"not a valid Win32 application" [Solved]



#31 GordonW (Member, Topic Starter)
Hey, nice epiphany.

ComboFix 09-02-04.01 - Gordon Wilder 2009-02-04 23:18:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.511.279 [GMT -8:00]
Running from: c:\documents and settings\Gordon Wilder\desktop\combofix.exe
Command switches used :: /killall
AV: AVG *On-access scanning disabled* (Outdated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\regedit.com
c:\windows\system32\open.ico

.
((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-02-04 20:43 . 2007-06-28 23:43 123,602 --a------ c:\windows\system32\nvapps.nvb
2009-02-04 20:34 . 2001-08-23 04:00 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-02-04 20:33 . 2001-08-23 04:00 10,096,640 --a--c--- c:\windows\system32\dllcache\hwxcht.dll
2009-02-04 20:32 . 2001-05-22 21:15 872,557 --a--c--- c:\windows\system32\dllcache\fp4awel.dll
2009-02-04 20:27 . 2001-08-23 04:00 3,346,432 --a--c--- c:\windows\system32\dllcache\msgr3en.dll
2009-02-04 20:27 . 2001-08-23 04:00 794,686 --a--c--- c:\windows\system32\dllcache\srchui.dll
2009-02-04 20:27 . 2001-08-23 04:00 405,504 --a--c--- c:\windows\system32\dllcache\swflash.ocx
2009-02-04 20:27 . 2001-08-23 04:00 106,562 --a--c--- c:\windows\system32\dllcache\srchctls.dll
2009-02-04 20:27 . 2009-02-04 20:27 749 -rah----- c:\windows\WindowsShell.Manifest
2009-02-04 20:27 . 2009-02-04 20:27 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2009-02-04 20:27 . 2009-02-04 20:27 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2009-02-04 20:27 . 2009-02-04 20:27 749 -rah----- c:\windows\system32\nwc.cpl.manifest
2009-02-04 20:27 . 2009-02-04 20:27 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2009-02-04 20:27 . 2009-02-04 20:27 488 -rah----- c:\windows\system32\logonui.exe.manifest
2009-02-04 20:25 . 2001-08-23 04:00 1,266,688 --a--c--- c:\windows\system32\dllcache\cimwin32.dll
2009-02-04 20:23 . 2001-08-17 13:59 50,048 --a------ c:\windows\system32\drivers\DMusic.sys
2009-02-04 20:23 . 2001-08-17 14:00 5,632 --a------ c:\windows\system32\drivers\splitter.sys
2009-02-04 20:22 . 2001-08-17 13:51 55,808 --a------ c:\windows\system32\drivers\redbook.sys
2009-02-04 20:20 . 2001-08-17 13:50 181,632 --a------ c:\windows\system32\drivers\rdpdr.sys
2009-02-04 20:20 . 2001-08-17 22:38 37,896 --a------ c:\windows\system32\drivers\termdd.sys
2009-02-04 16:53 . 2009-02-04 16:53 <DIR> d-------- c:\documents and settings\Gordon Wilder\Application Data\AVGTOOLBAR
2009-02-03 21:31 . 2009-02-03 21:31 26,624 --a------ c:\windows\system32\drivers\fsbts.sys
2009-01-28 17:37 . 2009-01-28 17:37 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-05 00:50 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-04 00:16 --------- d-----w c:\program files\PokerStars
2009-02-03 03:39 --------- d-----w c:\program files\Full Tilt Poker
2009-01-30 00:21 --------- d-----w c:\program files\SpywareBlaster
2009-01-20 05:00 --------- d-----w c:\program files\SpywareGuard
2008-12-22 19:27 --------- d-----w c:\program files\Google
2008-12-16 02:21 --------- d-----w c:\program files\Java
2008-12-10 03:10 --------- d-----w c:\documents and settings\All Users\Application Data\IM
2008-12-10 03:09 --------- d-----w c:\documents and settings\All Users\Application Data\IncrediMail
2007-04-11 05:26 32 -c--a-r c:\documents and settings\All Users\hash.dat
.

------- Sigcheck -------

2008-04-13 10:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2001-08-23 13312]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinIt"="c:\program files\ImageIt\ItRun.EXE" [2003-06-25 434176]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-15 136600]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2007-03-07 1773568]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AudioDeck.lnk - c:\program files\VIA\VIA Sound Player\mixer\AudioDeck_bmp.exe [2005-11-19 466944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-02-03 26624]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-06-11 282904]
R2 FSHOOK;FSHOOK;c:\windows\system32\drivers\FSHOOK.SYS [2005-11-19 7040]
R3 EUCR;ENE USB Mass Storage;c:\windows\system32\drivers\EUCR6SK.sys [2007-06-22 42240]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys --> c:\windows\System32\Drivers\avgldx86.sys [?]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S2 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys --> c:\windows\System32\Drivers\avgtdix.sys [?]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\documents and settings\Gordon Wilder\Local Settings\Temp\{63F0F3BD-5B45-44E3-AF18-0003C5DD213D}\fsgk.sys --> c:\documents and settings\Gordon Wilder\Local Settings\Temp\{63F0F3BD-5B45-44E3-AF18-0003C5DD213D}\fsgk.sys [?]
S3 iteio;iteio;c:\windows\system32\drivers\Iteio.sys [2005-11-19 3680]
S3 Vsp;Vsp;c:\windows\system32\drivers\VSP.sys [2005-11-19 3351]
.
Contents of the 'Scheduled Tasks' folder

2007-03-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 14:42]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
HKCU-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
SharedTaskScheduler-{A2D9D3F0-8C2A-2A1D-A376-1BECFB10AB72} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
FF - ProfilePath - c:\documents and settings\Gordon Wilder\Application Data\Mozilla\Firefox\Profiles\tc11s4m1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 23:25:32
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\.application\bootstrap]
@DACL=(02 0000)
@="bootstrap.application.1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\windows\system32\ODBC32.dll
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

- - - - - - - > 'lsass.exe'(692)
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\WgaTray.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2009-02-04 23:29:19 - machine was rebooted [Gordon Wilder]
ComboFix-quarantined-files.txt 2009-02-05 07:28:09

Pre-Run: 94,006,427,648 bytes free
Post-Run: 95,396,761,600 bytes free

163 --- E O F --- 2009-01-14 06:12:48
#32 emeraldnzl (GeekU Instructor, GeekU Moderator)
Hello GordonW,

Hooray, some progress. :)

I think at this point you will not have an active anti-virus program on your computer. We will address that after you have carried out the actions in this post. In the meantime please restrict your internet activity to communicating with us.

Moving on then.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
c:\windows\System32\Drivers\avgldx86.sys

FCopy::
C:\Windows\ServicePackFiles\i386\ip6fw.sys | c:\windows\system32\drivers\ip6fw.sys

Folder::
c:\progra~1\AVG

REGLOCK::
[HKEY_LOCAL_MACHINE\software\Classes\.application\bootstrap]

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

Driver::
AVG8
AvgLdx86
AvgTdiX


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next

If you still have Malwarebytes on your machine, please update it and run it. Post the scan report back here.

If you do not have Malwarebytes please download from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

So when you return please post
  • ComboFix.txt
  • MBAM report.

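The CFScript above is built from a handful of things the helper spotted by eye in the ComboFix log: services whose binary is gone (the `--> path [?]` form, here the orphaned AVG drivers), a driver registered from a Temp directory, and a non-empty AppInit_DLLs value. The following script is an added example, not from this thread or from ComboFix, that pulls those same checks out of the log text automatically; the sample input is constructed from lines in the log posted above.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of the thread or of ComboFix. Given the log text it
extracts: services whose binary ComboFix could not find on disk (printed as
'path --> path [?]'), services registered from a Temp directory, and a
non-empty AppInit_DLLs value. A DLL listed in AppInit_DLLs is loaded into
every process that links user32.dll, so it is a persistence point worth
reviewing even when, as here, it belongs to a half-removed AV product.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# "R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-06-11 282904]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# "path --> path [?]": ComboFix could not stat the file
MISSING_RE = re.compile(r"^(?P<path>.+?)\s+-->\s+.+\s+\[\?\]$")
# "path [YYYY-MM-DD size]": file present, with its timestamp and size
PRESENT_RE = re.compile(r"^(?P<path>.+?)\s+\[\d{4}-\d{2}-\d{2}\s+\d+\]$")
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<value>.*)$')


@dataclass
class Service:
    start: str          # R = running, S = stopped; the digit is the start group
    name: str
    display: str
    path: str
    file_present: bool


def parse_services(log: str) -> list[Service]:
    """Return every service/driver line ComboFix listed, in log order."""
    services: list[Service] = []
    for raw in log.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        rest = m["rest"]
        if (miss := MISSING_RE.match(rest)):
            services.append(Service(m["start"], m["name"], m["display"], miss["path"], False))
        elif (pres := PRESENT_RE.match(rest)):
            services.append(Service(m["start"], m["name"], m["display"], pres["path"], True))
    return services


def appinit_dlls(log: str) -> list[str]:
    """DLL names in AppInit_DLLs, or [] when the value is empty or absent."""
    for raw in log.splitlines():
        m = APPINIT_RE.match(raw.strip())
        if m:
            value = m["value"].strip().strip('"')
            return [d for d in re.split(r"[,\s]+", value) if d]
    return []


def triage(log: str) -> dict[str, list[str]]:
    """Findings a helper would look at first, keyed by category."""
    services = parse_services(log)
    return {
        "missing_file": [s.name for s in services if not s.file_present],
        "loaded_from_temp": [s.name for s in services if "\\temp\\" in s.path.lower()],
        "appinit_dlls": appinit_dlls(log),
    }


# Constructed sample input: lines copied from the ComboFix log posted above,
# trimmed to the parts the parser looks at.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-02-03 26624]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-06-11 282904]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys --> c:\windows\System32\Drivers\avgldx86.sys [?]
S2 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys --> c:\windows\System32\Drivers\avgtdix.sys [?]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\documents and settings\Gordon Wilder\Local Settings\Temp\{63F0F3BD-5B45-44E3-AF18-0003C5DD213D}\fsgk.sys --> c:\documents and settings\Gordon Wilder\Local Settings\Temp\{63F0F3BD-5B45-44E3-AF18-0003C5DD213D}\fsgk.sys [?]
"""

if __name__ == "__main__":
    for category, names in triage(SAMPLE_LOG).items():
        print(f"{category}: {names}")
```

The Temp-directory hit is the F-Secure online-scanner leftover, which is harmless here; the point of the check is that a driver loading from a user-writable temp path always deserves a look.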

#33 GordonW (Member, Topic Starter)
Ok, I couldn't find another computer to do the Dr Web CureIt thing but here's the new ComboFix log and I'll be right back with the MBAM log.

ComboFix 09-02-05.01 - Gordon Wilder 2009-02-05 15:13:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.511.246 [GMT -8:00]
Running from: c:\documents and settings\Gordon Wilder\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gordon Wilder\Desktop\CFScript.txt
AV: AVG *On-access scanning disabled* (Outdated)
* Created a new restore point

FILE ::
c:\windows\System32\Drivers\avgldx86.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\progra~1\AVG
c:\progra~1\AVG\AVG8\avgcfgx.dll
c:\progra~1\AVG\AVG8\avgcmgr.exe
c:\progra~1\AVG\AVG8\avgcorex.dll
c:\progra~1\AVG\AVG8\avgcrlpx.dll
c:\progra~1\AVG\AVG8\avgdumpx.exe
c:\progra~1\AVG\AVG8\avginet.dll
c:\progra~1\AVG\AVG8\avglngx.dll
c:\progra~1\AVG\AVG8\avglogx.dll
c:\progra~1\AVG\AVG8\avgscanx.exe
c:\progra~1\AVG\AVG8\avgse.dll
c:\progra~1\AVG\AVG8\avgsrmax.exe
c:\progra~1\AVG\AVG8\avgupd.exe
c:\progra~1\AVG\AVG8\avgwd.dll
c:\progra~1\AVG\AVG8\avgwdsvc.exe
c:\progra~1\AVG\AVG8\avgwdwsc.dll
c:\progra~1\AVG\AVG8\avgxpl.dll
c:\progra~1\AVG\AVG8\dbghelp.dll
c:\progra~1\AVG\AVG8\Firefox\chrome.manifest
c:\progra~1\AVG\AVG8\libsasl.dll
c:\progra~1\AVG\AVG8\saslcrammd5.dll
c:\progra~1\AVG\AVG8\sasldigestmd5.dll
c:\progra~1\AVG\AVG8\sasllogin.dll
c:\progra~1\AVG\AVG8\saslplain.dll
c:\progra~1\AVG\AVG8\setup.cfg
c:\progra~1\AVG\AVG8\ToolbarFF\chrome.manifest
c:\progra~1\AVG\AVG8\updatecomps.cfg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVGLDX86
-------\Legacy_AVGTDIX
-------\Service_AvgLdx86
-------\Service_AvgTdiX


((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-02-04 20:43 . 2007-06-28 23:43 123,602 --a------ c:\windows\system32\nvapps.nvb
2009-02-04 20:34 . 2001-08-23 04:00 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-02-04 20:33 . 2001-08-23 04:00 10,096,640 --a--c--- c:\windows\system32\dllcache\hwxcht.dll
2009-02-04 20:32 . 2001-05-22 21:15 872,557 --a--c--- c:\windows\system32\dllcache\fp4awel.dll
2009-02-04 20:27 . 2001-08-23 04:00 3,346,432 --a--c--- c:\windows\system32\dllcache\msgr3en.dll
2009-02-04 20:27 . 2001-08-23 04:00 794,686 --a--c--- c:\windows\system32\dllcache\srchui.dll
2009-02-04 20:27 . 2001-08-23 04:00 405,504 --a--c--- c:\windows\system32\dllcache\swflash.ocx
2009-02-04 20:27 . 2001-08-23 04:00 106,562 --a--c--- c:\windows\system32\dllcache\srchctls.dll
2009-02-04 20:27 . 2009-02-04 20:27 749 -rah----- c:\windows\WindowsShell.Manifest
2009-02-04 20:27 . 2009-02-04 20:27 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2009-02-04 20:27 . 2009-02-04 20:27 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2009-02-04 20:27 . 2009-02-04 20:27 749 -rah----- c:\windows\system32\nwc.cpl.manifest
2009-02-04 20:27 . 2009-02-04 20:27 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2009-02-04 20:27 . 2009-02-04 20:27 488 -rah----- c:\windows\system32\logonui.exe.manifest
2009-02-04 20:25 . 2001-08-23 04:00 1,266,688 --a--c--- c:\windows\system32\dllcache\cimwin32.dll
2009-02-04 20:23 . 2001-08-17 13:59 50,048 --a------ c:\windows\system32\drivers\DMusic.sys
2009-02-04 20:23 . 2001-08-17 14:00 5,632 --a------ c:\windows\system32\drivers\splitter.sys
2009-02-04 20:22 . 2001-08-17 13:51 55,808 --a------ c:\windows\system32\drivers\redbook.sys
2009-02-04 20:20 . 2001-08-17 13:50 181,632 --a------ c:\windows\system32\drivers\rdpdr.sys
2009-02-04 20:20 . 2001-08-17 22:38 37,896 --a------ c:\windows\system32\drivers\termdd.sys
2009-02-04 16:53 . 2009-02-04 16:53 <DIR> d-------- c:\documents and settings\Gordon Wilder\Application Data\AVGTOOLBAR
2009-02-03 21:31 . 2009-02-03 21:31 26,624 --a------ c:\windows\system32\drivers\fsbts.sys
2009-01-28 17:37 . 2009-01-28 17:37 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-05 00:50 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-04 00:16 --------- d-----w c:\program files\PokerStars
2009-02-03 03:39 --------- d-----w c:\program files\Full Tilt Poker
2009-01-30 00:21 --------- d-----w c:\program files\SpywareBlaster
2009-01-20 05:00 --------- d-----w c:\program files\SpywareGuard
2008-12-22 19:27 --------- d-----w c:\program files\Google
2008-12-16 02:21 --------- d-----w c:\program files\Java
2008-12-10 03:10 --------- d-----w c:\documents and settings\All Users\Application Data\IM
2008-12-10 03:09 --------- d-----w c:\documents and settings\All Users\Application Data\IncrediMail
2007-04-11 05:26 32 -c--a-r c:\documents and settings\All Users\hash.dat
.

------- Sigcheck -------

2008-04-13 10:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((( [email protected]_23.27.22.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 04:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-02-05 07:16:54 262,144 ----a-w c:\windows\system32\config\systemprofile\ntuser.dat
+ 2009-02-05 23:12:04 262,144 ----a-w c:\windows\system32\config\systemprofile\ntuser.dat
+ 2009-02-05 23:17:54 16,384 ----atw c:\windows\temp\Perflib_Perfdata_78c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2001-08-23 13312]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinIt"="c:\program files\ImageIt\ItRun.EXE" [2003-06-25 434176]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-15 136600]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2007-03-07 1773568]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AudioDeck.lnk - c:\program files\VIA\VIA Sound Player\mixer\AudioDeck_bmp.exe [2005-11-19 466944]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-02-03 26624]
R2 FSHOOK;FSHOOK;c:\windows\system32\drivers\FSHOOK.SYS [2005-11-19 7040]
R3 EUCR;ENE USB Mass Storage;c:\windows\system32\drivers\EUCR6SK.sys [2007-06-22 42240]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\documents and settings\Gordon Wilder\Local Settings\Temp\{63F0F3BD-5B45-44E3-AF18-0003C5DD213D}\fsgk.sys --> c:\documents and settings\Gordon Wilder\Local Settings\Temp\{63F0F3BD-5B45-44E3-AF18-0003C5DD213D}\fsgk.sys [?]
S3 iteio;iteio;c:\windows\system32\drivers\Iteio.sys [2005-11-19 3680]
S3 Vsp;Vsp;c:\windows\system32\drivers\VSP.sys [2005-11-19 3351]
.
Contents of the 'Scheduled Tasks' folder

2007-03-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 14:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
FF - ProfilePath - c:\documents and settings\Gordon Wilder\Application Data\Mozilla\Firefox\Profiles\tc11s4m1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 15:18:02
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\ODBC32.dll
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

- - - - - - - > 'lsass.exe'(688)
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WgaTray.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2009-02-05 15:21:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-05 23:20:47
ComboFix2.txt 2009-02-05 07:29:21

Pre-Run: 95,327,506,432 bytes free
Post-Run: 95,261,974,528 bytes free

WinXP_EN_PRO_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin

195 --- E O F --- 2009-01-14 06:12:48

#34 emeraldnzl (GeekU Instructor, GeekU Moderator)
Hello GordonW,

Don't worry about the Dr Web one.

I would like the Malwarebytes one though if you can run it?

#35 GordonW (Member, Topic Starter)
Good news, no malware.
Also, I wonder if Windows is causing a problem because I'm not able to update it. The CD I used to reinstall wasn't the original; it was a copy.

Malwarebytes' Anti-Malware 1.33
Database version: 1732
Windows 5.1.2600

2/5/2009 3:44:11 PM
mbam-log-2009-02-05 (15-44-11).txt

Scan type: Quick Scan
Objects scanned: 51928
Time elapsed: 3 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#36 emeraldnzl (GeekU Instructor, GeekU Moderator)

Also, I wonder if Windows is causing a problem because I'm not able to update it.


To reset Windows Update

1. Download WUFix.zip and unzip to your desktop.
2. Double-Click WUFix.bat to run fix.
3. You will see a window open and commands processing. When the window closes the fix will have completed.
4. Restart the computer.

This fix clears the proxy cache, places Windows Update sites in the Trusted Zone, places Windows Update sites in the exception list of the IE Popup Blocker, starts all dependent services, registers required DLLs, empties the Windows Update temporary folder (with backup), renames the catroot2 folder, retains update history and the Event log, and deletes the BITS pending download queue.

Once done, go back to the Windows Update Website (you must use Microsoft Internet Explorer to do this). Check your history.

Now

If my memory serves me you no longer have an anti-virus program on your machine.

Here are two good antivirus programs (these are also free for personal use):
  • It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

I know you had ZoneAlarm and it may be that you want to re-install that. Here though are two good firewalls free for personal use that you might like to look at:

  • Comodo Note: Comodo Firewall is no longer available as a stand-alone download and you should choose firewall only during installation.
  • PC Tools Firewall Plus

Once you have installed your new anti-virus program please update it and run a full scan of your machine and post the results back here.

#37 GordonW (Member, Topic Starter)
Well, WUFix.zip worked but the Windows update hadn't yet.

You explained that I need to use MIE to update; should I delete Firefox to do that? An IE icon is on the Desktop but that doesn't work. I tried to rename the default browser to IE and that doesn't work.

This is the message I get when I try to use the IE default or the desktop icon:
iesetup.exe - The procedure entry point SHRegGETValueW could not be located in the dynamic link library SHLWAPI.dll.

Also, I went into the Add/Remove program to see what was there in case I needed to remove Firefox but there isn't anything at all in there.

#38 GordonW (Member, Topic Starter)
Actually, maybe I didn't default to the IE browser correctly. It's not the browser I need though, huh?
I need the IE service right?

Edited by GordonW, 05 February 2009 - 08:06 PM.


#39 emeraldnzl (GeekU Instructor, GeekU Moderator)
No need to remove Firefox.

As far as the extra IE icon, well ComboFix does that and once we have finished that will be reversed.

You could try going to Start > Programs > Internet Explorer and see if you can activate IE that way.

Otherwise I don't think it is too critical at this stage.

My recommendation if you can't get the Windows Update at this point is to install, say, the Avast anti-virus program. Not necessary to worry about the Firewall at this stage.

Update Avast and run a full scan. Post the results back here.

#40 GordonW (Member, Topic Starter)
When I go to open Avast, Firefox is still set as the device to open it. I tried it on the desktop and in the files.
#41 emeraldnzl (GeekU Instructor, GeekU Moderator)
Be sure that your Windows Installer is not disabled or turned off. In Start > Run type gpedit.msc and click OK. The Group Policies window opens. In both Computer Configuration and User Configuration go to Administrative Templates > Windows Components and find Windows Installer. In both places, be sure that it is not disabled or turned off.

#42 emeraldnzl (GeekU Instructor, GeekU Moderator)
If the actions in the last post don't work please do this.

Go to Start > Run > and type in regedit then hit OK

Registry editor will open.

Navigate to (left hand side) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts and click on the FileExts folder. See if there is anything other than (Default) in there and if so, what is it?

Come back and tell me what is there.

Take care: do not make any changes.

#43 GordonW (Member, Topic Starter)
What is in the FileExts folder:

Default REG_SZ
Browse for folder height REG_DWORD
Browse for folder width REG_DWORD
Case Sensitive REG_DWORD
Clean Shut Down REG_DWORD
Fault Count REG_DWORD
Fault Time REG_DWORD
File find band hook REG_SZ
Icon underline REG_NONE
Include Sub Folders REG_DWORD
Link REG_BINARY
Logon Username REG_SZ
Search Hidden REG_DWORD
Search Slow files REG_DWORD
Search System Dirs REG_DWORD
Shell State REG_BINARY
Web find band hook REG_SZ

#44 emeraldnzl (GeekU Instructor, GeekU Moderator)

What is in the FileExts folder:


I guess it is a bit confusing if you haven't done it before.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts

FileExts is the bit on the end of the above Key or path.

When you go to the registry and look up on the left hand side you see a list of headings.

1 Click on HKEY_CURRENT_USER and another list unfolds

2 Scroll down and click on Software and again another list unfolds

3 Click on Microsoft and yet again another list unfolds

4 Click on CurrentVersion and another list unfolds

5 Click on Explorer and another list unfolds

6 Now click on FileExts; this time don't go any further but look over on the right-hand side and write down what you see there:

In normal course it should look something like this:

(Default) REG_SZ (value not set)

but just write down what is there and post back.

It is possible I suppose that you don't find that Key. If so come back and tell me.