Malware infection [Solved]

Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or to start a new topic of your own. Other benefits of joining include richer forum features, and removal of all advertising. Learn more in our Welcome Guide Infected? Malware and Spyware Cleaning Guide. What are you waiting for? Click here to join for free today!

> Geeks to Go! » Security » Virus, Spyware and Trojan Removal

2 Pages

1 2 >

Malware infection [Solved]

Options

immac View Member Profile	Sep 10 2009, 08:11 AM Post #1
Member Posts: 11 OS: XP	Hi GeekstoGo, Been looking on the site for about a month now since I decided my malware infection was apparently getting out of hand, and I've been amazed at the info and resources so many have chosen to place here. So a big thank you before I say anything else. OK, down to biz: I have a PC running windows XP, SP3. My browser was Firefox; today I switched to IE8. The computer's been getting increasingly cranky; first problem I had, which I chose to live with, was Windows Media Player stopped working; that was about 18 months ago and have tried lots of remedies, reloading the program, etc, to no avail. Other programs, like Real Player and Quicktime, mostly work. I run CCleaner regularly, and have used it as a Registry fix too. My compu is protected with AVG Free. Next problem I noticed was a reluctance for the computer to load the website I choose on Google. Quite often, about every third time, it would go to one with a similar name instead. It would also run fake scans that were difficult to turn off. More recently, I'd get a window within a minute or two of going online that said "jusched has encountered a problem and has had to close" and offering a send error report. Other programs seem to get this now. I ran various anti-spyware progs that seemed to find infections but the prob continued. SpyBot was downloaded but won't run. Someone recommended an online fix but whenever I opened the company's website it always appeared blank despite the fact that the laptop in the next room could find it in working order. When I boot up, the computer says there is no Firewall every time. So I put one on manually. Also, if I try to update AVG manually, I am told it can't log on to the site. The regular once-a-day auto AVG update seems to work ok. So I've gone thru the Malware and Spyware cleaning process as described on geeks to go. Trouble was found but it still seems like no cure has taken place. Here are the logs: Malwarebytes' Anti-Malware 1.40 Database version: 2551 Windows 5.1.2600 Service Pack 3 10/09/2009 12:06:10 mbam-log-2009-09-10 (12-06-00).txt Scan type: Quick Scan Objects scanned: 100012 Time elapsed: 8 minute(s), 4 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 5 Registry Values Infected: 1 Registry Data Items Infected: 4 Folders Infected: 1 Files Infected: 4 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.AntiVirus2008) -> No action taken. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux4 (Trojan.JSRedir.H) -> Bad: (C:\WINDOWS\system32\..\dfhu.ryn) Good: (wdmaud.drv) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken. Folders Infected: C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken. Files Infected: C:\WINDOWS\dfhu.ryn (Trojan.JSRedir.H) -> No action taken. C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken. C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken. C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> No action taken. OTL logfile created on: 10/09/2009 13:38:38 - Run 1 OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Ian\Desktop Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000809 \| Country: United Kingdom \| Language: ENG \| Date Format: dd/MM/yyyy 1022.95 Mb Total Physical Memory \| 576.52 Mb Available Physical Memory \| 56.36% Memory free 1.65 Gb Paging File \| 1.29 Gb Available in Paging File \| 78.15% Paging File free Paging file location(s): C:\pagefile.sys 768 1536 [binary data] %SystemDrive% = C: \| %SystemRoot% = C:\WINDOWS \| %ProgramFiles% = C:\Program Files Drive C: \| 74.52 Gb Total Space \| 57.45 Gb Free Space \| 77.09% Space Free \| Partition Type: NTFS D: Drive not present or media not loaded E: Drive not present or media not loaded Drive F: \| 372.52 Gb Total Space \| 345.98 Gb Free Space \| 92.88% Space Free \| Partition Type: FAT32 G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: MR_COMPUTER Current User Name: Ian Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: On Skip Microsoft Files: On File Age = 14 Days Output = Standard Quick Scan ========== Processes (SafeList) ========== PRC - [2009/07/06 09:30:23 \| 01,029,456 \| ---- \| M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe PRC - [2005/12/30 09:15:16 \| 00,036,864 \| ---- \| M] () -- C:\WINDOWS\System32\acs.exe PRC - [2004/10/20 05:47:54 \| 00,098,304 \| ---- \| M] () -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe PRC - [2008/06/08 11:26:13 \| 00,282,904 \| ---- \| M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe PRC - [2005/04/06 16:03:28 \| 00,110,592 \| ---- \| M] () -- C:\Program Files\Sitecom\IVT BlueSoleil\BTNtService.exe PRC - [1999/12/13 02:01:00 \| 00,044,032 \| ---- \| M] (Creative Technology Ltd) -- C:\WINDOWS\System32\CTsvcCDA.EXE PRC - [2009/07/25 05:23:10 \| 00,153,376 \| ---- \| M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe PRC - [2003/06/20 00:25:00 \| 00,322,120 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE PRC - [2004/10/20 04:40:46 \| 00,118,784 \| ---- \| M] () -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe PRC - [2003/07/02 16:40:08 \| 00,045,056 \| ---- \| M] ( ) -- C:\WINDOWS\System32\slserv.exe PRC - [2008/06/08 11:26:14 \| 00,311,576 \| ---- \| M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe PRC - [2002/08/29 13:00:00 \| 00,016,896 \| ---- \| M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\unsecapp.exe PRC - [2004/08/04 08:56:57 \| 00,218,112 \| ---- \| M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe PRC - [2004/08/04 08:56:57 \| 00,013,824 \| ---- \| M] (Microsoft Corporation) -- C:\WINDOWS\System32\wscntfy.exe PRC - [2007/06/13 11:23:07 \| 01,033,216 \| ---- \| M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE PRC - [2004/05/25 21:10:00 \| 00,339,968 \| ---- \| M] (ATI Technologies, Inc.) -- C:\ATI-CPanel\atiptaxx.exe PRC - [2001/12/13 12:44:40 \| 00,143,360 \| ---- \| M] (Rockstar Software) -- C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe PRC - [2002/09/10 21:26:26 \| 00,368,706 \| ---- \| M] () -- C:\Program Files\BroadJump\Client Foundation\CFD.exe PRC - [2003/12/30 10:40:24 \| 00,380,928 \| ---- \| M] (Motive Communications, Inc.) -- C:\Program Files\ntl\broadband medic\SmartBridge\MotiveSB.exe PRC - [2003/12/31 17:39:04 \| 00,040,960 \| ---- \| M] () -- C:\WINDOWS\vsnpstd.exe PRC - [2005/05/12 00:12:54 \| 00,049,152 \| ---- \| M] (Hewlett-Packard Co.) -- C:\Program Files\HP\HP Software Update\HPWuSchd2.exe PRC - [2007/06/29 06:24:52 \| 00,286,720 \| ---- \| M] (Apple Inc.) -- C:\Program Files\QuickTime\QTTask.exe PRC - [2007/08/15 20:15:24 \| 00,271,672 \| ---- \| M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe PRC - [2007/01/13 12:22:06 \| 00,311,296 \| ---- \| M] (Info Linker Limited) -- C:\Program Files\MSI\MSI.exe PRC - [2008/06/08 11:26:14 \| 01,177,368 \| ---- \| M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe PRC - [2009/05/13 11:16:01 \| 00,198,160 \| ---- \| M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe PRC - [2009/07/06 09:30:27 \| 00,520,024 \| ---- \| M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe PRC - [2009/07/25 05:23:12 \| 00,149,280 \| ---- \| M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe PRC - [2003/04/23 01:43:44 \| 00,413,775 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE PRC - [2004/10/13 17:24:37 \| 01,694,208 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe PRC - [2004/12/02 18:23:34 \| 00,102,400 \| ---- \| M] (Creative Technology Ltd) -- C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe PRC - [2007/05/18 21:01:01 \| 00,068,856 \| ---- \| M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe PRC - [2005/04/05 19:01:36 \| 00,282,624 \| ---- \| M] (FUJI PHOTO FILM CO., LTD.) -- C:\Program Files\FinePixViewer\QuickDCF.exe PRC - [2006/02/14 11:53:48 \| 03,338,296 \| ---- \| M] (Freecom) -- C:\Program Files\Freecom Personal Media Suite\FCPMS.exe PRC - [2001/12/13 12:44:50 \| 00,028,672 \| ---- \| M] (Rockstar Software) -- C:\Program Files\Gearbox Connection Kit\bin\gbConMon.exe PRC - [2001/12/13 12:46:30 \| 00,032,768 \| ---- \| M] (Rockstar Software) -- C:\Program Files\Gearbox Connection Kit\bin\gbTask.exe PRC - [2007/08/15 20:15:16 \| 00,501,048 \| ---- \| M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe PRC - [2009/09/10 13:35:46 \| 00,514,048 \| ---- \| M] (OldTimer Tools) -- C:\Documents and Settings\Ian\Desktop\OTL.exe ========== Win32 Services (SafeList) ========== SRV - [2005/12/30 09:15:16 \| 00,036,864 \| ---- \| M] () -- C:\WINDOWS\System32\acs.exe -- (ACS [Auto \| Running]) SRV - [2004/10/20 05:47:54 \| 00,098,304 \| ---- \| M] () -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor [Auto \| Running]) SRV - [2005/09/23 07:28:32 \| 00,029,896 \| ---- \| M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand \| Stopped]) SRV - [2008/06/08 11:26:13 \| 00,282,904 \| ---- \| M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto \| Running]) SRV - [2005/04/06 16:03:28 \| 00,110,592 \| ---- \| M] () -- C:\Program Files\Sitecom\IVT BlueSoleil\BTNtService.exe -- (BlueSoleil Hid Service [Auto \| Running]) SRV - [2005/09/23 07:28:56 \| 00,066,240 \| ---- \| M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand \| Stopped]) SRV - [1999/12/13 02:01:00 \| 00,044,032 \| ---- \| M] (Creative Technology Ltd) -- C:\WINDOWS\System32\CTsvcCDA.EXE -- (Creative Service for CDROM Access [Auto \| Running]) SRV - [2009/03/23 16:02:18 \| 00,183,280 \| ---- \| M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Auto \| Stopped]) SRV - [2004/08/04 08:56:44 \| 00,038,912 \| ---- \| M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto \| Running]) SRV - [2004/10/22 03:24:18 \| 00,073,728 \| ---- \| M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand \| Stopped]) SRV - [2007/08/15 20:15:16 \| 00,501,048 \| ---- \| M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand \| Running]) SRV - [2009/07/25 05:23:10 \| 00,153,376 \| ---- \| M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto \| Running]) SRV - [2009/07/06 09:30:23 \| 01,029,456 \| ---- \| M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service [Auto \| Running]) SRV - [2003/06/20 00:25:00 \| 00,322,120 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto \| Running]) SRV - [2003/07/28 13:28:22 \| 00,089,136 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand \| Stopped]) SRV - [2004/10/20 04:40:46 \| 00,118,784 \| ---- \| M] () -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe -- (PhotoshopElementsDeviceConnect [Auto \| Running]) SRV - [2003/07/02 16:40:08 \| 00,045,056 \| ---- \| M] ( ) -- C:\WINDOWS\System32\slserv.exe -- (SLService [Auto \| Running]) SRV - [2006/10/18 21:05:24 \| 00,913,408 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand \| Stopped]) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data] IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/home.html IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie IE - URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local> ========== FireFox ========== FF - prefs.js..browser.search.selectedEngine: "Yahoo.co.uk" FF - prefs.js..browser.startup.homepage: "https://login.yahoo.com/config/login_verify2?.intl=us&.src=ym&.done=http%3a%2f%2fus.mc537.mail.yahoo.com%2fmc%2fshowFolder%3ffid%3dInbox%26.rand%3d1930485186" FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15 FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0 FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0 FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.14 FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1" FF - HKLM\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009/05/13 11:16:33 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/04/17 11:21:54 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Mozilla Firefox 3.0.14\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/09/10 13:31:25 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Mozilla Firefox 3.0.14\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/10 13:31:25 \| 00,000,000 \| ---D \| M] [2008/07/02 14:37:05 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Ian\Application Data\mozilla\Extensions [2008/07/02 14:37:05 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Ian\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} [2009/08/11 09:40:21 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Ian\Application Data\mozilla\Firefox\Profiles\zxfrjelz.default\extensions [2009/09/10 11:07:02 \| 00,000,000 \| ---D \| M] -- C:\Program Files\mozilla firefox\extensions [2009/09/10 13:31:15 \| 00,000,000 \| ---D \| M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2009/04/17 11:22:10 \| 00,000,000 \| ---D \| M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [2009/08/11 09:06:05 \| 00,000,000 \| ---D \| M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [2009/09/10 13:31:15 \| 00,023,032 \| ---- \| M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll [2009/09/10 13:31:15 \| 00,134,648 \| ---- \| M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll [2009/07/25 05:23:01 \| 00,411,368 \| ---- \| M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll [2008/06/27 16:03:12 \| 01,446,440 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npLegitCheckPlugin.dll [2009/09/10 13:31:16 \| 00,065,528 \| ---- \| M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll [2009/02/07 11:36:06 \| 00,001,538 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml [2009/02/07 11:36:06 \| 00,002,193 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml [2009/02/07 11:36:06 \| 00,000,947 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml [2009/02/07 11:36:06 \| 00,001,534 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml [2009/02/07 11:36:06 \| 00,000,759 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml [2009/02/07 11:36:06 \| 00,001,706 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml [2009/02/07 11:36:06 \| 00,001,178 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml [2009/02/07 11:36:06 \| 00,000,831 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml O1 HOSTS File: (822 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: ::1 localhost O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer) O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.) O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.) O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll (Google Inc.) O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.) O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll (Microsoft Corp.) O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.) O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll (Microsoft Corp.) O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.) O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.) O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.) O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft) O4 - HKLM..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe (ATI Technologies, Inc.) O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.) O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe () O4 - HKLM..\Run: [Compaq32 Service Drivers] File not found O4 - HKLM..\Run: [FirstSteps] File not found O4 - HKLM..\Run: [Gearbox] C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe (Rockstar Software) O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Co.) O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.) O4 - HKLM..\Run: [Motive SmartBridge] C:\Program Files\ntl\broadband medic\SmartBridge\MotiveSB.exe (Motive Communications, Inc.) O4 - HKLM..\Run: [MSI] C:\Program Files\MSI\MSI.exe (Info Linker Limited) O4 - HKLM..\Run: [NAV_Update] C:\NAV_Update.exe (Fujitsu Siemens Computer) O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe (Ahead Software Gmbh) O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.) O4 - HKLM..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE (FUJI PHOTO FILM CO., LTD.) O4 - HKLM..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe () O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.) O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.) O4 - HKLM..\Run: [Wizard] File not found O4 - HKCU..\Run: [Compaq32 Service Drivers] File not found O4 - HKCU..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe (Creative Technology Ltd) O4 - HKCU..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE (Microsoft Corporation) O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation) O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.) O4 - HKLM..\RunServices: [Compaq32 Service Drivers] File not found O4 - HKLM..\RunServices: [Gearbox Deferal Check] C:\Program Files\Gearbox Connection Kit\bin\gbdefer.exe (Rockstar Software) O4 - HKCU..\RunServices: [Compaq32 Service Drivers] File not found O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe (FUJI PHOTO FILM CO., LTD.) O4 - Startup: C:\Documents and Settings\Ian\Start Menu\Programs\Startup\Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe (Freecom) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation) O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL (Microsoft Corporation) O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL (Microsoft Corporation) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation) O9 - Extra Button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll (Picasa, Inc.) O9 - Extra 'Tools' menuitem : Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll (Picasa, Inc.) O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation) O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation) O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation) O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone. O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b...heckControl.cab (Windows Genuine Advantage Validation Tool) O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class) O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} http://musicstore.connect.com/XSL/mb_us//h...ALStreaming.cab (MALPlaybackCtrl Class) O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine) O16 - DPF: {4B48D5DF-9021-45F7-A240-60304302A215} http://download.microsoft.com/download/b/d.../WebCleaner.cab (Malicious Software Removal Tool) O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab (EPUImageControl Class) O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} http://upload.facebook.com/controls/Facebo...otoUploader.cab (Facebook Photo Uploader Control) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1122670772074 (WUWebControl Class) O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} http://updates.lifescapeinc.com/installers...ll/pinstall.cab (Install Class) O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1135696917671 (MUWebControl Class) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15) O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.) O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} http://www.crucial.com/controls/cpcScanner.cab (Crucial cpcScan) O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object) O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100 O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.) O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\ipp - No CLSID value found O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.) O18 - Protocol\Handler\mctp {d7b95390-b1c5-11d0-b111-0080c712fe82} - C:\Program Files\Microsoft ActiveSync\aatp.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp - No CLSID value found O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation) O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation) O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation) O18 - Protocol\Filter: - x-sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.) O20 - AppInit_DLLs: (avgrsstx.dll) - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\System32\sdra64.exe () O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\System32\dimsntfy.dll File not found O24 - Desktop Components:0 (My Current Home Page) - About:Home O31 - SafeBoot: AlternateShell - cmd.exe O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2004/08/10 12:11:08 \| 00,000,000 \| ---- \| M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (autocheck) - File not found O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation) O34 - HKLM BootExecute: () - File not found O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe () NetSvcs: 6to4 - Service key not found. File not found NetSvcs: Ias - Service key not found. File not found NetSvcs: Iprip - Service key not found. File not found NetSvcs: Irmon - Service key not found. File not found NetSvcs: NWCWorkstation - Service key not found. File not found NetSvcs: Nwsapagent - Service key not found. File not found NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation) NetSvcs: WmdmPmSp - Service key not found. File not found NetSvcs: helpsvc - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation) ========== Files/Folders - Created Within 14 Days ========== [1 C:\WINDOWS\.tmp files] [2009/09/10 13:35:40 \| 00,514,048 \| ---- \| C] (OldTimer Tools) -- C:\Documents and Settings\Ian\Desktop\OTL.exe [2009/09/10 13:30:29 \| 00,001,888 \| ---- \| C] () -- C:\Documents and Settings\Ian\My Documents\rootrepeal.exe [2009/09/10 12:40:51 \| 00,000,000 \| ---- \| C] () -- C:\Documents and Settings\Ian\Desktop\settings.dat [2009/09/10 12:25:00 \| 00,000,000 \| -H-D \| C] -- C:\WINDOWS\ie8 [2009/09/10 12:23:05 \| 00,000,000 \| ---D \| C] -- C:\Program Files\Microsoft Silverlight [2009/09/10 12:17:58 \| 00,000,000 \| -H-D \| C] -- C:\WINDOWS\msdownld.tmp [2009/09/10 11:15:29 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\Ian\Application Data\Malwarebytes [2009/09/10 11:15:24 \| 00,000,704 \| ---- \| C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2009/09/10 11:15:17 \| 00,038,160 \| ---- \| C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2009/09/10 11:15:15 \| 00,019,096 \| ---- \| C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2009/09/10 11:15:15 \| 00,000,000 \| ---D \| C] -- C:\Program Files\Malwarebytes' Anti-Malware [2009/09/10 11:15:15 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes [2009/09/10 11:13:34 \| 03,942,048 \| ---- \| C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Ian\Desktop\mbam-setup.exe [2009/09/10 11:07:15 \| 00,000,000 \| ---D \| C] -- C:\WINDOWS\ERDNT [2009/09/10 11:06:43 \| 00,000,619 \| ---- \| C] () -- C:\Documents and Settings\Ian\Desktop\NTREGOPT.lnk [2009/09/10 11:06:42 \| 00,000,600 \| ---- \| C] () -- C:\Documents and Settings\Ian\Desktop\ERUNT.lnk [2009/09/10 11:06:37 \| 00,000,000 \| ---D \| C] -- C:\Program Files\ERUNT [2009/09/10 11:05:21 \| 00,791,393 \| ---- \| C] (Lars Hederer ) -- C:\Documents and Settings\Ian\Desktop\erunt_setup.exe [2009/09/10 11:01:16 \| 00,021,504 \| ---- \| C] (Doug Knox) -- C:\Documents and Settings\Ian\Desktop\SysRestorePoint.exe [2009/09/10 10:46:09 \| 00,272,384 \| ---- \| C] (OldTimer Tools) -- C:\Documents and Settings\Ian\Desktop\TFC.exe [2009/09/08 22:41:10 \| 04,361,329 \| R--- \| C] () -- C:\Documents and Settings\Ian\Desktop\Sound Clips.rar [2009/09/03 19:32:34 \| 00,000,162 \| -H-- \| C] () -- C:\Documents and Settings\Ian\Desktop\~$NYL SEPTEMBER.rtf [2009/09/03 19:31:16 \| 00,391,688 \| ---- \| C] () -- C:\Documents and Settings\Ian\Desktop\VINYL SEPTEMBER.rtf ========== Files - Modified Within 14 Days ========== [1 C:\WINDOWS\.tmp files] [9 C:\Documents and Settings\Ian\My Documents\.tmp files] [2009/09/10 13:35:46 \| 00,514,048 \| ---- \| M] (OldTimer Tools) -- C:\Documents and Settings\Ian\Desktop\OTL.exe [2009/09/10 13:30:29 \| 00,001,888 \| ---- \| M] () -- C:\Documents and Settings\Ian\My Documents\rootrepeal.exe [2009/09/10 12:40:51 \| 00,000,000 \| ---- \| M] () -- C:\Documents and Settings\Ian\Desktop\settings.dat [2009/09/10 12:39:41 \| 00,000,868 \| ---- \| M] () -- C:\WINDOWS\tasks\Google Software Updater.job [2009/09/10 12:34:17 \| 00,054,156 \| -H-- \| M] () -- C:\WINDOWS\QTFont.qfn [2009/09/10 12:32:06 \| 00,001,158 \| ---- \| M] () -- C:\WINDOWS\System32\wpa.dbl [2009/09/10 12:31:17 \| 00,000,006 \| -H-- \| M] () -- C:\WINDOWS\tasks\SA.DAT [2009/09/10 12:31:10 \| 00,002,048 \| --S- \| M] () -- C:\WINDOWS\bootstat.dat [2009/09/10 12:31:09 \| 10,727,13728 \| -HS- \| M] () -- C:\hiberfil.sys [2009/09/10 11:15:24 \| 00,000,704 \| ---- \| M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2009/09/10 11:13:57 \| 03,942,048 \| ---- \| M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Ian\Desktop\mbam-setup.exe [2009/09/10 11:06:43 \| 00,000,619 \| ---- \| M] () -- C:\Documents and Settings\Ian\Desktop\NTREGOPT.lnk [2009/09/10 11:06:42 \| 00,000,600 \| ---- \| M] () -- C:\Documents and Settings\Ian\Desktop\ERUNT.lnk [2009/09/10 11:05:27 \| 00,791,393 \| ---- \| M] (Lars Hederer ) -- C:\Documents and Settings\Ian\Desktop\erunt_setup.exe [2009/09/10 11:01:21 \| 00,021,504 \| ---- \| M] (Doug Knox) -- C:\Documents and Settings\Ian\Desktop\SysRestorePoint.exe [2009/09/10 10:46:14 \| 00,272,384 \| ---- \| M] (OldTimer Tools) -- C:\Documents and Settings\Ian\Desktop\TFC.exe [2009/09/08 22:41:10 \| 04,361,329 \| R--- \| M] () -- C:\Documents and Settings\Ian\Desktop\Sound Clips.rar [2009/09/06 13:06:58 \| 04,317,680 \| -H-- \| M] () -- C:\Documents and Settings\Ian\Local Settings\Application Data\IconCache.db [2009/09/03 19:34:09 \| 00,391,688 \| ---- \| M] () -- C:\Documents and Settings\Ian\Desktop\VINYL SEPTEMBER.rtf [2009/09/03 19:32:34 \| 00,000,162 \| -H-- \| M] () -- C:\Documents and Settings\Ian\Desktop\~$NYL SEPTEMBER.rtf [2009/09/03 14:57:05 \| 00,000,284 \| ---- \| M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job [2009/08/31 09:29:16 \| 00,000,472 \| ---- \| M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job ========== LOP Check ========== [2009/09/10 11:15:15 \| 00,000,000 \| RH-D \| M] -- C:\Documents and Settings\All Users\Application Data [2009/06/02 09:27:18 \| 00,000,000 \| -H-D \| M] -- C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F} [2005/05/01 19:17:47 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\Ahead [2005/09/26 11:27:09 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\ArcSoft [2007/05/21 10:29:46 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\Bluetooth [2009/03/13 12:50:23 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\MSN6 [2005/07/23 13:28:01 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\OD2 [2004/08/10 12:15:09 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\SBSI [2007/01/10 14:10:51 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems [2009/09/10 11:15:29 \| 00,000,000 \| RH-D \| M] -- C:\Documents and Settings\Ian\Application Data [2006/06/28 22:36:14 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Ian\Application Data\Ahead [2008/06/18 11:05:09 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Ian\Application Data\Azureus [2007/02/24 14:30:58 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Ian\Application Data\FUJIFILM [2005/12/03 17:38:18 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Ian\Application Data\InterVideo [2009/05/13 11:22:24 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Ian\Application Data\licenses [2005/10/23 16:19:36 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Ian\Application Data\Motive [2009/03/13 12:50:37 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Ian\Application Data\MSN6 [2005/07/23 15:53:19 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Ian\Application Data\OD2 [2009/05/13 11:21:32 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Ian\Application Data\PCMM2009 [2006/04/08 21:15:56 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Ian\Application Data\Steinberg [2005/05/01 19:19:34 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Ian\Application Data\Template [2006/01/22 18:19:50 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Ian\Application Data\Ulead Systems [2006/10/23 22:56:00 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Ian\Application Data\WinPatrol [2009/08/31 09:29:16 \| 00,000,472 \| ---- \| M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job [2009/09/03 14:57:05 \| 00,000,284 \| ---- \| M] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job [2002/08/29 13:00:00 \| 00,000,065 \| RH-- \| M] () -- C:\WINDOWS\Tasks\desktop.ini [2009/09/10 12:39:41 \| 00,000,868 \| ---- \| M] () -- C:\WINDOWS\Tasks\Google Software Updater.job [2009/09/10 12:31:17 \| 00,000,006 \| -H-- \| M] () -- C:\WINDOWS\Tasks\SA.DAT ========== Purity Check ========== ========== Custom Scans ========== < %SYSTEMDRIVE%\*.exe > [2002/11/11 16:16:53 \| 00,020,480 \| ---- \| M] (Fujitsu Siemens Computer) -- C:\fastboot.exe [2003/07/02 07:49:04 \| 00,520,192 \| ---- \| M] (Fujitsu Siemens Computer) -- C:\FirstSteps.exe [2003/03/13 11:37:35 \| 00,032,768 \| ---- \| M] (Fujitsu Siemens Computer) -- C:\NAV_Update.exe < %systemroot%\system32\eventlog.dll > [2004/08/04 08:56:42 \| 00,055,808 \| ---- \| M] (Microsoft Corporation) -- C:\WINDOWS\system32\eventlog.dll < %systemroot%\system32\scecli.dll > [2004/08/04 08:56:44 \| 00,180,224 \| ---- \| M] (Microsoft Corporation) -- C:\WINDOWS\system32\scecli.dll < %systemroot%\netlogon.dll > < %systemroot%\system32\cngaudit.dll > < %systemroot%\system32\sceclt.dll > < %systemroot%\ntelogon.dll > < %systemroot%\system32\logevent.dll > < End of report > ROOTREPEAL © AD, 2007-2009 ================================================== Scan Start Time: 2009/09/10 12:41 Program Version: Version 1.3.5.0 Windows Version: Windows XP SP3 ================================================== Drivers ------------------- Name: dump_atapi.sys Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys Address: 0xB6CD7000 Size: 98304 File Visible: No Signed: - Status: - Name: dump_WMILIB.SYS Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS Address: 0xF7DD1000 Size: 8192 File Visible: No Signed: - Status: - Name: rootrepeal[1].sys Image Path: C:\WINDOWS\system32\drivers\rootrepeal[1].sys Address: 0xB562D000 Size: 49152 File Visible: No Signed: - Status: - SSDT ------------------- #: 041 Function Name: NtCreateKey Status: Hooked by "Lbd.sys" at address 0xf78d187e #: 247 Function Name: NtSetValueKey Status: Hooked by "Lbd.sys" at address 0xf78d1bfe ==EOF== I hope this helps. Can anyone tell me what I can do, please? Many thanks for reading, Immac

BHowett View Member Profile	Sep 12 2009, 09:50 AM Post #2
Moderator / Malware Staff Posts: 4,137 From: USA OS: Windows XP professional	Hello and welcome to Geeks To Go! My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure then please do not guess , simply post back with your question, and we will go through it again. sorry for the delay as you can tell we are quite busy around here. Anyway I can see some malware on your system, however it may not be the cause of all the problems you described. What we will do is get you clean and see what left to take care of. please do the following... re-run Malwarebytes' Anti-Malware, because you didn't have it fix anything. This time be sure to do the following. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy&Paste the entire report in your next reply. Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly. =============================================== ComboFix Please download ComboFix from Here or Here * IMPORTANT !!! Save ComboFix.exe to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Do not mouse-click Combofix's window while it is running. That may cause it to stall.** =============================================== please post both logs in your next reply, and let me know how things are running

immac View Member Profile	Sep 12 2009, 01:59 PM Post #3
Member Posts: 11 OS: XP	Dear BHowett Many many many thanks for all your help. I can't tell you how much I appreciate it. I am sincerely grateful. I ran the two programs you suggested. Somewhat alarmed to note that the combofix took 30 minutes instead of the 10 it suggested, which perhaps menat I was more infested than I expected. Anyhow, here are the logs, with Malware Bites first, which this time I made sure I ran the delete part of the program (d'oh, as Homer Simpson might say): Malwarebytes' Anti-Malware 1.40 Database version: 2551 Windows 5.1.2600 Service Pack 3 12/09/2009 18:17:27 mbam-log-2009-09-12 (18-17-27).txt Scan type: Quick Scan Objects scanned: 107380 Time elapsed: 13 minute(s), 14 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 5 Registry Values Infected: 1 Registry Data Items Infected: 3 Folders Infected: 1 Files Infected: 3 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully. Folders Infected: C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot. Files Infected: C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot. C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot. C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot. Combofix log: ComboFix 09-09-11.05 - Ian 12/09/2009 20:12.2.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.637 [GMT 1:00] Running from: c:\documents and settings\Ian\Desktop\ComboFix.exe AV: AVG Anti-Virus Free On-access scanning disabled (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\recycler\S-1-5-21-1406634023-229574775-3849451615-1003 c:\windows\Installer\17af89.msp c:\windows\Installer\40ce35.msp c:\windows\Installer\5e96d.msp c:\windows\system32\_005899_.tmp.dll c:\windows\system32\_005900_.tmp.dll c:\windows\system32\_005901_.tmp.dll c:\windows\system32\_005902_.tmp.dll c:\windows\system32\_005909_.tmp.dll c:\windows\system32\_005911_.tmp.dll c:\windows\system32\_005912_.tmp.dll c:\windows\system32\_005914_.tmp.dll c:\windows\system32\_005915_.tmp.dll c:\windows\system32\_005918_.tmp.dll c:\windows\system32\_005919_.tmp.dll c:\windows\system32\_005921_.tmp.dll c:\windows\system32\_005922_.tmp.dll c:\windows\system32\_005923_.tmp.dll c:\windows\system32\_005925_.tmp.dll c:\windows\system32\_005928_.tmp.dll c:\windows\system32\_005929_.tmp.dll c:\windows\system32\_005933_.tmp.dll c:\windows\system32\_005934_.tmp.dll c:\windows\system32\_005936_.tmp.dll c:\windows\system32\_005939_.tmp.dll c:\windows\system32\_005941_.tmp.dll c:\windows\system32\_005943_.tmp.dll c:\windows\system32\_005944_.tmp.dll c:\windows\system32\_005945_.tmp.dll c:\windows\system32\_005948_.tmp.dll c:\windows\system32\_005949_.tmp.dll c:\windows\system32\_005950_.tmp.dll c:\windows\system32\_005951_.tmp.dll c:\windows\system32\_005952_.tmp.dll c:\windows\system32\_005957_.tmp.dll c:\windows\system32\_005959_.tmp.dll c:\windows\system32\_005960_.tmp.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_MSDIRECTX ((((((((((((((((((((((((( Files Created from 2009-08-12 to 2009-09-12 ))))))))))))))))))))))))))))))) . 2009-09-10 11:39 . 2009-09-10 11:39 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache 2009-09-10 11:37 . 2009-09-10 11:37 -------- d-sh--w- c:\documents and settings\Ian\IECompatCache 2009-09-10 11:35 . 2009-09-10 11:35 -------- d-sh--w- c:\documents and settings\Ian\PrivacIE 2009-09-10 11:32 . 2009-09-10 11:32 -------- d-sh--w- c:\documents and settings\Ian\IETldCache 2009-09-10 11:32 . 2009-09-10 11:32 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache 2009-09-10 11:25 . 2009-09-10 11:26 -------- dc-h--w- c:\windows\ie8 2009-09-10 11:23 . 2009-09-12 08:16 -------- d-----w- c:\program files\Microsoft Silverlight 2009-09-10 11:17 . 2009-09-10 11:29 -------- d--h--w- c:\windows\msdownld.tmp 2009-09-10 10:15 . 2009-09-10 10:15 -------- d-----w- c:\documents and settings\Ian\Application Data\Malwarebytes 2009-09-10 10:15 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-09-10 10:15 . 2009-09-10 10:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-09-10 10:15 . 2009-09-10 10:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-09-10 10:15 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-09-10 10:06 . 2009-09-10 10:06 -------- d-----w- c:\program files\ERUNT . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-09-10 15:39 . 2005-07-13 13:18 -------- d-----w- c:\program files\Roots Knotty Roots 2009-09-08 21:26 . 2008-02-22 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2009-08-11 08:05 . 2006-04-26 19:19 -------- d-----w- c:\program files\Java 2009-07-25 04:23 . 2009-04-17 10:22 411368 ----a-w- c:\windows\system32\deploytk.dll . ------- Sigcheck ------- [7] 2008-04-14 00:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\ServicePackFiles\i386\es.dll [-] 2005-07-26 04:39 . 34BBD9ACC1538818F2C878898C64E793 . 243200 . . [2001.12.4414.308] . . c:\windows\$NtServicePackUninstall$\es.dll [-] 2005-07-26 04:39 . 34BBD9ACC1538818F2C878898C64E793 . 243200 . . [2001.12.4414.308] . . c:\windows\system32\es.dll [-] 2005-07-26 04:20 . 95F5FEA4C6DE2C3F28784D0DCC8F0DD3 . 243200 . . [2001.12.4414.308] . . c:\windows\$hf_mig$\KB902400\SP2QFE\es.dll [7] 2004-08-04 07:56 . ACD36A2DD7D1E9D8A060AA651DC07E63 . 243200 . . [2001.12.4414.258] . . c:\windows\$NtUninstallKB902400$\es.dll [-] 2005-09-01 . 648BF0B4DDE4F7A1156DAE7174D36EFA . 19968 . . [5.1.2600.2751] . . c:\windows\$hf_mig$\KB900725\SP2QFE\linkinfo.dll [-] 2005-09-01 . A1A688EE56CF3BBD24EDEB815D48E9BA . 19968 . . [5.1.2600.2751] . . c:\windows\$NtServicePackUninstall$\linkinfo.dll [-] 2005-09-01 . A1A688EE56CF3BBD24EDEB815D48E9BA . 19968 . . [5.1.2600.2751] . . c:\windows\system32\linkinfo.dll [7] 2004-08-04 . C2BBD044C741EA4292016C36F718D2E4 . 18944 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB900725$\linkinfo.dll [7] 2004-08-04 . C2BBD044C741EA4292016C36F718D2E4 . 18944 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\linkinfo.dll [7] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\netman.dll [-] 2005-08-22 . 36739B39267914BA69AD0610A0299732 . 197632 . . [5.1.2600.2743] . . c:\windows\$NtServicePackUninstall$\netman.dll [-] 2005-08-22 . 36739B39267914BA69AD0610A0299732 . 197632 . . [5.1.2600.2743] . . c:\windows\system32\netman.dll [-] 2005-08-22 . 3516D8A18B36784B1005B950B84232E1 . 197632 . . [5.1.2600.2743] . . c:\windows\$hf_mig$\KB905414\SP2QFE\netman.dll [7] 2004-08-04 . DAB9E6C7105D2EF49876FE92C524F565 . 198144 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB905414$\netman.dll [7] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\rpcss.dll [-] 2005-07-26 . CE94A2BD25E3E9F4D46A7373FF455C6D . 397824 . . [5.1.2600.2726] . . c:\windows\$NtServicePackUninstall$\rpcss.dll [-] 2005-07-26 . CE94A2BD25E3E9F4D46A7373FF455C6D . 397824 . . [5.1.2600.2726] . . c:\windows\system32\rpcss.dll [-] 2005-07-26 . C369DF215D352B6F3A0B8C3469AA34F8 . 398336 . . [5.1.2600.2726] . . c:\windows\$hf_mig$\KB902400\SP2QFE\rpcss.dll [-] 2005-04-28 . DA383FB39A6F1C445F3AFC94B3EB1248 . 396288 . . [5.1.2600.2665] . . c:\windows\$hf_mig$\KB894391\SP2QFE\rpcss.dll [-] 2005-04-28 . C8061F289E000703E7672916B7FE1571 . 395776 . . [5.1.2600.2665] . . c:\windows\$NtUninstallKB902400$\rpcss.dll [-] 2005-01-14 . 419899803CA479B73B02390318C787C0 . 395776 . . [5.1.2600.2595] . . c:\windows\$hf_mig$\KB873333\SP2GDR\rpcss.dll [-] 2005-01-14 . 419899803CA479B73B02390318C787C0 . 395776 . . [5.1.2600.2595] . . c:\windows\$NtUninstallKB894391$\rpcss.dll [-] 2005-01-14 . 94456045BEB4545B5EBE1DCC85951AFA . 395776 . . [5.1.2600.2595] . . c:\windows\$hf_mig$\KB873333\SP2QFE\rpcss.dll [7] 2004-08-04 . 5C83A4408604F737717AB96371201680 . 395776 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB873333$\rpcss.dll [-] 2004-03-06 . 4EA08A8BBDF8DDEE0F173BB999C153C3 . 263680 . . [5.1.2600.1361] . . c:\windows\$NtUninstallKB873333_0$\rpcss.dll [-] 2003-07-05 . CB95493F46B8113362D8925AD6A5A4FA . 202752 . . [5.1.2600.1243] . . c:\windows\$NtUninstallKB824146$\rpcss.dll [-] 2002-08-29 . 493FCBED180DCACF0B5D4C8C29949CA9 . 260608 . . [5.1.2600.1106] . . c:\windows\$NtUninstallKB823980$\rpcss.dll [7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe [-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe [-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2GDR\spoolsv.exe [-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe [-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\system32\spoolsv.exe [7] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB896423$\spoolsv.exe [-] 2002-08-29 . 9B4155BA58192D4073082B8FC5D42612 . 51200 . . [5.1.2600.0] . . c:\windows\$NtUninstallKB896423_0$\spoolsv.exe [7] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tapisrv.dll [-] 2005-07-08 . 1418A3A6E76E5A2E3F5E43866E793A8B . 249344 . . [5.1.2600.2716] . . c:\windows\$hf_mig$\KB893756\SP2QFE\tapisrv.dll [-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . c:\windows\$hf_mig$\KB893756\SP2GDR\tapisrv.dll [-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . c:\windows\$NtServicePackUninstall$\tapisrv.dll [-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . c:\windows\system32\tapisrv.dll [7] 2004-08-04 . EB4A4187D74A8EFDCBEA3EA2CB1BDFBD . 246272 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893756$\tapisrv.dll [-] 2002-08-29 . 9B3A213B6591A79EBABBFB4E4EA0A23E . 233984 . . [5.1.2600.1106] . . c:\windows\$NtUninstallKB893756_0$\tapisrv.dll [7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll [-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll [-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\$NtServicePackUninstall$\user32.dll [-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\system32\user32.dll [-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll [-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2GDR\user32.dll [-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB925902$\user32.dll [7] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll [-] 2002-08-29 . DD9269230C21EE8FB7FD3FCCC3B1CFCB . 560128 . . [5.1.2600.1106] . . c:\windows\$NtUninstallKB890859_0$\user32.dll [7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe [-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe [-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe [-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe [7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe [7] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\shsvcs.dll [-] 2006-12-19 . 6815DEF9B810AEFAC107EEAF72DA6F82 . 134656 . . [6.00.2900.3051] . . c:\windows\$NtServicePackUninstall$\shsvcs.dll [-] 2006-12-19 . 6815DEF9B810AEFAC107EEAF72DA6F82 . 134656 . . [6.00.2900.3051] . . c:\windows\system32\shsvcs.dll [-] 2006-12-19 . 53D9184A21C5CBF600D918E51EF3A7E5 . 135168 . . [6.00.2900.3051] . . c:\windows\$hf_mig$\KB928255\SP2QFE\shsvcs.dll [7] 2004-08-04 . E7518DC542D3EBDCB80EDD98462C7821 . 134656 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB928255$\shsvcs.dll [-] 2002-08-29 . 61684089A54936E40F65DA02D47A28AE . 116224 . . [6.00.2800.1106] . . c:\windows\$NtUninstallKB885835_0$\shsvcs.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-04-23 413775] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208] "Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-18 68856] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIPTA"="c:\ati-cpanel\atiptaxx.exe" [2004-05-25 339968] "NAV_Update"="C:\NAV_Update.exe" [2003-03-13 32768] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "Gearbox"="c:\program files\Gearbox Connection Kit\bin\confsvr.exe" [2001-12-13 143360] "BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706] "Motive SmartBridge"="c:\progra~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" [2003-12-30 380928] "snpstd"="c:\windows\vsnpstd.exe" [2003-12-31 40960] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152] "REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-08-15 271672] "MSI"="c:\program files\MSI\MSI.exe" [2007-01-13 311296] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-06-08 1177368] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-13 198160] "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-06 520024] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360] c:\documents and settings\Ian\Start Menu\Programs\Startup\ Freecom Personal Media Suite.lnk - c:\program files\Freecom Personal Media Suite\FCPMS.exe [2007-5-16 3338296] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-20 113664] Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696] Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2007-1-13 282624] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WMPNetworkSvc"=3 (0x3) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"= "c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"= "c:\\Program Files\\Hello\\Hello.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\Sitecom\\IVT BlueSoleil\\BlueSoleil.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/2/2009 9:29 AM 64160] R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/8/2008 11:26 AM 96520] R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/20/2004 5:47 AM 98304] R2 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [4/8/2006 9:13 PM 8768] R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/8/2008 11:26 AM 282904] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 8:06 PM 1029456] R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/20/2004 4:40 AM 118784] R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [5/16/2007 8:38 PM 12160] S3 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [5/16/2007 8:38 PM 7040] . Contents of the 'Scheduled Tasks' folder 2009-08-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 08:30] 2009-09-10 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 12:15] 2009-09-12 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-24 15:02] . . ------- Supplementary Scan ------- . uStart Page = https://login.yahoo.com/config/login_verify2?&.src=ym uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Settings,ProxyOverride = <local> uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\documents and settings\Ian\Application Data\Mozilla\Firefox\Profiles\zxfrjelz.default\ FF - prefs.js: browser.search.selectedEngine - Yahoo.co.uk FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=us&.src=ym&.done=http%3a%2f%2fus.mc537.mail.yahoo.com%2fmc%2fshowFolder%3ffid%3dInbox%26.rand%3d1930485186 FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true. - - - - ORPHANS REMOVED - - - - WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file) HKCU-Run-Compaq32 Service Drivers - msconfig32.exe HKCU-RunServices-Compaq32 Service Drivers - msconfig32.exe HKLM-Run-Wizard - (no file) HKLM-Run-FirstSteps - (no file) HKLM-Run-Compaq32 Service Drivers - msconfig32.exe HKU-Default-Run-Compaq32 Service Drivers - msconfig32.exe HKU-Default-RunServices-Compaq32 Service Drivers - msconfig32.exe ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-09-12 20:38 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(3120) c:\progra~1\ntl\BROADB~1\SMARTB~1\SBHook.dll c:\windows\system32\msi.dll c:\windows\system32\ieframe.dll c:\windows\system32\msls31.dll c:\windows\IME\SPGRMR.DLL c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\CTSVCCDA.EXE c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\AVG\AVG8\avgrsx.exe c:\windows\system32\wbem\unsecapp.exe c:\windows\system32\wscntfy.exe c:\program files\Gearbox Connection Kit\bin\gbConMon.exe c:\program files\Gearbox Connection Kit\bin\gbTask.exe c:\program files\iPod\bin\iPodService.exe . ************************************************************************ . Completion time: 2009-09-12 20:46 - machine was rebooted ComboFix-quarantined-files.txt 2009-09-12 19:46 Pre-Run: 61,469,667,328 bytes free Post-Run: 61,457,776,640 bytes free 275 --- E O F --- 2009-09-11 19:37 THANK YOU YET AGAIN Ian (Immac)

BHowett View Member Profile	Sep 12 2009, 04:29 PM Post #4
Moderator / Malware Staff Posts: 4,137 From: USA OS: Windows XP professional	Hello again, how are things running now? lets do the following.... TFC Download TFC to your desktop Open the file and close any other windows. It will close all programs itself when run, make sure to let it run uninterrupted. Click the Start button to begin the process. The program should not take long to finish its job Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean =============================================== Kaspersky WebScanner please go to Kaspersky website and perform an online antivirus scan. Read through the requirements and privacy statement and click on Accept button. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run. When the downloads have finished, click on Settings. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs Archives Mail databases Click on My Computer under Scan. Once the scan is complete, it will display the results. Click on View Scan Report. You will see a list of infected items there. Click on Save Report As.... Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Please post this log in your next reply. and let me know how things are running

immac View Member Profile	Sep 13 2009, 12:51 PM Post #5
Member Posts: 11 OS: XP	Hi again BHowett, Thank you once again for your kind attention to this 'case'. I would have said it was a 'sad case' a couple of postings ago, but I am delighted to report that the computer has been working FASTER than it did when it was new. And that is before the last two procedures you suggested. I ran TFC and Kaspersky as you recommended. Kaspersky didn't find a thing, so far as I can tell. Log here: ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7.0: scan report Sunday, September 13, 2009 Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600) Kaspersky Online Scanner version: 7.0.26.13 Last database update: Sunday, September 13, 2009 16:36:34 Records in database: 2801663 -------------------------------------------------------------------------------- Scan settings: scan using the following database: extended Scan archives: yes Scan e-mail databases: yes Scan area - My Computer: A:\ C:\ D:\ E:\ F:\ Scan statistics: Objects scanned: 89710 Threats found: 0 Infected objects found: 0 Suspicious objects found: 0 Scan duration: 02:20:49 No threats found. Scanned area is clean. Selected area has been scanned. ***** So that looks healthy. Only things of note to have come up is there is no longer a "My Recent documents" in the start menu (I made a document just to make sure there could be but it made no difference); Combofix turned all the words on the icons on the desktop white on black instead of the other way around, not that I care but it just seems odd; and Windows Media Player still refuses to work, it jsut goes "Cannot play this file because of an error" or somesuch whenever I use it. This doesn't really matter, but it would be nice to have it working if possible. Once again I offer sincere thanks to you. You giving your time and knowledge like this is postively heroic in this day and age. Many thanks Best wishes Ian (Immac)

BHowett View Member Profile	Sep 13 2009, 03:02 PM Post #6
Moderator / Malware Staff Posts: 4,137 From: USA OS: Windows XP professional	Hi Ian, I am glad to hear thing are running better QUOTE (immac @ Sep 13 2009, 02:51 PM) Only things of note to have come up is there is no longer a "My Recent documents" in the start menu (I made a document just to make sure there could be but it made no difference) Recent documents are cleaned out by TFC, however it should still work as normal. Play around with it by looking at some already saved document, pictures, etc and see if it is working. QUOTE (immac @ Sep 13 2009, 02:51 PM) combofix turned all the words on the icons on the desktop white on black instead of the other way around, not that I care but it just seems odd; I had that happen to me before, not sure what exactly causes it, but re-running combofix and rebooting your system should put it back the right way. QUOTE (immac @ Sep 13 2009, 02:51 PM) Windows Media Player still refuses to work, it jsut goes "Cannot play this file because of an error" or somesuch whenever I use it. This doesn't really matter, but it would be nice to have it working if possible. I'm not to familiar with the inter-workings of Windows Media Player but does it give you a error code like Error=80040200 or something like that? let me know what you find out

immac View Member Profile	Sep 13 2009, 03:43 PM Post #7
Member Posts: 11 OS: XP	I am laughing out loud because it is so much better, I really appreciate it. Re my remaining queries, I opened a couple of Word documents, made changes, then saved them, but My Recent Documents still doesn't come up as an option. Hmm! I will muse on this a bit and see if it's not a function that just needs turning on. Maybe if I rerun Combofix, that could fix this too? Windows Media player doesn't give me a code, just offers Web help. So I clicked on it, and this is what it claimed: [i]You've encountered error message C00D11B1 while using Windows Media Player. The following information might help you troubleshoot the issue. Cannot play the file Windows Media Player cannot play the file. You might encounter this error message for one of the following reasons: Your sound device, such as a sound card or sound controller, requires an updated driver. To determine if an updated driver is available, see Windows Update at the Microsoft Web site, or see the sound device manufacturer's Web site. Your sound device is not functioning properly. Try using Device Manager to check the status of your sound device. To check the status of your sound device Do one of the following: If you are running Windows XP, click Start, right-click My Computer, and then click Manage. If you are running Windows Vista, click Start, right-click Computer, and then click Manage. In the pane on the left, click Device Manager. In the pane on the right, expand Sound, video and game controllers, and then look for the name of your sound device. Do one of the following: If your sound device is listed but the icon includes a red "X," the device has been disabled. To enable the device, right-click the icon, and then click Enable. If your sound device is not listed, in the pane on the right, expand Other devices. If Multimedia Audio Controller appears in the list, right-click the icon, and then click Update Driver or Update Driver Software. Follow the on-screen instructions to find and install the driver software. If you are not able to find and install the correct driver software, see your computer manufacturer's or sound device manufacturer's Web site for further assistance. You do not have a sound device installed on your computer. Install a sound device, and then try to play the file again. For details, see your computer manufacturer's or sound device manufacturer's Web site. You are trying to play a file on the Internet and the server might be temporarily unavailable or there might be a network issue. Try again later. You are trying to play an MP3 file that contains compressed ID3 headers. The ID3 header is a portion of the file that stores the song's album information (for example, the song name, artist name, album name, and genre). This information is sometimes called a "tag." To fix the problem, make a copy of the file and then use a non-Microsoft ID3 tag editing program to remove or reset the file's ID3 headers. After you remove the ID3 headers, Windows Media Player should be able to play the MP3 file. Attempting to remove ID3 headers might damage the file and make it unplayable. Therefore, always make a copy of the file before you edit it. If this solution does not resolve the problem, the file might be corrupted.[/i] Me again: Now, i haven't tried any of these solutions. I should try them first. But WMP hasn't worked for ages - in fact it was the first indication of trouble - like the canary that dies down a mine. It has offered me various not working diagnoses. However I will try their methods of repair and report back. May your screen never darken, Ian (immac)

BHowett View Member Profile	Sep 13 2009, 04:03 PM Post #8
Moderator / Malware Staff Posts: 4,137 From: USA OS: Windows XP professional	also let me know if running combofix again fixes your desktop. thanks

immac View Member Profile	Sep 15 2009, 03:40 PM Post #9
Member Posts: 11 OS: XP	Hello again BHowett, Thank you again for attention well above and beyond the call of duty. I ran Combofix; it took about a third as long this time around, here is the log: ComboFix 09-09-14.02 - Ian 15/09/2009 8:57.3.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.568 [GMT 1:00] Running from: c:\documents and settings\Ian\Desktop\ComboFix.exe AV: AVG Anti-Virus Free On-access scanning disabled (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} * Created a new restore point . ((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 ))))))))))))))))))))))))))))))) . 2009-09-10 11:39 . 2009-09-10 11:39 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache 2009-09-10 11:37 . 2009-09-10 11:37 -------- d-sh--w- c:\documents and settings\Ian\IECompatCache 2009-09-10 11:35 . 2009-09-10 11:35 -------- d-sh--w- c:\documents and settings\Ian\PrivacIE 2009-09-10 11:32 . 2009-09-10 11:32 -------- d-sh--w- c:\documents and settings\Ian\IETldCache 2009-09-10 11:32 . 2009-09-10 11:32 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache 2009-09-10 11:25 . 2009-09-10 11:26 -------- dc-h--w- c:\windows\ie8 2009-09-10 11:23 . 2009-09-12 08:16 -------- d-----w- c:\program files\Microsoft Silverlight 2009-09-10 10:15 . 2009-09-10 10:15 -------- d-----w- c:\documents and settings\Ian\Application Data\Malwarebytes 2009-09-10 10:15 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-09-10 10:15 . 2009-09-10 10:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-09-10 10:15 . 2009-09-10 10:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-09-10 10:15 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-09-10 10:06 . 2009-09-10 10:06 -------- d-----w- c:\program files\ERUNT . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-09-15 07:28 . 2008-02-22 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2009-09-12 22:01 . 2005-07-13 13:18 -------- d-----w- c:\program files\Roots Knotty Roots 2009-08-11 08:05 . 2006-04-26 19:19 -------- d-----w- c:\program files\Java 2009-07-25 04:23 . 2009-04-17 10:22 411368 ----a-w- c:\windows\system32\deploytk.dll . ------- Sigcheck ------- [7] 2008-04-14 00:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\ServicePackFiles\i386\es.dll [-] 2005-07-26 04:39 . 34BBD9ACC1538818F2C878898C64E793 . 243200 . . [2001.12.4414.308] . . c:\windows\$NtServicePackUninstall$\es.dll [-] 2005-07-26 04:39 . 34BBD9ACC1538818F2C878898C64E793 . 243200 . . [2001.12.4414.308] . . c:\windows\system32\es.dll [-] 2005-07-26 04:20 . 95F5FEA4C6DE2C3F28784D0DCC8F0DD3 . 243200 . . [2001.12.4414.308] . . c:\windows\$hf_mig$\KB902400\SP2QFE\es.dll [7] 2004-08-04 07:56 . ACD36A2DD7D1E9D8A060AA651DC07E63 . 243200 . . [2001.12.4414.258] . . c:\windows\$NtUninstallKB902400$\es.dll [-] 2005-09-01 . 648BF0B4DDE4F7A1156DAE7174D36EFA . 19968 . . [5.1.2600.2751] . . c:\windows\$hf_mig$\KB900725\SP2QFE\linkinfo.dll [-] 2005-09-01 . A1A688EE56CF3BBD24EDEB815D48E9BA . 19968 . . [5.1.2600.2751] . . c:\windows\$NtServicePackUninstall$\linkinfo.dll [-] 2005-09-01 . A1A688EE56CF3BBD24EDEB815D48E9BA . 19968 . . [5.1.2600.2751] . . c:\windows\system32\linkinfo.dll [7] 2004-08-04 . C2BBD044C741EA4292016C36F718D2E4 . 18944 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB900725$\linkinfo.dll [7] 2004-08-04 . C2BBD044C741EA4292016C36F718D2E4 . 18944 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\linkinfo.dll [7] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\netman.dll [-] 2005-08-22 . 36739B39267914BA69AD0610A0299732 . 197632 . . [5.1.2600.2743] . . c:\windows\$NtServicePackUninstall$\netman.dll [-] 2005-08-22 . 36739B39267914BA69AD0610A0299732 . 197632 . . [5.1.2600.2743] . . c:\windows\system32\netman.dll [-] 2005-08-22 . 3516D8A18B36784B1005B950B84232E1 . 197632 . . [5.1.2600.2743] . . c:\windows\$hf_mig$\KB905414\SP2QFE\netman.dll [7] 2004-08-04 . DAB9E6C7105D2EF49876FE92C524F565 . 198144 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB905414$\netman.dll [7] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\rpcss.dll [-] 2005-07-26 . CE94A2BD25E3E9F4D46A7373FF455C6D . 397824 . . [5.1.2600.2726] . . c:\windows\$NtServicePackUninstall$\rpcss.dll [-] 2005-07-26 . CE94A2BD25E3E9F4D46A7373FF455C6D . 397824 . . [5.1.2600.2726] . . c:\windows\system32\rpcss.dll [-] 2005-07-26 . C369DF215D352B6F3A0B8C3469AA34F8 . 398336 . . [5.1.2600.2726] . . c:\windows\$hf_mig$\KB902400\SP2QFE\rpcss.dll [-] 2005-04-28 . DA383FB39A6F1C445F3AFC94B3EB1248 . 396288 . . [5.1.2600.2665] . . c:\windows\$hf_mig$\KB894391\SP2QFE\rpcss.dll [-] 2005-04-28 . C8061F289E000703E7672916B7FE1571 . 395776 . . [5.1.2600.2665] . . c:\windows\$NtUninstallKB902400$\rpcss.dll [-] 2005-01-14 . 419899803CA479B73B02390318C787C0 . 395776 . . [5.1.2600.2595] . . c:\windows\$hf_mig$\KB873333\SP2GDR\rpcss.dll [-] 2005-01-14 . 419899803CA479B73B02390318C787C0 . 395776 . . [5.1.2600.2595] . . c:\windows\$NtUninstallKB894391$\rpcss.dll [-] 2005-01-14 . 94456045BEB4545B5EBE1DCC85951AFA . 395776 . . [5.1.2600.2595] . . c:\windows\$hf_mig$\KB873333\SP2QFE\rpcss.dll [7] 2004-08-04 . 5C83A4408604F737717AB96371201680 . 395776 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB873333$\rpcss.dll [-] 2004-03-06 . 4EA08A8BBDF8DDEE0F173BB999C153C3 . 263680 . . [5.1.2600.1361] . . c:\windows\$NtUninstallKB873333_0$\rpcss.dll [-] 2003-07-05 . CB95493F46B8113362D8925AD6A5A4FA . 202752 . . [5.1.2600.1243] . . c:\windows\$NtUninstallKB824146$\rpcss.dll [-] 2002-08-29 . 493FCBED180DCACF0B5D4C8C29949CA9 . 260608 . . [5.1.2600.1106] . . c:\windows\$NtUninstallKB823980$\rpcss.dll [7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe [-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe [-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2GDR\spoolsv.exe [-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe [-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\system32\spoolsv.exe [7] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB896423$\spoolsv.exe [-] 2002-08-29 . 9B4155BA58192D4073082B8FC5D42612 . 51200 . . [5.1.2600.0] . . c:\windows\$NtUninstallKB896423_0$\spoolsv.exe [7] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tapisrv.dll [-] 2005-07-08 . 1418A3A6E76E5A2E3F5E43866E793A8B . 249344 . . [5.1.2600.2716] . . c:\windows\$hf_mig$\KB893756\SP2QFE\tapisrv.dll [-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . c:\windows\$hf_mig$\KB893756\SP2GDR\tapisrv.dll [-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . c:\windows\$NtServicePackUninstall$\tapisrv.dll [-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . c:\windows\system32\tapisrv.dll [7] 2004-08-04 . EB4A4187D74A8EFDCBEA3EA2CB1BDFBD . 246272 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893756$\tapisrv.dll [-] 2002-08-29 . 9B3A213B6591A79EBABBFB4E4EA0A23E . 233984 . . [5.1.2600.1106] . . c:\windows\$NtUninstallKB893756_0$\tapisrv.dll [7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll [-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll [-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\$NtServicePackUninstall$\user32.dll [-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\system32\user32.dll [-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll [-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2GDR\user32.dll [-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB925902$\user32.dll [7] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll [-] 2002-08-29 . DD9269230C21EE8FB7FD3FCCC3B1CFCB . 560128 . . [5.1.2600.1106] . . c:\windows\$NtUninstallKB890859_0$\user32.dll [7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe [-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe [-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe [-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe [7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe [7] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\shsvcs.dll [-] 2006-12-19 . 6815DEF9B810AEFAC107EEAF72DA6F82 . 134656 . . [6.00.2900.3051] . . c:\windows\$NtServicePackUninstall$\shsvcs.dll [-] 2006-12-19 . 6815DEF9B810AEFAC107EEAF72DA6F82 . 134656 . . [6.00.2900.3051] . . c:\windows\system32\shsvcs.dll [-] 2006-12-19 . 53D9184A21C5CBF600D918E51EF3A7E5 . 135168 . . [6.00.2900.3051] . . c:\windows\$hf_mig$\KB928255\SP2QFE\shsvcs.dll [7] 2004-08-04 . E7518DC542D3EBDCB80EDD98462C7821 . 134656 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB928255$\shsvcs.dll [-] 2002-08-29 . 61684089A54936E40F65DA02D47A28AE . 116224 . . [6.00.2800.1106] . . c:\windows\$NtUninstallKB885835_0$\shsvcs.dll . ((((((((((((((((((((((((((((( SnapShot@2009-09-12_19.39.46 ))))))))))))))))))))))))))))))))))))))))) . + 2008-04-03 08:39 . 2009-09-13 18:59 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe + 2009-07-18 03:12 . 2009-07-18 03:12 257440 c:\windows\system32\Macromed\Flash\FlashUtil10c.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-04-23 413775] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208] "Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-18 68856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIPTA"="c:\ati-cpanel\atiptaxx.exe" [2004-05-25 339968] "NAV_Update"="C:\NAV_Update.exe" [2003-03-13 32768] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "Gearbox"="c:\program files\Gearbox Connection Kit\bin\confsvr.exe" [2001-12-13 143360] "BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706] "Motive SmartBridge"="c:\progra~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" [2003-12-30 380928] "snpstd"="c:\windows\vsnpstd.exe" [2003-12-31 40960] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152] "REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-08-15 271672] "MSI"="c:\program files\MSI\MSI.exe" [2007-01-13 311296] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-06-08 1177368] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-13 198160] "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-06 520024] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360] c:\documents and settings\Ian\Start Menu\Programs\Startup\ Freecom Personal Media Suite.lnk - c:\program files\Freecom Personal Media Suite\FCPMS.exe [2007-5-16 3338296] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-20 113664] Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696] Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2007-1-13 282624] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WMPNetworkSvc"=3 (0x3) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"= "c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"= "c:\\Program Files\\Hello\\Hello.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\Sitecom\\IVT BlueSoleil\\BlueSoleil.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/2/2009 9:29 AM 64160] R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/8/2008 11:26 AM 96520] R2 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [4/8/2006 9:13 PM 8768] R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/8/2008 11:26 AM 282904] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 8:06 PM 1029456] R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [5/16/2007 8:38 PM 12160] S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/20/2004 5:47 AM 98304] S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/20/2004 4:40 AM 118784] S3 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [5/16/2007 8:38 PM 7040] . Contents of the 'Scheduled Tasks' folder 2009-08-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 08:30] 2009-09-10 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 12:15] 2009-09-15 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-24 15:02] . . ------- Supplementary Scan ------- . uStart Page = https://login.yahoo.com/config/login_verify2?&.src=ym uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Settings,ProxyOverride = <local> uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\documents and settings\Ian\Application Data\Mozilla\Firefox\Profiles\zxfrjelz.default\ FF - prefs.js: browser.search.selectedEngine - Yahoo.co.uk FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=us&.src=ym&.done=http%3a%2f%2fus.mc537.mail.yahoo.com%2fmc%2fshowFolder%3ffid%3dInbox%26.rand%3d1930485186 FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true. - - - - ORPHANS REMOVED - - - - AddRemove-BroadJump Client Foundation - c:\windows\IsUninst.exe -fc:\program files\BroadJump\Client Foundation\Uninst.isu -cc:\program files\BroadJump\Client Foundation\RmvBJCFD.dll AddRemove-Windows CE Services - c:\windows\ISUNINST.EXE -fc:\program files\Microsoft ActiveSync\DeIsL1.isu ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-09-15 09:04 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}] @Denied: (A 2) (Everyone) @="IFlashBroker3" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(732) c:\windows\system32\avgrsstx.dll - - - - - - - > 'explorer.exe'(3748) c:\progra~1\ntl\BROADB~1\SMARTB~1\SBHook.dll c:\windows\system32\ieframe.dll c:\windows\system32\msls31.dll c:\windows\system32\msi.dll c:\windows\IME\SPGRMR.DLL c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: 2009-09-15 9:07 ComboFix-quarantined-files.txt 2009-09-15 08:07 ComboFix2.txt 2009-09-12 19:46 Pre-Run: 61,357,826,048 bytes free Post-Run: 61,451,493,376 bytes free 239 --- E O F --- 2009-09-11 19:37 *Me again: the desktop icon's titles are still black. I don't much care, it's just curious. Also still don't have "My recent documents" in the start menu, which is a little bit more of a nuisance but not intolerable by any means. I opened a few documents but the option does not exist, apparently! The computer is still running beautifully so far as I can tell. Windows media player isn't. I can't find a new driver for my soundcard as Microsoft suggest, in fact they are probably all older than my computer itself. I had another look at the error message at the top of it, it says error C00D11B1. But there is, under 'technical details', an error number that claims to be "original error message". It is 80040154 and next to it, probably totally unhelpfully, it says "class not registered". Does this mean anything? Probably not! Thank you yet again for all your help. I hope you are having a great day, sincerely, Ian

BHowett View Member Profile	Sep 15 2009, 04:12 PM Post #10
Moderator / Malware Staff Posts: 4,137 From: USA OS: Windows XP professional	Hi immac, Please see the following links, to see if that help with your windows media player issues: C00D11B1 80040154 QUOTE the desktop icon's titles are still black. I don't much care, it's just curious. Also still don't have "My recent documents" in the start menu, which is a little bit more of a nuisance but not intolerable by any means. I opened a few documents but the option does not exist, apparently! Are you sure "My recent documents" was working before we ran combofix? The subsequent of combofix should of fixed the icon titles, I will have to run this by my peers, and see what we can come up with. Let me know if those links are of any help

immac View Member Profile	Sep 16 2009, 02:02 AM Post #11
Member Posts: 11 OS: XP	Hello again BHowett, I hope all is well. Re WMP: I tried those links - one offers the same solutions as the one my computer managed to find - about the soundcard maybe needing an updated driver. The other one looked more promising, saying I may need an update of DirectX (whatever that is) but the link is broken and it just takes you to Microsoft's own games page (at first I thought it was a malware redirect!!). So no progress on that front thus far. Maybe I should try downlading a new version of WMP. Regarding the other issue, that of My Recent Documents, it was one of the few things that was working before! However, I can live without it so it really is not that much of a problem. Thank you as ever, sincerely Ian

BHowett View Member Profile	Sep 16 2009, 07:31 AM Post #12
Moderator / Malware Staff Posts: 4,137 From: USA OS: Windows XP professional	Hi immac, For the icon title problem do the following: Open System Properties in Control Panel Click on the Advanced tab Click Settings in the Performance section Check the Use drop shadows for icon labels on the desktop option Click Ok Then for the My recent documents problem try the following: Go to Start > Control Panel > then open Task Bar + Start Menu Click on Start Menu tab Click on customize Click on advanced Then make sure list my recently opened documents is checked Let me know how that turns out�. I�m still working on the media player problem, but uninstall and reinstall is an option if we can�t figure it out.

immac View Member Profile	Sep 16 2009, 03:03 PM Post #13
Member Posts: 11 OS: XP	Hi again, Wow are you quick! Thank you. The My Recent Documents is now fixed as you said it could be, which I am really glad about. The icons being black with white type didn't work but I am considering that particular difficulty closed. It really doesn't matter. Re Windows Media Player (or rather, Windows Media Won't Player), I have remembered something. When it first happened, I looked on the web and saw something that suggested it was an issue with Quartz.dll. I have no idea if that is correct, what Quartz.dll does or if I have it or not. But that was supposedly an issue, I just don't know why. I hope you are having a good day Best wishes and sincere thanks Ian

BHowett View Member Profile	Sep 17 2009, 09:06 AM Post #14
Moderator / Malware Staff Posts: 4,137 From: USA OS: Windows XP professional	Hi immac, quartz.dll is a library with functions for DirectShow, a part of DirectX. Lets try unregistering then reregistering it: Click START then RUN Now type regsvr32 /u quartz.dll in the runbox and click OK. Note the space between the 2 and the /u, it needs to be there. Click START then RUN Now type regsvr32 quartz.dll in the runbox and click OK. after that you should get the following pop up, just click OK if this don't work I might have to send you over to the techs since you are clean of malware. let me know if that works for you... and on another note, I know you don't think the Icon titles are a problem anymore, but I really don't like to leave someones system different then when I started so lets try a couple more things to fix it before I send you over to the techs have you rebooted your system since you noticed the icons? if not try it now and see if that changes anything. then try the following: 1. Click Start, and then click Control Panel. 2. Double-click Display, click the Desktop tab, and then click Customize Desktop. 3. Select Restore Defaults 1. Click Start, and then click Control Panel. 2. Double-click Display, click the Desktop tab, and then click Customize Desktop. then click the web tab, then under the web pages to display on your desktop if it has "security" you uncheck this and delete let me know if any of that helps

immac View Member Profile	Sep 19 2009, 04:41 AM Post #15
Member Posts: 11 OS: XP	Dear BHowett I hope all is well. Apologies for taking a little time to get back to you, it's been an exceptionally busy week. Three cheers for making me Malware free!!! And a huge round of applause for having Windows Media Player working again! The first time for well over a year I guess. Now, the strange things is, I used your instructions for fixing quartz.dll and it wouldn't unregister. It just gave me an error message. Which made me thing... hmm, maybe it is already unregistered, so I just used your second quartz.dll instruction, and voila! It worked like magic. And WMP is fully functional. I had seriously given up. Why can't Microsoft telll me how to do this stuff when it isn't working instead of giving those dumb error codes that lead nowhere? I guess that is the $64,000 question... anyway, I am very grateful that somebody can tell me what to do... YOU. Re the desktop fun(!), I wan't able to find the security check box you mentioned and restore defaults didn't seem to make a difference. But really, honestly, truly, I am happy with it the way it is so please consider this particular case closed. One last dumb question: my printer is showing as "offline" in the control panel? How do I make it online and work again? Many thanks as ever Ian

« Next Oldest · Virus, Spyware and Trojan Removal · Next Newest »

2 Pages

1 2 >

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies / Views	Topic Information
Virus, Spyware and Trojan Removal Unsure if I have a malware infection [Solved] 123	32 / 755	24th March 2009 - 06:29 PM Caffeine_Powered started - last by SpySentinel
Virus, Spyware and Trojan Removal Recovering from virus and malware infection [Solved] 12	15 / 472	23rd April 2009 - 08:54 PM NuttySquirrel started - last by andrewuk
Virus, Spyware and Trojan Removal Koobface/other malware infection [Solved] 12	20 / 504	12th August 2009 - 07:16 AM Onearmy started - last by Rorschach112
Virus, Spyware and Trojan Removal Cant Run .exe files on Vista (Malware Infection) [Solved] 12	18 / 700	11th October 2009 - 03:17 PM jhedrixz started - last by Transience