\bcmwltry.exe
C:\WINXP\system32\LEXBCES.EXE
C:\WINXP\system32\spoolsv.exe
C:\WINXP\system32\LEXPPS.EXE
SVCHOST.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINXP\System32\svchost.exe -k HPZ12
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINXP\System32\svchost.exe -k HPZ12
C:\WINXP\system32\svchost.exe -k imgsvc
C:\WINXP\system32\wscntfy.exe
C:\WINXP\system32\Rundll32.exe
C:\WINXP\AGRSMMSG.exe
C:\WINXP\system32\WLTRAY.exe
C:\WINXP\V0230Mon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Documents and Settings\Windows XP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\WINXP\system32\ctfmon.exe
C:\WINXP\system32\svchost.exe -k netsvcs
C:\Documents and Settings\Windows XP\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.nl/
uInternet Settings,ProxyServer = 128.59.20.227:3128
BHO: AutorunsDisabled - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
uRun: [Google Update] "c:\documents and settings\windows xp\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\winxp\system32\ctfmon.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Broadcom Wireless Manager UI] c:\winxp\system32\WLTRAY
mRun: [V0230Mon.exe] c:\winxp\V0230Mon.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Lexmark X6100 Series] "c:\program files\lexmark x6100 series\lxbfbmgr.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://www.facebook.com/fbplugin/win32/axfbootloader.cab?1265851949921
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1259932181437
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.ca/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winxp\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\winxp\system32\rundll32.exe c:\winxp\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\window~1\applic~1\mozilla\firefox\profiles\r8dhtlu0.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winxp\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winxp\system32\drivers\avgldx86.sys [2010-3-21 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\winxp\system32\drivers\avgmfx86.sys [2010-3-21 29584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-17 308136]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-16 135664]
S3 V0230Vfx;V0230Vfx;c:\winxp\system32\drivers\V0230Vfx.sys [2006-3-24 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\winxp\system32\drivers\V0230VID.sys [2006-9-29 500480]

=============== Created Last 30 ================

2010-08-06 11:39:55 77312 ----a-w- c:\winxp\MBR.exe
2010-08-06 11:39:55 256512 ----a-w- c:\winxp\PEV.exe
2010-08-06 11:39:55 161792 ----a-w- c:\winxp\SWREG.exe
2010-08-06 11:39:54 98816 ----a-w- c:\winxp\sed.exe
2010-08-02 12:28:12 0 d-----w- c:\program files\Microsoft
2010-07-25 10:17:18 0 d-----w- C:\FOUND.023
2010-07-22 04:17:44 664 ----a-w- c:\winxp\system32\d3d9caps.dat
2010-07-17 06:12:54 12536 ----a-w- c:\winxp\system32\avgrsstx.dll

==================== Find3M ====================

2010-07-17 06:10:14 216400 ----a-w- c:\winxp\system32\drivers\avgldx86.sys
2009-01-24 18:06:40 32768 --sha-w- c:\winxp\system32\config\systemprofile\local settings\history\history.ie5\mshist012009012420090125\index.dat

============= FINISH: 19:00:44.09 ===============


Just out of curiosity, why is there such a long list of Firefox/Mozilla stuff?


Michelle

#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:03:20 AM

Posted 12 August 2010 - 05:41 PM

Hello, michelle1977 (topic 2).

The FF section is long since you've modified your preferences from the default. No worries. Looking better too. How is it running?



Step 1

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 21 and save it to your desktop.
  • Scroll down to where it says "JDK 6 Update 21 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version.



Step 2

Your Adobe Reader software is out of date and has known security holes. Please launch it, go to Help --> Check for Updates and let it update the main program if needed. Updating the languages and/or dictionaries is optional.



Step 3

Please pull anything out of the recycle bin that you want to save. Part of this fix will empty temp files, and that does include the recycle bin.

Please download TFC by OldTimer and save it to your desktop.
alternate download link

  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista or Windows 7, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.




Step 4

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push



Step 5

We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Select "Use Safelist" under "Extra Registry"
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

etavares




#15 michelle1977

michelle1977
  • Topic Starter

  • Members
  • 129 posts
  • Gender:Female
  • Location:The Netherlands
  • Local time:08:20 AM

Posted 13 August 2010 - 01:21 PM

Hi etavares,

Unfortunately I only succeeded in doing 2 of the 5 steps.

Step 1 - I wasn't able to update Java. I tried to de-install the old version using the Add/Remove Programs. It gave the following error: "Fatal Error During Installation". I then clicked the .exe file on the desktop to see if it might overwrite the old version, but that gave the error message "The wizard was interrupted before it could be completely installed".

Step 2 - Where do I find the Adobe Reader? It's not in my programs folder under "Adobe". I found the Reader 9.0 folder but am unsure which file to click on. I tried a couple of the .exe files, but for instance got the message "This application has failed to start because AGM.dll was not found".

Step 3 - TFC by OldTimer ran without issues.

Step 4 - ESET. When I click the "Online Scanner" button and allow the ActiveX it takes a while and then a small red cross appears in the upper right corner. As if an image cannot be displayed. Nothing happens after that.

Step 5 - OTL results here:

OTL logfile created on: 8/13/2010 5:49:00 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Windows XP\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

446.00 Mb Total Physical Memory | 57.00 Mb Available Physical Memory | 13.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 61.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINXP | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 2.79 Gb Free Space | 7.49% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WINDOWSXP
Current User Name: Windows XP
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/13 17:48:32 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Windows XP\Desktop\OTL.exe
PRC - [2010/07/17 08:13:12 | 002,065,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/07/17 08:12:58 | 000,515,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/07/17 08:12:52 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/07/17 08:10:14 | 000,723,296 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/07/17 08:10:04 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2008/04/13 20:12:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINXP\explorer.exe
PRC - [2006/09/14 07:56:06 | 000,102,400 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
PRC - [2006/09/07 01:01:00 | 000,032,768 | ---- | M] (Creative Technology Ltd.) -- C:\WINXP\V0230Mon.exe
PRC - [2004/08/16 15:17:20 | 001,287,168 | ---- | M] (OSA Technologies Inc.) -- C:\Acer\eManager\anbmServ.exe
PRC - [2003/09/23 02:20:02 | 000,049,152 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
PRC - [2003/09/23 02:01:40 | 000,057,344 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe


========== Modules (SafeList) ==========

MOD - [2010/08/13 17:48:32 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Windows XP\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINXP\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - File not found [Disabled | Stopped] -- C:\WINXP\System32\hidserv.dll -- (HidServ)
SRV - [2010/07/17 08:12:52 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2006/09/14 07:56:06 | 000,102,400 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor5.0)
SRV - [2004/08/16 15:17:20 | 001,287,168 | ---- | M] (OSA Technologies Inc.) [Auto | Running] -- C:\Acer\eManager\anbmServ.exe -- (anbmService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINXP\System32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\etavaresCF\catchme.sys -- (catchme)
DRV - File not found [Kernel | Auto | Stopped] -- C:\Program Files\CyberLink\PowerDVD\000.fcl -- ({95808DC4-FA4A-4c74-92FE-5B863F82066B})
DRV - [2010/07/17 08:10:14 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINXP\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/06/02 19:46:30 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINXP\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2006/09/29 01:01:00 | 000,500,480 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINXP\system32\drivers\V0230VID.sys -- (V0230VID)
DRV - [2006/03/24 01:00:00 | 000,006,272 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINXP\system32\drivers\V0230Vfx.sys -- (V0230Vfx)
DRV - [2006/03/20 14:45:52 | 003,960,000 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINXP\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/03/02 00:09:02 | 000,240,640 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Running] -- C:\WINXP\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2005/02/25 19:45:32 | 000,013,312 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | System | Running] -- C:\WINXP\system32\drivers\srvkp.sys -- (SiSkp)
DRV - [2004/12/22 01:32:12 | 000,369,024 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINXP\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2004/11/05 16:43:58 | 000,032,768 | R--- | M] (SiS Corporation) [Kernel | On_Demand | Running] -- C:\WINXP\system32\drivers\sisnicxp.sys -- (SISNICXP)
DRV - [2004/10/08 10:51:08 | 001,270,540 | R--- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINXP\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2004/08/03 22:31:36 | 000,032,768 | ---- | M] (SiS Corporation) [Kernel | On_Demand | Stopped] -- C:\WINXP\system32\drivers\sisnic.sys -- (SISNIC)
DRV - [2003/07/18 09:58:20 | 000,036,992 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINXP\system32\DRIVERS\SISAGPX.sys -- (SISAGP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1715567821-1979792683-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINXP\system32\blank.htm
IE - HKU\S-1-5-21-1715567821-1979792683-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-1715567821-1979792683-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
IE - HKU\S-1-5-21-1715567821-1979792683-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1715567821-1979792683-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 128.59.20.227:3128

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {000a9d1c-beef-4f90-9363-039d445309b8}:0.5.36.0

FF - HKLM\software\mozilla\Firefox\extensions\\{000a9d1c-beef-4f90-9363-039d445309b8}: C:\Program Files\Google\Google Gears\Firefox\ [2010/03/08 08:38:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/20 13:42:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/20 13:42:18 | 000,000,000 | ---D | M]

[2009/09/25 20:52:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Windows XP\Application Data\Mozilla\Extensions
[2009/09/25 20:52:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Windows XP\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/07/20 13:45:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Windows XP\Application Data\Mozilla\Firefox\Profiles\r8dhtlu0.default\extensions
[2010/07/21 09:52:38 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Windows XP\Application Data\Mozilla\Firefox\Profiles\r8dhtlu0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/07/20 13:42:16 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/08/08 22:16:46 | 000,000,027 | ---- | M]) - C:\WINXP\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O2 - BHO: (Google Gears Helper) - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll File not found
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll File not found
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Lexmark X6100 Series] C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe (Lexmark International, Inc.)
O4 - HKLM..\Run: [SiSPower] C:\WINXP\System32\SiSPower.dll (Silicon Integrated Systems Corporation)
O4 - HKLM..\Run: [V0230Mon.exe] C:\WINXP\V0230Mon.exe (Creative Technology Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1715567821-1979792683-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1715567821-1979792683-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1715567821-1979792683-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1715567821-1979792683-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll File not found
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} http://www.facebook.com/fbplugin/win32/axf...b?1265851949921 (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1259932181437 (MUWebControl Class)
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} http://www.kodakgallery.ca/downloads/BUM/B..._2/axofupld.cab (Kodak Gallery Easy Upload Manager Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 212.54.35.25 212.54.40.25
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINXP\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINXP\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\Windows XP\Desktop\uitnodiging_Lorelei.gif
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Windows XP\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/09 23:21:22 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/08/13 17:48:26 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Windows XP\Desktop\OTL.exe
[2010/08/13 16:12:13 | 000,000,000 | -HSD | C] -- C:\Recycled
[2010/08/13 16:10:47 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Windows XP\Desktop\TFC.exe
[2010/08/13 15:41:50 | 016,062,240 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Windows XP\Desktop\jre-6u21-windows-i586.exe
[2010/08/06 13:39:55 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINXP\SWREG.exe
[2010/08/06 13:39:55 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINXP\NIRCMD.exe
[2010/08/06 13:39:53 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINXP\SWXCACLS.exe
[2010/08/06 13:39:53 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINXP\SWSC.exe
[2010/08/06 13:36:19 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/08/03 16:47:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Windows XP\Desktop\gmer
[2010/08/02 14:28:12 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2010/07/30 13:23:59 | 000,000,000 | ---D | C] -- C:\Program Files\FileZilla FTP Client
[2010/07/25 12:17:18 | 000,000,000 | ---D | C] -- C:\FOUND.023
[2010/07/20 13:42:14 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/07/17 08:12:54 | 000,012,536 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINXP\System32\avgrsstx.dll
[1 C:\Documents and Settings\Windows XP\Desktop\*.tmp files -> C:\Documents and Settings\Windows XP\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/13 17:48:32 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Windows XP\Desktop\OTL.exe
[2010/08/13 16:15:58 | 000,002,206 | ---- | M] () -- C:\WINXP\System32\wpa.dbl
[2010/08/13 16:15:10 | 000,000,006 | -H-- | M] () -- C:\WINXP\tasks\SA.DAT
[2010/08/13 16:15:06 | 000,002,048 | --S- | M] () -- C:\WINXP\bootstat.dat
[2010/08/13 16:13:12 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Windows XP\ntuser.ini
[2010/08/13 16:13:10 | 006,029,312 | ---- | M] () -- C:\Documents and Settings\Windows XP\ntuser.dat
[2010/08/13 16:10:50 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Windows XP\Desktop\TFC.exe
[2010/08/13 15:41:52 | 016,062,240 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Windows XP\Desktop\jre-6u21-windows-i586.exe
[2010/08/10 08:16:32 | 000,100,908 | ---- | M] () -- C:\Documents and Settings\Windows XP\Desktop\SystemLook.exe
[2010/08/08 22:33:00 | 000,485,896 | ---- | M] () -- C:\Documents and Settings\Windows XP\Desktop\HAMeb_check.exe
[2010/08/08 22:32:04 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Windows XP\Desktop\MBRCheck.exe
[2010/08/08 22:17:06 | 000,000,227 | ---- | M] () -- C:\WINXP\system.ini
[2010/08/08 18:46:10 | 003,816,974 | R--- | M] () -- C:\Documents and Settings\Windows XP\Desktop\etavaresCF.exe
[2010/08/03 16:40:20 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Windows XP\Desktop\gmer.zip
[2010/08/03 16:38:42 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Windows XP\Desktop\dds.scr
[2010/08/02 15:00:08 | 000,023,040 | ---- | M] () -- C:\Documents and Settings\Windows XP\My Documents\bezwaar parkeerboete.doc
[2010/07/31 08:58:30 | 000,000,638 | ---- | M] () -- C:\WINXP\win.ini
[2010/07/30 13:22:08 | 004,202,005 | ---- | M] () -- C:\Documents and Settings\Windows XP\Desktop\FileZilla_3.3.3_win32-setup.exe
[2010/07/27 20:14:46 | 000,010,839 | ---- | M] () -- C:\Documents and Settings\Windows XP\My Documents\inhoud_hello-kitty_12-12-2009.inc
[2010/07/23 08:17:06 | 001,399,785 | ---- | M] () -- C:\Documents and Settings\Windows XP\Desktop\achtergrond%20leeg.png
[2010/07/22 13:15:46 | 000,071,099 | ---- | M] () -- C:\Documents and Settings\Windows XP\Desktop\hello-kitty-color.gif
[2010/07/22 06:17:46 | 000,000,664 | ---- | M] () -- C:\WINXP\System32\d3d9caps.dat
[2010/07/17 08:12:56 | 000,012,536 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINXP\System32\avgrsstx.dll
[2010/07/17 08:10:14 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINXP\System32\drivers\avgldx86.sys
[2010/07/16 16:30:36 | 000,253,747 | ---- | M] () -- C:\Documents and Settings\Windows XP\Desktop\paspoort Henk van der Spek.jpg
[2010/07/16 13:39:12 | 000,000,504 | ---- | M] () -- C:\WINXP\lexstat.ini
[2010/07/15 06:28:06 | 000,000,946 | ---- | M] () -- C:\WINXP\tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1979792683-682003330-1003Core1cb141e20873f60.job
[1 C:\Documents and Settings\Windows XP\Desktop\*.tmp files -> C:\Documents and Settings\Windows XP\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/10 08:16:29 | 000,100,908 | ---- | C] () -- C:\Documents and Settings\Windows XP\Desktop\SystemLook.exe
[2010/08/08 22:32:56 | 000,485,896 | ---- | C] () -- C:\Documents and Settings\Windows XP\Desktop\HAMeb_check.exe
[2010/08/08 22:32:02 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Windows XP\Desktop\MBRCheck.exe
[2010/08/06 13:39:55 | 000,256,512 | ---- | C] () -- C:\WINXP\PEV.exe
[2010/08/06 13:39:55 | 000,077,312 | ---- | C] () -- C:\WINXP\MBR.exe
[2010/08/06 13:39:55 | 000,068,096 | ---- | C] () -- C:\WINXP\zip.exe
[2010/08/06 13:39:54 | 000,098,816 | ---- | C] () -- C:\WINXP\sed.exe
[2010/08/06 13:39:54 | 000,080,412 | ---- | C] () -- C:\WINXP\grep.exe
[2010/08/06 13:30:18 | 003,816,974 | R--- | C] () -- C:\Documents and Settings\Windows XP\Desktop\etavaresCF.exe
[2010/08/03 16:40:17 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Windows XP\Desktop\gmer.zip
[2010/08/03 16:38:57 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Windows XP\Desktop\dds.scr
[2010/08/02 14:52:07 | 000,023,040 | ---- | C] () -- C:\Documents and Settings\Windows XP\My Documents\bezwaar parkeerboete.doc
[2010/07/30 13:23:13 | 004,202,005 | ---- | C] () -- C:\Documents and Settings\Windows XP\Desktop\FileZilla_3.3.3_win32-setup.exe
[2010/07/23 08:22:29 | 001,399,785 | ---- | C] () -- C:\Documents and Settings\Windows XP\Desktop\achtergrond%20leeg.png
[2010/07/22 13:15:51 | 000,071,099 | ---- | C] () -- C:\Documents and Settings\Windows XP\Desktop\hello-kitty-color.gif
[2010/07/22 06:17:44 | 000,000,664 | ---- | C] () -- C:\WINXP\System32\d3d9caps.dat
[2010/07/16 16:30:22 | 000,253,747 | ---- | C] () -- C:\Documents and Settings\Windows XP\Desktop\paspoort Henk van der Spek.jpg
[2010/06/04 13:42:10 | 000,000,504 | ---- | C] () -- C:\WINXP\lexstat.ini
[2010/06/04 13:40:46 | 000,040,960 | ---- | C] () -- C:\WINXP\System32\lxbfvs.dll
[2010/06/04 13:38:56 | 000,000,188 | ---- | C] () -- C:\WINXP\System32\lxbfcoin.ini
[2010/06/04 13:38:32 | 000,077,824 | ---- | C] () -- C:\WINXP\System32\LXBFLCNP.DLL
[2010/06/04 12:26:51 | 000,000,076 | ---- | C] () -- C:\WINXP\System32\SLIM.ini
[2010/06/04 12:25:09 | 000,083,968 | ---- | C] () -- C:\WINXP\System32\hpgt21.dll
[2009/02/24 09:28:01 | 000,000,149 | ---- | C] () -- C:\WINXP\cdplayer.ini
[2009/02/23 19:46:36 | 000,000,000 | ---- | C] () -- C:\WINXP\QuickInstall.INI
[2008/10/03 18:48:19 | 000,000,069 | ---- | C] () -- C:\WINXP\NeroDigital.ini
[2008/09/19 21:53:00 | 000,000,370 | ---- | C] () -- C:\WINXP\ODBC.INI
[2008/07/24 19:55:27 | 000,003,117 | ---- | C] () -- C:\WINXP\RBuilder.ini
[2008/07/12 12:06:10 | 000,000,050 | ---- | C] () -- C:\WINXP\System32\oeminfo.ini
[2008/07/09 23:30:33 | 000,083,997 | ---- | C] () -- C:\WINXP\VGAsetup.ini
[2008/07/09 23:30:25 | 000,100,791 | ---- | C] () -- C:\WINXP\System32\VGAunistlog.ini
[2008/07/09 22:52:53 | 000,135,168 | ---- | C] () -- C:\WINXP\System32\RTLCPAPI.dll
< End of report >


OTL Extras logfile created on: 8/13/2010 5:49:00 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Windows XP\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

446.00 Mb Total Physical Memory | 57.00 Mb Available Physical Memory | 13.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 61.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINXP | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 2.79 Gb Free Space | 7.49% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WINDOWSXP
Current User Name: Windows XP
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Documents and Settings\Windows XP\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\Windows XP\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)
"C:\Program Files\FileZilla-3.1.2\filezilla.exe" = C:\Program Files\FileZilla-3.1.2\filezilla.exe:*:Enabled:FileZilla FTP Client -- (FileZilla Project)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox
"{25569723-DC5A-4467-A639-79535BF01B71}" = Adobe Help Center 2.1
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 13
"{26B878A8-5704-3B64-BDBC-4F0EACA38121}" = Google Talk Plugin
"{2FA41EBB-3F5A-35C3-85D6-51EC72A11FBD}" = Google Gears
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{44E5B47F-870E-4E38-A458-8A5FC4DCFECF}" = ImageMixer for HDD Camcorder
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{76450AFF-7B15-46BD-BDCF-A5A4E7026675}" = mOrders 4 +
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{80533B67-C407-485D-8B5D-63BB8ED9D878}" = Scan
"{827289F5-B44F-4E49-9993-840741585A62}" = Acer eManager for Notebook
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9455959E-D588-EFAE-329C-F66CC797F32A}" = Adobe Media Player
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A7B609FB-83D8-4FC3-8477-1BC65ECFE85B}" = Adobe Photoshop Elements 5.0
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{c6922d7f-c698-4d9e-9671-8b3de04d1511}" = DJ_AIO_03_F2200_Software_Min
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D3161124-2B4D-478F-901A-D21BCAD72C7E}" = Addit
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{DC226AC9-0314-496C-BE6A-B6A132628466}" = SiSAGP driver
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Photoshop Elements 5" = Adobe Photoshop Elements 5.0
"Agere Systems Soft Modem" = Agere Systems AC'97 Modem
"AVG9Uninstall" = AVG Free 9.0
"BIMPLite" = BIMP Lite 1.62
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Network Adapter
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Creative VF0230" = Creative Live! Cam Video IM Pro Driver (1.01.03.0928)
"DECCHECK" = Microsoft Windows XP Video Decoder Checkup Utility
"Digital Editions" = Adobe Digital Editions
"ENTERPRISE" = Microsoft Office Enterprise 2007
"FileZilla Client" = FileZilla Client 3.3.3
"HijackThis" = HijackThis 2.0.2
"HTMLKit_is1" = HTML-Kit
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"Instant CD & DVD Burner_is1" = Instant CD & DVD Burner
"Lexmark X6100 Series" = Lexmark X6100 Series
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.6)" = Mozilla Firefox (3.6.6)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OfotoEZUpload" = KODAK EASYSHARE Gallery Upload ActiveX Control
"RealPlayer 6.0" = RealPlayer
"SiS VGA Driver" = SiS VGA Utilities
"SiSLan" = SiS 900 PCI Fast Ethernet Adapter Driver
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1715567821-1979792683-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Adobe Reader for Palm OS" = Adobe Reader for Palm OS, 3.05
"Facebook Plug-In" = Facebook Plug-In

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/13/2010 9:33:38 AM | Computer Name = WINDOWSXP | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 8/13/2010 9:33:38 AM | Computer Name = WINDOWSXP | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 8/13/2010 9:33:50 AM | Computer Name = WINDOWSXP | Source = Google Update | ID = 20
Description =

Error - 8/13/2010 9:34:31 AM | Computer Name = WINDOWSXP | Source = Google Update | ID = 20
Description =

Error - 8/13/2010 10:15:16 AM | Computer Name = WINDOWSXP | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 8/13/2010 10:15:16 AM | Computer Name = WINDOWSXP | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 8/13/2010 10:15:16 AM | Computer Name = WINDOWSXP | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 8/13/2010 10:15:16 AM | Computer Name = WINDOWSXP | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 8/13/2010 10:18:42 AM | Computer Name = WINDOWSXP | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 8/13/2010 10:18:42 AM | Computer Name = WINDOWSXP | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

[ OSession Events ]
Error - 2/2/2010 1:42:32 AM | Computer Name = WINDOWSXP | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 137
seconds with 120 seconds of active time. This session ended with a crash.

Error - 3/5/2010 7:48:05 AM | Computer Name = WINDOWSXP | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 17757
seconds with 960 seconds of active time. This session ended with a crash.

Error - 3/9/2010 11:23:07 PM | Computer Name = WINDOWSXP | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1008
seconds with 60 seconds of active time. This session ended with a crash.

Error - 3/10/2010 7:31:46 AM | Computer Name = WINDOWSXP | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2063
seconds with 300 seconds of active time. This session ended with a crash.

Error - 3/23/2010 10:12:34 PM | Computer Name = WINDOWSXP | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 109
seconds with 0 seconds of active time. This session ended with a crash.

Error - 3/26/2010 2:18:35 AM | Computer Name = WINDOWSXP | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2866
seconds with 0 seconds of active time. This session ended with a crash.

Error - 6/9/2010 2:53:05 AM | Computer Name = WINDOWSXP | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 680
seconds with 180 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 8/13/2010 9:42:32 AM | Computer Name = WINDOWSXP | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%126

Error - 8/13/2010 9:43:02 AM | Computer Name = WINDOWSXP | Source = DCOM | ID = 10010
Description = The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register
with DCOM within the required timeout.

Error - 8/13/2010 10:11:15 AM | Computer Name = WINDOWSXP | Source = Service Control Manager | ID = 7034
Description = The Broadcom Wireless LAN Tray Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 8/13/2010 10:11:15 AM | Computer Name = WINDOWSXP | Source = Service Control Manager | ID = 7034
Description = The LexBce Server service terminated unexpectedly. It has done this
1 time(s).

Error - 8/13/2010 10:11:15 AM | Computer Name = WINDOWSXP | Source = Service Control Manager | ID = 7034
Description = The Notebook Manager Service service terminated unexpectedly. It
has done this 1 time(s).

Error - 8/13/2010 10:11:15 AM | Computer Name = WINDOWSXP | Source = Service Control Manager | ID = 7034
Description = The Adobe Active File Monitor V5 service terminated unexpectedly.
It has done this 1 time(s).

Error - 8/13/2010 10:11:15 AM | Computer Name = WINDOWSXP | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 8/13/2010 10:11:16 AM | Computer Name = WINDOWSXP | Source = Service Control Manager | ID = 7031
Description = The AVG Free WatchDog service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 0 milliseconds:
Restart the service.

Error - 8/13/2010 10:15:55 AM | Computer Name = WINDOWSXP | Source = Service Control Manager | ID = 7000
Description = The {95808DC4-FA4A-4c74-92FE-5B863F82066B} service failed to start
due to the following error: %%3

Error - 8/13/2010 10:15:55 AM | Computer Name = WINDOWSXP | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%126


< End of report >


I am not using this laptop right now because I bought a new one, so I am avoiding using it until you give me the go-ahead that it's all clear. It's still really slow, but to be honest it's been that way for a few months, and there are no obvious signs that anything else is wrong.

Thanks for your help,

Michelle



