Internet works but network does not - Page 4

Springymajig · 17-Jul-2009, 05:50 AM **#46**

Here is a new combofix log with the latest version (by the way, should I be running this on both computers or just this one?)

ComboFix 09-07-14.08 - Jeremy Hay 17/07/2009 20:37.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1534 [GMT 12:00]
Running from: c:\my documents\Downloads\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-06-17 to 2009-07-17 )))))))))))))))))))))))))))))))
.

2009-07-13 02:42 . 2009-07-13 02:43 -------- d-----w- e:\documents and settings\Jeremy Hay\.SunDownloadManager
2009-07-12 11:04 . 2009-07-12 11:04 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\Malwarebytes
2009-07-12 11:04 . 2009-06-16 23:27 38160 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2009-07-12 11:04 . 2009-07-12 11:04 -------- d-----w- e:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-12 11:04 . 2009-06-16 23:27 19096 ----a-w- e:\windows\system32\drivers\mbam.sys
2009-07-12 11:04 . 2009-07-12 11:04 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2009-07-09 23:44 . 2009-06-29 05:19 327688 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-09 23:44 . 2009-06-29 05:19 2052376 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-09 23:44 . 2009-06-29 05:19 906520 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgemc.exe
2009-07-09 23:44 . 2009-06-29 05:19 493336 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgtbapi.dll
2009-07-09 23:44 . 2009-06-29 05:19 3402008 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-09 23:44 . 2009-06-29 05:19 2167576 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-09 23:44 . 2009-06-29 05:19 1204504 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-09 23:43 . 2009-06-29 05:19 337176 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
2009-07-09 23:43 . 2009-06-29 05:19 829208 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-07-09 23:43 . 2009-06-29 05:19 3298072 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-07-09 23:42 . 2009-06-29 05:15 1454360 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-09 23:42 . 2009-06-29 05:15 1085208 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-07 05:54 . 2009-07-11 01:51 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\Canon
2009-07-07 03:00 . 2009-07-15 03:57 -------- d-----w- E:\Dane
2009-07-06 21:54 . 2008-04-14 01:11 21504 ----a-w- e:\windows\system32\drivers\hidserv.dll
2009-07-04 23:41 . 2009-07-04 23:41 -------- d-----w- e:\program files\Trend Micro
2009-07-03 00:10 . 2006-01-15 23:45 360288 ----a-w- e:\windows\system32\drivers\ar5523.sys
2009-07-03 00:10 . 2006-01-15 23:45 360288 ----a-w- e:\windows\system32\ar5523.sys
2009-07-03 00:10 . 2005-07-27 09:16 44160 ----a-w- e:\windows\system32\athfmwdl.sys
2009-07-03 00:10 . 2005-07-27 09:15 149392 ----a-w- e:\windows\system32\drivers\ar5523.bin
2009-07-03 00:10 . 2005-07-27 09:15 149392 ----a-w- e:\windows\system32\ar5523.bin
2009-07-02 12:31 . 2009-07-02 12:31 -------- d-----w- e:\documents and settings\Jeremy Hay\Local Settings\Application Data\AVG Security Toolbar
2009-06-30 12:22 . 2009-06-30 12:22 -------- d-----w- e:\windows\usb-audio.deTascam
2009-06-30 10:28 . 2009-06-30 10:28 -------- d-----w- e:\program files\Common Files\Adobe Systems Shared
2009-06-29 23:17 . 2009-07-04 01:56 -------- d-----w- E:\Audition files
2009-06-29 05:19 . 2009-06-29 05:19 832144 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe
2009-06-29 05:19 . 2009-06-29 05:19 -------- d-----w- e:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-29 05:19 . 2009-06-29 05:19 -------- d-----w- e:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-27 05:18 . 2004-05-20 20:04 79622 ----a-w- e:\windows\system32\EBPMON24.DLL
2009-06-27 05:18 . 2004-02-17 16:10 98304 ----a-w- e:\windows\system32\E_SAGSET.DLL
2009-06-27 05:18 . 2003-07-16 04:14 31744 ----a-w- e:\windows\system32\E_DCINST.DLL
2009-06-27 05:18 . 2003-05-20 17:27 64000 ----a-w- e:\windows\system32\ECBTEG.DLL
2009-06-27 05:18 . 2000-06-06 16:01 34304 ----a-w- e:\windows\system32\EBPCHP.DLL
2009-06-27 05:18 . 2008-04-13 19:47 25856 -c--a-w- e:\windows\system32\dllcache\usbprint.sys
2009-06-27 05:18 . 2008-04-13 19:47 25856 ----a-w- e:\windows\system32\drivers\usbprint.sys
2009-06-27 05:11 . 2009-06-27 05:11 -------- d-----w- e:\program files\Canon
2009-06-27 05:10 . 2009-06-27 05:10 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\ScanSoft
2009-06-27 05:10 . 2009-06-27 05:10 -------- d-----w- e:\documents and settings\All Users\Application Data\SSScanWizard
2009-06-27 05:10 . 2009-06-27 05:10 -------- d-----w- e:\documents and settings\All Users\Application Data\SSScanAppDataDir
2009-06-27 05:10 . 2009-06-27 05:10 -------- d-----w- e:\program files\Common Files\ScanSoft Shared
2009-06-27 05:10 . 2009-06-27 05:10 -------- d-----w- e:\program files\ScanSoft
2009-06-27 05:09 . 2002-05-23 15:04 389180 ----a-w- e:\windows\system32\UCS32P.DLL
2009-06-27 05:09 . 2002-09-27 02:56 69632 ----a-w- e:\windows\system32\CNQU70.DLL
2009-06-27 05:09 . 2002-04-12 08:23 339968 ----a-w- e:\windows\system32\N124UFW.dll
2009-06-27 05:09 . 2009-06-27 05:09 -------- d--h--w- E:\CanoScan
2009-06-27 04:34 . 2004-11-30 04:00 286720 ----a-r- e:\windows\878RMT.exe
2009-06-27 04:34 . 2009-06-27 04:34 -------- d-----w- e:\windows\MyInstall
2009-06-27 04:33 . 2009-06-27 04:33 -------- d-----w- e:\program files\honestech
2009-06-27 04:33 . 2001-05-16 04:54 309616 ----a-w- e:\windows\system32\wmv8dmod.dll
2009-06-27 04:33 . 2001-05-11 00:18 420240 ----a-w- e:\windows\system32\mpg4c32.dll
2009-06-27 04:32 . 2005-01-28 04:00 9216 ----a-r- e:\windows\system32\drivers\BtTuner.sys
2009-06-27 04:32 . 2005-01-28 04:00 8448 ----a-r- e:\windows\system32\drivers\BtXbar.sys
2009-06-27 04:32 . 2005-01-28 04:00 196736 ----a-r- e:\windows\system32\drivers\Bt878.sys
2009-06-27 04:30 . 2009-06-27 04:31 -------- d-----w- e:\windows\MustRead
2009-06-27 04:17 . 2009-06-27 04:17 8 ----a-w- e:\windows\system32\nvModes.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-16 22:25 . 2007-04-17 20:59 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\Orbit
2009-07-16 22:24 . 2007-12-14 03:40 -------- d-----w- e:\documents and settings\All Users\Application Data\Google Updater
2009-07-16 22:24 . 2007-12-17 20:56 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\WTablet
2009-07-13 03:15 . 2008-10-04 21:50 410984 ----a-w- e:\windows\system32\deploytk.dll
2009-07-09 23:43 . 2008-06-16 21:02 335752 ----a-w- e:\windows\system32\drivers\avgldx86.sys
2009-07-09 04:06 . 2008-02-05 01:27 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\dvdcss
2009-07-08 04:49 . 2007-04-20 09:56 12884 --sha-w- e:\windows\system32\KGyGaAvL.sys
2009-07-07 23:07 . 2008-10-22 21:13 -------- d-----w- e:\documents and settings\LocalService\Application Data\WTablet
2009-07-06 21:55 . 2009-07-06 21:55 0 ---ha-w- e:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-06 21:55 . 2009-07-06 21:55 0 ---ha-w- e:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-07-03 23:15 . 2009-03-10 12:17 664 ----a-w- e:\windows\system32\d3d9caps.dat
2009-07-03 22:29 . 2007-04-16 04:39 -------- d--h--w- e:\program files\InstallShield Installation Information
2009-06-30 12:10 . 2007-04-16 06:06 26040 ----a-w- e:\documents and settings\Jeremy Hay\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-30 11:33 . 2007-04-16 04:41 -------- d-----w- e:\program files\Common Files\Adobe
2009-06-30 10:29 . 2009-06-30 10:29 -------- d-----w- e:\documents and settings\All Users\Application Data\Adobe Systems
2009-06-30 00:06 . 2008-09-12 04:13 -------- d-----w- e:\program files\Belkin
2009-06-29 05:19 . 2008-06-16 21:02 11952 ----a-w- e:\windows\system32\avgrsstx.dll
2009-06-29 05:19 . 2007-04-23 05:10 27784 ----a-w- e:\windows\system32\drivers\avgmfx86.sys
2009-06-27 05:16 . 2007-04-21 02:14 -------- d-----w- e:\program files\EPSON
2009-06-24 10:33 . 2009-06-14 12:27 -------- d-----w- e:\program files\TP-LINK
2009-06-14 12:39 . 2009-06-14 10:42 146976 ----a-w- e:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-14 12:07 . 2009-06-14 12:07 -------- d-----w- e:\program files\PC Drivers HeadQuarters
2009-06-14 12:07 . 2009-06-14 12:07 -------- d-----w- e:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-06-14 12:07 . 2007-04-17 09:44 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\GetRightToGo
2009-06-14 10:14 . 2009-06-14 10:12 -------- d-----w- e:\documents and settings\All Users\Application Data\Linksys
2009-06-14 10:13 . 2009-06-14 10:13 -------- d-----w- e:\program files\WebEx
2009-06-14 10:12 . 2007-04-28 02:21 -------- d-----w- e:\program files\Java
2009-05-22 13:39 . 2009-05-20 05:49 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\.purple
2009-05-22 13:28 . 2009-05-22 13:28 2087 ----a-w- e:\documents and settings\Jeremy Hay\Application Data\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2009-05-20 05:52 . 2009-05-20 05:52 1065 ----a-w- e:\documents and settings\Jeremy Hay\Application Data\.purple\certificates\x509\tls_peers\gmail.com
2009-05-20 05:49 . 2009-05-20 05:49 2099 ----a-w- e:\documents and settings\Jeremy Hay\Application Data\.purple\certificates\x509\tls_peers\login.live.com
2009-05-20 05:49 . 2009-05-20 05:49 -------- d-----w- e:\documents and settings\Jeremy Hay\Application Data\gtk-2.0
2009-05-20 05:47 . 2009-05-20 05:47 -------- d-----w- e:\program files\Common Files\GTK
2009-05-20 05:11 . 2009-05-20 05:11 -------- d-----w- e:\program files\Microsoft
2009-05-20 05:11 . 2009-05-20 05:11 -------- d-----w- e:\program files\Windows Live SkyDrive
2009-05-20 05:11 . 2008-06-03 22:54 -------- d-----w- e:\program files\Windows Live
2009-05-20 05:09 . 2009-05-20 05:09 -------- d-----w- e:\program files\Common Files\Windows Live
2009-05-08 13:14 . 2009-05-08 13:14 1418120 ----a-w- e:\windows\system32\wdfcoinstaller01005.dll
2009-05-08 13:14 . 2009-05-08 13:14 14736 ----a-w- e:\windows\system32\drivers\nuidfltr.sys
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- e:\windows\system32\localspl.dll
2009-05-02 22:28 . 2008-06-16 21:02 108552 ----a-w- e:\windows\system32\drivers\avgtdix.sys
2009-04-29 04:56 . 2004-08-04 12:00 827392 ----a-w- e:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 12:00 78336 ----a-w- e:\windows\system32\ieencode.dll
2009-05-01 04:44 . 2008-06-17 23:59 134648 ----a-w- e:\program files\mozilla firefox\components\brwsrcmp.dll
2007-01-23 02:07 . 2007-06-08 07:45 1847296 ----a-w- e:\program files\mozilla firefox\plugins\Seadragon.dll
2007-06-04 03:18 . 2007-04-20 09:56 56 --sh--r- e:\windows\system32\72E1C1C693.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-07-10_00.14.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-16 22:23 . 2009-07-16 22:23 16384 e:\windows\Temp\Perflib_Perfdata_f4.dat
+ 2009-07-13 03:15 . 2009-07-13 03:15 148888 e:\windows\system32\javaws.exe
+ 2009-07-13 03:15 . 2009-07-13 03:15 144792 e:\windows\system32\javaw.exe
+ 2009-07-13 03:15 . 2009-07-13 03:15 144792 e:\windows\system32\java.exe
+ 2009-07-13 03:15 . 2009-07-13 03:15 1563648 e:\windows\Installer\28e6d3.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 04:07 1004800 ----a-w- e:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "e:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="e:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-14 68856]
"MsnMsgr"="e:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"MSMSGS"="e:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Google Update"="e:\documents and settings\Jeremy Hay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TV Card Remote Control Applet"="e:\windows\878RMT.exe" [2004-11-30 286720]
"WinampAgent"="e:\program files\Winamp\winampa.exe" [2007-05-14 35328]
"UpdReg"="e:\windows\UpdReg.EXE" [2000-05-10 90112]
"QuickTime Task"="e:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"PhilipsSA33XXDM"="e:\program files\Philips\SA33XX\Philips Device Manager\Bin\SA33XXDeviceManager.exe" [2007-08-06 892928]
"Omnipage"="e:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-02 49152]
"NvMediaCenter"="e:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NeroFilterCheck"="e:\windows\system32\NeroCheck.exe" [2001-07-08 155648]
"IntelliPoint"="e:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"googletalk"="e:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"EPSON Stylus C45 Series"="e:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE" [2004-01-13 99840]
"CTSysVol"="e:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]
"AVG8_TRAY"="e:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-29 1948440]
"AppleSyncNotifier"="e:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-30 111936]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Adobe Acrobat Speed Launcher"="e:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="e:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"SunJavaUpdateSched"="e:\program files\Java\jre6\bin\jusched.exe" [2009-07-13 148888]
"SkyTel"="SkyTel.EXE" - e:\windows\SkyTel.exe [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" - e:\windows\RTHDCPL.EXE [2006-11-14 16270848]
"P17Helper"="P17.dll" - e:\windows\system32\P17.dll [2006-03-17 81408]
"nwiz"="nwiz.exe" - e:\windows\system32\nwiz.exe [2009-02-18 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="e:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - e:\windows\system32\narrator.exe [2008-04-14 53760]

e:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - e:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Launchy.lnk - e:\program files\Launchy\Launchy.exe [2007-10-1 274432]
Microsoft Office.lnk - e:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Orbit.lnk - e:\program files\Orbitdownloader\orbitdm.exe [2007-4-18 1690824]
QuickBooks Update Agent.lnk - e:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-4-20 972320]
ScheduleTV.lnk - e:\program files\honestech\honestech TVR\scheduleTV.exe [2009-6-27 307200]
TabUserW.exe.lnk - e:\windows\system32\WTablet\TabUserW.exe [2007-4-17 132656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-29 05:19 11952 ----a-w- e:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;e:\windows\system32\drivers\avgldx86.sys [17/06/2008 9:02 a.m. 335752]
R1 AvgTdiX;AVG8 Network Redirector;e:\windows\system32\drivers\avgtdix.sys [17/06/2008 9:02 a.m. 108552]
R2 878TVCard;Bt878 TV Card - Video Capture;e:\windows\system32\drivers\Bt878.sys [27/06/2009 4:32 p.m. 196736]
R2 878TVTuner;Bt878 TV Card - TV Tuner;e:\windows\system32\drivers\BtTuner.sys [27/06/2009 4:32 p.m. 9216]
R2 878Xbar;Bt878 TV Card - Crossbar;e:\windows\system32\drivers\BtXbar.sys [27/06/2009 4:32 p.m. 8448]
R2 avg8emc;AVG Free8 E-mail Scanner;e:\progra~1\AVG\AVG8\avgemc.exe [4/07/2008 9:13 a.m. 907032]
R2 avg8wd;AVG8 WatchDog;e:\progra~1\AVG\AVG8\avgwdsvc.exe [4/07/2008 9:12 a.m. 298776]
R3 p17filt;p17filt;e:\windows\system32\drivers\p17filt.sys [20/03/2006 6:34 p.m. 1452032]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;e:\windows\system32\drivers\tascusb2.sys [21/05/2009 3:47 p.m. 396192]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;e:\windows\system32\drivers\tscusb2m.sys [21/05/2009 3:47 p.m. 10752]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;e:\windows\system32\drivers\tscusb2a.sys [21/05/2009 3:47 p.m. 19904]
S3 V0090VID;Creative WebCam Vista Plus;e:\windows\system32\drivers\V0090Vid.sys [31/03/2008 8:17 a.m. 138112]
.
Contents of the 'Scheduled Tasks' folder

2009-07-03 e:\windows\Tasks\AppleSoftwareUpdate.job
- e:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 00:34]

2009-07-17 e:\windows\Tasks\Google Software Updater.job
- e:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-14 07:28]

2009-07-16 e:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-616249376-725345543-1004Core.job
- e:\documents and settings\Jeremy Hay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 10:44]

2009-07-17 e:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-616249376-725345543-1004UA.job
- e:\documents and settings\Jeremy Hay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 10:44]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Append Link Target to Existing PDF - e:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - e:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - e:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - e:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Do&wnload selected by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
TCP: {D86DD133-9159-47B3-B340-588CF0A2828E} = 58.28.4.2,58.28.6.2
FF - ProfilePath - e:\documents and settings\Jeremy Hay\Application Data\Mozilla\Firefox\Profiles\b32aab5b.default\
FF - prefs.js: browser.search.selectedEngine - Dictionary.com
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1641676&SearchSource=2&q=
FF - component: e:\documents and settings\Jeremy Hay\Application Data\Mozilla\Firefox\Profiles\b32aab5b.default\extensions\piclens@cooliris. com\components\coolirisstub.dll
FF - component: e:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: e:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils 2.dll
FF - component: e:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils 3.dll
FF - component: e:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils 35.dll
FF - component: e:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: e:\documents and settings\Jeremy Hay\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: e:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: e:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\nppsynth.dll
FF - plugin: e:\windows\system32\Photosynth\nppsynth.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-17 20:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
TV Card Remote Control Applet = e:\windows\878RMT.exe?????????????????????????????????????????????????????? ?????????????????????????????????????????????????????6?B~!?B~9???????T???q? @?9????8????@?X???????????????d???9???Bt878 TV Card Remote Control Receiver?@?????????W?SN????:?A~}(@?z????(@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:06,24,62,cd,bf,cf,1c,af,2a,20,02,ed,16,ea,eb,ea,b7,7d,5b,e1,0 9,
bd,5e,7b,c9,72,93,ab,bd,ef,68,e9,2f,36,c1,fb,23,61,94,1a,bc,37,9d,c2,fa,a4, \

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\User Data\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscripti ons\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\User Data\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscripti ons\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:06,24,62,cd,bf,cf,1c,af,2a,20,02,ed,16,ea,eb,ea,b7,7d,5b,e1,0 9,
bd,5e,7b,c9,72,93,ab,bd,ef,68,e9,2f,36,c1,fb,23,61,94,1a,bc,37,9d,c2,fa,a4, \
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2588)
e:\program files\ScanSoft\OmniPageSE\ophook32.dll
e:\windows\system32\WPDShServiceObj.dll
e:\windows\system32\PortableDeviceTypes.dll
e:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-17 20:46
ComboFix-quarantined-files.txt 2009-07-17 08:46
ComboFix2.txt 2009-07-11 00:26
ComboFix3.txt 2009-07-10 00:19

Pre-Run: 116,319,576,064 bytes free
Post-Run: 116,357,439,488 bytes free

277 --- E O F --- 2009-07-06 21:55

**Cookiegal** · 18-Jul-2009, 05:03 PM **#47**

Download OTS.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTS on your desktop.

Close any open browsers.
If your Real protection or Antivirus interferes with OTS, allow it to run.
Open the OTS folder and double-click on OTS.exe to start the program.
In Additional Scans section put a check in Disabled MS Config Items and EventViewer logs
Now click the Run Scan button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file.

Use the Reply button, scroll down to the attachments section and attach the notepad file here.

Springymajig · 24-Jul-2009, 09:03 PM **#48**

Hi, sorry I haven't done this till now, I've been busy.

I hope I did this right, it didn't take a long time to scan at all...

**Cookiegal** · 25-Jul-2009, 04:22 PM **#49**

Start OTS. Copy/Paste the information in the code box below into the pane where it says "Paste fix here" and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log please.

Code:

[Kill All Processes]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {5C255C8A-E604-49b4-9D64-90988571CECB} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{A057A204-BACC-4D26-9990-79A187E2698E}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} [HKLM] -> [Reg Error: Value error.]
[Files/Folders - Created Within 30 Days]
NY -> 4 E:\WINDOWS\*.tmp files -> E:\WINDOWS\*.tmp
[Files/Folders - Modified Within 30 Days]
NY -> 4 E:\WINDOWS\System32\*.tmp files -> E:\WINDOWS\System32\*.tmp
[Empty Temp Folders]
[Start Explorer]
[Reboot]

Springymajig · 27-Jul-2009, 06:06 AM **#50**

Here is the log from OTS:

All Processes Killed
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}\ not found.
Starting removal of ActiveX control {E06E2E99-0AA1-11D4-ABA6-0060082AA75C}
E:\Program Files\WebEx\ieatgpc.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\ deleted successfully.
[Files/Folders - Created Within 30 Days]
[Files/Folders - Modified Within 30 Days]
[Empty Temp Folders]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Jeremy Hay
->Temp folder emptied: 1994 bytes
File delete failed. E:\Documents and Settings\Jeremy Hay\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 8713493 bytes
->Java cache emptied: 23265792 bytes
->FireFox cache emptied: 108453917 bytes
->Google Chrome cache emptied: 1116746325 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. E:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 329 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1198.97 mb

< End of fix log >
OTS by OldTimer - Version 3.0.10.1 fix logfile created on 07272009_210037

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Springymajig · 27-Jul-2009, 06:07 AM **#51**

Here is the new Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:05:59 p.m., on 27/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\Tablet.exe
E:\PROGRA~1\AVG\AVG8\avgemc.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\PROGRA~1\AVG\AVG8\avgnsx.exe
E:\WINDOWS\system32\WTablet\TabUserW.exe
E:\WINDOWS\system32\Tablet.exe
E:\Program Files\AVG\AVG8\avgcsrvx.exe
E:\WINDOWS\878RMT.exe
E:\Program Files\Winamp\winampa.exe
E:\Program Files\QuickTime\QTTask.exe
E:\Program Files\Philips\SA33XX\Philips Device Manager\Bin\SA33XXDeviceManager.exe
E:\WINDOWS\system32\Rundll32.exe
E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
E:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
E:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
E:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
E:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Launchy\Launchy.exe
E:\Program Files\Orbitdownloader\orbitdm.exe
E:\Program Files\honestech\honestech TVR\scheduleTV.exe
E:\Program Files\Orbitdownloader\orbitnet.exe
E:\Documents and Settings\Jeremy Hay\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Jeremy Hay\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - E:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - E:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - E:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - E:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - E:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - E:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - E:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [TV Card Remote Control Applet] E:\WINDOWS\878RMT.exe
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PhilipsSA33XXDM] E:\Program Files\Philips\SA33XX\Philips Device Manager\Bin\SA33XXDeviceManager.exe OS_STARTUP
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Omnipage] E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [googletalk] E:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [CTSysVol] E:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "E:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] E:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "E:\Documents and Settings\Jeremy Hay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Launchy.lnk = E:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Orbit.lnk = E:\Program Files\Orbitdownloader\orbitdm.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = E:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: ScheduleTV.lnk = E:\Program Files\honestech\honestech TVR\scheduleTV.exe
O4 - Global Startup: TabUserW.exe.lnk = E:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Download by Orbit - res://E:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://E:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Append Link Target to Existing PDF - res://E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://E:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://E:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: e:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{D86DD133-9159-47B3-B340-588CF0A2828E}: NameServer = 58.28.4.2,58.28.6.2
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - E:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - E:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: TabletService - Wacom Technology, Corp. - E:\WINDOWS\system32\Tablet.exe

--
End of file - 12070 bytes

**Cookiegal** · 27-Jul-2009, 08:45 PM **#52**

Rescan with HijackThis, close all other browser windows, put a check mark beside the following entry and click on Fix Checked.

O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE

How are things now?

Springymajig · 28-Jul-2009, 05:53 AM **#53**

Hmm yeah that seemed to work... FOR NOW *sigh*

Every fix that's worked so far has been temporary so I'm not holding my breath... I'll get back to you later if it stops working again, if it stays working for a week I'll mark this SOLVED.

*crosses fingers*

JohnWill · 28-Jul-2009, 03:24 PM **#54**

If the malware keeps coming back, you either have more of it hiding, or you're going someplace that keeps infecting the machine.

**Cookiegal** · 28-Jul-2009, 03:41 PM **#55**

Here are some final instructions for you.

Follow these steps to uninstall Combofix and all of its files and components.

Click START then RUN
Now type ComboFix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on My Computer and click on Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on Start – All Programs – Accessories – System Tools and then select System Restore.

In the System Restore wizard, select Create a restore point and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading SPYWAREBLASTER for added protection.

Read here for info on how to tighten your security.

***

You should trim down your start-ups (these show as the 04 entries in your HijackThis log) as there are too many running. You can research them at these sites and if they aren’t required at start-up then you can uncheck them in msconfig via Start - Run - type msconfig click OK and then click on the start-up tab.

http://www.systemlookup.com/lists.php?list=2
http://www.bleepingcomputer.com/startups/
http://www.windowsstartup.com/wso/index.php

Springymajig · 02-Aug-2009, 02:56 AM **#56**

Hi

I was going to follow those final steps but then... once again, the network failed.

I swear I did nothing on the computer. All I did was turn it on for about 5 minutes to check if the network was running... and it did, then I went back the next day and it stopped again. I know this is way over my head but are you absolutely sure it's not a problem with PC1, cos I've been using that one plenty. This is a hijackthis log from PC1:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:51:18 p.m., on 2/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKLM\..\Run: [Auto EPSON Stylus C45 Series on BANSHEE] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P39 "Auto EPSON Stylus C45 Series on BANSHEE" /O19 "\\BANSHEE\Printer12" /M "Stylus C45"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4B1286C-9B06-4123-9E31-4708C8A10C31}: NameServer = 58.28.4.2,58.28.6.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{EAB8EA4B-49D2-4A38-8F6D-1678F4587027}: NameServer = 58.28.4.2,58.28.6.2
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 8427 bytes

**Cookiegal** · 02-Aug-2009, 02:49 PM **#57**

Go to Start – Run - type msconfig – click OK and click on the startup tab. Uncheck everything there except for your anti-virus program. Then reboot and let me know if the problem persists please.

Tag Cloud
access acer asus bios bsod computer crash dns driver drivers error ethernet excel freeze gaming google hard drive hardware hdmi internet laptop mac malware memory monitor motherboard mouse network printer problem ram registry router server slow software sound svchost.exe trojan usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Search
Search for:

Find the solution to yourcomputer problem!

Find the solution to your
computer problem!