
Completely Hijacked

Discussion in 'Virus & Other Malware Removal' started by Monty246, May 5, 2010.

Thread Status:
Not open for further replies.
  1. Monty246

    Monty246 Thread Starter

    Joined:
    May 5, 2010
    Messages:
    13
    I have an infection. Thing is, though, I can't run any of my Malwarebytes, Spybot or AVG to get rid of it. I have no idea what it is either because I can't get on to Task Manager. All I know is I keep getting the same 'Your computer might be at risk' message, and what looks like a web page sometimes pops up with anti-virusware on it; it says it's coming from Windows Security Centre, but it's clearly not..... Also I get repetitive red crosses and messages (as above) in my taskbar saying security warning.
    It might be something as simple as starting up in safe mode and trying to run my Malwarebytes from there. I don't know which F key to press at startup; I've tried F8 but this doesn't seem to work.
    Please help......
    Just found out I can't even do a system restore and I can't run HijackThis either. Something is running my processor's memory at what sounds like 70-90% but whatever it is won't let me into Task Manager.
    Basically it's a mess.....Please help!
    Much appreciated.
     
  2. Monty246

    Monty246 Thread Starter

    Joined:
    May 5, 2010
    Messages:
    13
    It appears to be using wscntfy.exe. It will only let me open Task Manager for about 1 second, enough, after about 20 attempts, to see what was running unusually. 30 percent seems to be a lot for this programme.
    Also I appear to have lost my safe mode on reboot.
    What a mess......Should I still be on the internet? What am I potentially putting at risk?

     
  3. RPMcMurphy

    RPMcMurphy Malware Specialist

    Joined:
    Apr 26, 2010
    Messages:
    444
    Hello User and welcome to Tech Support Guy. I’ll be happy to look over your log and help you with your issues. It will be very helpful if you follow these guidelines:

    • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
    • Please do not run any scans or install/uninstall any applications without being directed to do so.
    • Please follow my instructions carefully and in the order they are posted.
    • Any underlined text in my posts indicates a clickable link.
    • You should print any instructions I give you for ease of use and reference.
    • If you have any questions at all, please stop and ask before proceeding.

    Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click and choose Run as Admin
    You only need to get one of them to run, not all of them.

    http://download.bleepingcomputer.com/grinler/rkill.exe
    http://download.bleepingcomputer.com/grinler/rkill.com
    http://download.bleepingcomputer.com/grinler/rkill.scr
    http://download.bleepingcomputer.com/grinler/rkill.pif

    Note:

    You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message. Run rkill repeatedly until it's able to do its job. This may take a few tries. You'll be able to tell rkill has done its job when your desktop (explorer.exe) cycles off and then on again.

    At this point, you should now be able to run analysis tools.

    Once the tool has run, do NOT reboot the machine, and then try to run DDS and GMER (instructions below).

    Please download DDS by sUBs from one of the following links and save it to your desktop.

    • Disable any script blocking protection (How to Disable your Security Programs)
    • Double click DDS icon to run the tool (may take up to 3 minutes to run)
    • When done, DDS.txt will open.
    • After a few moments, attach.txt will open in a second window.
    • Save both reports to your desktop.
    ---------------------------------------------------
    • Post the contents of the DDS.txt report in your next reply
    • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.

    Download GMER Rootkit Scanner from here to your desktop.

    • Double click the exe file. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and post it in reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


    If you have trouble running GMER:

    • Make sure that your security software is disabled
    • Uncheck the box next to "Files" this time also
    • If you still can't run it, try in the Safe Mode

    Please include the following in your next post:

    • DDS and Attach.txt logs
    • GMER log
     
  4. Monty246

    Monty246 Thread Starter

    Joined:
    May 5, 2010
    Messages:
    13
    Thanks for getting back. I thought I'd fixed it because I did eventually run Malwarebytes and, of course, it did run a message, but I managed to run it before whatever it was booted up.
    I'm still concerned about it though as I think it may not all still be off, although Malwarebytes did find 6 infected objects and removed them, and the messages have stopped popping up now.
    Here's my HijackThis log, which I can now access; hopefully you'll tell me everything's ok...
    Thanks for the time.
     
  5. Monty246

    Monty246 Thread Starter

    Joined:
    May 5, 2010
    Messages:
    13
    Sorry, forgot this....

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 01:52:18, on 07/05/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
    c:\APPS\Powercinema\Kernel\TV\CLSched.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
    c:\APPS\HIDSERVICE\HIDSERVICE.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lexmark P910 Series\ezprint.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Realtek\USB Wireless LAN Utility\RtWLan.exe
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://security.symantec.com/default.asp?productid=NIS2004&langid=en-gb&venid=sym
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\CreativesFiles\Plugins\RazaWebHook.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark P910 Series\ezprint.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [LXBYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBYtime.dll,[email protected]
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: REALTEK USB Wireless LAN Utility.lnk = C:\Program Files\Realtek\USB Wireless LAN Utility\RtWLan.exe
    O4 - Global Startup: uninstall.exe
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download with &Shareaza - res://C:\CreativesFiles\Plugins\RazaWebHook.dll/3000
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
    O15 - Trusted Zone: *.amaena.com
    O15 - Trusted Zone: *.avsystemcare.com
    O15 - Trusted Zone: *.onerateld.com
    O15 - Trusted Zone: *.safetydownload.com
    O15 - Trusted Zone: *.trustedantivirus.com
    O15 - Trusted Zone: *.virusschlacht.com
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: lxby_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbycoms.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

    --
    End of file - 9602 bytes
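A HijackThis log like the one above is read by hand, section by section, and the reader looks for entries that are unusual for a stock Windows XP machine. The script below is an added example, not part of this thread and not code from Trend Micro, BleepingComputer or any of the tools mentioned here. It parses HijackThis-style `Rn`/`On` lines and flags a few entry types that a malware-removal helper would want to look at first: an Internet Explorer proxy pointing at the local machine, Trusted Zone additions, startup entries that name a bare executable without a path, BHO registrations whose file is missing, and services with no publisher recorded. The heuristics are my assumptions about what deserves a second look, not a verdict on any specific entry; the sample input is a handful of lines copied from the log posted above, not a full log.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the HijackThis log posted in this
# thread. Real logs have hundreds of lines; this is only enough to exercise the rules.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\CreativesFiles\Plugins\RazaWebHook.dll (file missing)
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark P910 Series\ezprint.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - Global Startup: uninstall.exe
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.trustedantivirus.com
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "O15"
    reason: str   # why the line was flagged (heuristic, not a verdict)
    line: str     # the log line that triggered the rule


# Every HijackThis entry starts with a tag such as R1 or O23, then " - ".
LINE_RE = re.compile(r"^(?P<tag>[RO]\d+) - (?P<body>.*)$")


def parse_hjt_lines(text):
    """Yield (tag, body, full_line) for each line that looks like a HijackThis entry."""
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            yield m.group("tag"), m.group("body"), line


def proxy_is_loopback(body):
    """True when an Internet Settings ProxyServer value routes IE through 127.0.0.1/localhost."""
    m = re.search(r"ProxyServer\s*=\s*(.*)$", body)
    if not m:
        return False
    # Values look like "http=127.0.0.1:5555" or "proxy.example.net:8080"; several may be ';'-separated.
    for part in m.group(1).split(";"):
        host = part.split("=")[-1].rsplit(":", 1)[0].strip()
        if host in ("127.0.0.1", "localhost"):
            return True
    return False


def startup_has_unqualified_exe(body):
    """True when an O4 entry launches a bare executable name with no directory (e.g. 'uninstall.exe')."""
    if "]" in body:                       # "HKLM\..\Run: [Name] command ..."
        cmd = body.split("]", 1)[1].strip()
    else:                                 # "Global Startup: file.lnk = path" or "Global Startup: file.exe"
        cmd = body.split(":", 1)[-1].strip()
    first = cmd.strip('"').split()[0] if cmd.strip('"') else ""
    return "\\" not in first and first.lower().endswith((".exe", ".com", ".scr", ".pif"))


def triage(text):
    """Run the review heuristics over a HijackThis-style log and return the findings."""
    findings = []
    for tag, body, line in parse_hjt_lines(text):
        if tag == "R1" and proxy_is_loopback(body):
            findings.append(Finding(tag, "IE proxy points at the local machine", line))
        elif tag == "O2" and "(file missing)" in body:
            findings.append(Finding(tag, "orphaned BHO registration (file missing)", line))
        elif tag == "O4" and startup_has_unqualified_exe(body):
            findings.append(Finding(tag, "startup entry names an executable without a path", line))
        elif tag == "O15":
            findings.append(Finding(tag, "site added to the IE Trusted Zone", line))
        elif tag == "O23" and re.search(r"\) - - ", body):
            findings.append(Finding(tag, "service with no publisher recorded", line))
    return findings


def summarize(findings):
    """Count findings per section tag, for a quick overview of where to look."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
    print(summarize(SAMPLE_LOG and triage(SAMPLE_LOG)))
```

Run against a saved log with `triage(open("hijackthis.log").read())`. The rules deliberately flag for review rather than declare anything malicious: `SOUNDMAN.EXE` is a legitimate Realtek entry that happens to be registered without a path, and Windows Update itself adds a Trusted Zone entry, so every hit still needs a human to check the file, its publisher and whether the user recognises the site.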
     
  6. RPMcMurphy

    RPMcMurphy Malware Specialist

    Joined:
    Apr 26, 2010
    Messages:
    444
    Hi,

    Unfortunately HijackThis has not been updated in some time and isn't a very good diagnostic tool anymore. Please follow the instructions in my first post to produce DDS and GMER logs for me and I'll be happy to have a look.
     
  7. Monty246

    Monty246 Thread Starter

    Joined:
    May 5, 2010
    Messages:
    13
    Thanks, I'll try this and send you the results....
     
  8. Monty246

    Monty246 Thread Starter

    Joined:
    May 5, 2010
    Messages:
    13
    I got this message when running rkill.
    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.
    Ran as richard on 07/05/2010 at 2:39:01.


    Processes terminated by Rkill or while it was running:


    C:\Documents and Settings\richard\Desktop\rkill.exe


    Rkill completed on 07/05/2010 at 2:39:12.
    This may be a standard message and I'll try and run the other software you have posted, as I still don't think things are right; although they're better than they were, some processes seem to be running and using more processing power than I think they should.
    I don't seem to get the message flashing up anymore...but it still might be there.
    Thanks for your time.
     
  9. Monty246

    Monty246 Thread Starter

    Joined:
    May 5, 2010
    Messages:
    13
    This is my DDS log.
    Thanks..
    DDS (Ver_10-03-17.01) - NTFSx86
    Run by richard at 2:44:44.40 on 07/05/2010
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.64 [GMT 1:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}
    FW: Norton Internet Security *enabled* {825036E0-9F94-4752-8789-8B92454AF49B}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
    c:\APPS\Powercinema\Kernel\TV\CLSched.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
    c:\APPS\HIDSERVICE\HIDSERVICE.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\Lexmark P910 Series\ezprint.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Realtek\USB Wireless LAN Utility\RtWLan.exe
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\richard\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.bbc.co.uk/
    uSearch Page = hxxp://www.google.com
    uWindow Title = Packard Bell
    uSearch Bar = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mDefault_Page_URL = file://c:\apps\ie\offline\uk.htm
    uInternet Connection Wizard,ShellNext = hxxp://security.symantec.com/default.asp?productid=NIS2004&langid=en-gb&venid=sym
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    mSearchAssistant = hxxp://www.google.com/ie
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Shareaza Web Download Hook: {0eedb912-c5fa-486f-8334-57288578c627} - c:\creativesfiles\plugins\RazaWebHook.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    mRun: [<NO NAME>]
    mRun: [EzPrint] "c:\program files\lexmark p910 series\ezprint.exe"
    mRun: [!AVG Anti-Spyware] "c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe" /minimized
    mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
    mRun: [LXBYCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBYtime.dll,[email protected]
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [AlcWzrd] ALCWZRD.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\richard\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\realte~1.lnk - c:\program files\realtek\usb wireless lan utility\RtWLan.exe
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\uninstall.exe
    IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
    IE: Download with &Shareaza - c:\creativesfiles\plugins\RazaWebHook.dll/3000
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
    IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    Trusted Zone: amaena.com
    Trusted Zone: avsystemcare.com
    Trusted Zone: microsoft.com\www.update
    Trusted Zone: onerateld.com
    Trusted Zone: safetydownload.com
    Trusted Zone: trustedantivirus.com
    Trusted Zone: virusschlacht.com
    DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
    DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    LSA: Notification Packages = scecli c:\windows\system32\polekove.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\richard\applic~1\mozilla\firefox\profiles\ypt6du9s.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
    FF - prefs.js: network.proxy.type - 4
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
    FF - plugin: c:\program files\veetle\vlc\npvlc.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - HiddenExtension: XUL Cache: {CDE9718E-05B4-4051-8E69-B7A70997BB75} - c:\documents and settings\richard\local settings\application data\{CDE9718E-05B4-4051-8E69-B7A70997BB75}
    FF - HiddenExtension: XUL Cache: No Registry Reference - c:\program files\mozilla firefox\extensions\{54029170-A695-41F3-BF00-7F9E2F9495F9}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
    R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2008-2-20 3968]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-17 335240]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-2-20 27784]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-17 108552]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-12-3 908056]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-12-3 297752]
    R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2009-9-2 38144]
    R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-3-10 38224]
    S3 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
    S3 RDID1009;EDIROL UM-1;c:\windows\system32\drivers\Rdwm1009.sys [2010-4-23 79393]
    S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [2010-1-9 264576]
    S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

    =============== Created Last 30 ================

    2010-05-05 07:35:23 0 d-----w- c:\program files\Security Task Manager
    2010-05-05 07:22:36 0 d-----w- C:\051f0b034fd8f21008aa5c390521
    2010-05-05 07:22:25 0 d-----w- C:\6404797b75aa223ae12b01c932
    2010-05-05 07:22:22 0 d-----w- C:\314f40bc9f1aaa5e377e
    2010-05-05 07:21:44 0 d-----w- C:\efe9eb09bb47238503ec717118eebd53
    2010-05-05 07:21:36 0 d-----w- C:\6596391cb24a1886789736da5474
    2010-05-05 06:31:17 0 d-----w- C:\efa333d90573223245400a48eb86b356
    2010-05-03 17:24:48 0 d-----w- C:\spoolerlogs
    2010-05-03 15:12:31 54156 ---ha-w- c:\windows\QTFont.qfn
    2010-05-03 15:12:31 1409 ----a-w- c:\windows\QTFont.for
    2010-05-03 08:36:26 3251 ----a-w- c:\windows\system32\wbem\Outlook_01caea9bb7fef3d0.mof
    2010-04-30 07:57:54 8178248 ----a-w- c:\program files\Firefox Setup 3.6.3.exe
    2010-04-23 14:21:13 79393 ----a-w- c:\windows\system32\drivers\Rdwm1009.sys
    2010-04-23 14:21:13 57344 ----a-w- c:\windows\system32\RDCP1009.CPL
    2010-04-23 14:21:13 4088 ----a-w- c:\windows\system32\Rd3t1009.DAT
    2010-04-23 14:21:13 208896 ----a-w- c:\windows\system32\RDDP1009.DAT
    2010-04-23 14:21:13 10886 ----a-w- c:\windows\system32\RdCi1009.dll
    2010-04-23 14:21:13 0 d-----w- c:\program files\RdDrv001
    2010-04-23 14:06:45 460949 ----a-w- c:\program files\UM1_WinXPDrv202.EXE
    2010-04-15 13:28:09 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
    2010-04-15 11:40:35 215920 ----a-w- c:\windows\system32\muweb.dll
    2010-04-15 11:40:35 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
    2010-04-15 11:40:34 274288 ----a-w- c:\windows\system32\mucltui.dll
    2010-04-15 11:36:58 0 d-----w- c:\windows\system32\wbem\Repository
    2010-04-15 11:35:27 0 d-----w- c:\program files\Microsoft Office Outlook Connector
    2010-04-15 09:48:55 0 d-----w- c:\documents and settings\richard\Tracing
    2010-04-15 09:47:02 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
    2010-04-15 09:39:14 0 d-----w- c:\program files\common files\Windows Live
    2010-04-12 12:26:58 0 d-----w- c:\windows\system32\RTCOM
    2010-04-10 15:09:45 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
    2010-04-10 15:09:42 368640 ----a-w- c:\windows\system32\ReWire.dll

    ==================== Find3M ====================

    2010-04-29 14:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 14:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-23 14:29:28 81920 ----a-w- c:\windows\ALCFDRTM.EXE
    2010-03-10 04:33:41 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
    2010-03-10 04:33:38 1025024 ------w- c:\windows\system32\dllcache\browseui.dll
    2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\dllcache\vbscript.dll
    2010-02-26 05:43:57 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-02-26 05:43:57 667136 ----a-w- c:\windows\system32\dllcache\wininet.dll
    2010-02-26 05:43:57 627712 ----a-w- c:\windows\system32\dllcache\urlmon.dll
    2010-02-26 05:43:55 3073024 ----a-w- c:\windows\system32\dllcache\mshtml.dll
    2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\ieencode.dll
    2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
    2010-02-26 05:43:54 251904 ------w- c:\windows\system32\dllcache\iepeers.dll
    2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
    2010-02-17 08:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
    2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
    2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
    2010-02-12 10:03:03 293376 ------w- c:\windows\system32\browserchoice.exe
    2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
    2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc(2).dll
    2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
    2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
    2008-12-29 09:48:38 607640 ----a-w- c:\program files\jxpiinstall-6u11-fcs-bin-b90-windows-i586-25_nov_2008.exe
    2008-12-29 09:46:19 4900376 ----a-w- c:\program files\LimeWireWin.exe
    2008-02-06 09:20:00 8705840 ----a-w- c:\program files\winamp552_full_emusic-7plus_en-us.exe
    2006-07-28 09:16:53 37518744 ----a-w- c:\program files\iTunesSetup.exe
    2006-04-02 08:27:09 10546778 ----a-w- c:\program files\boinc_5.2.13_windows_intelx86.exe
    2005-12-21 09:43:49 4622658 ----a-w- c:\program files\eMule0.46c_Installer.exe
    2005-09-25 11:31:10 212849 ----a-w- c:\program files\hijackthis.zip
    2005-05-07 10:22:14 4833824 ----a-w- c:\program files\winamp509_full_emusic-8basic.exe
    2005-04-21 16:38:21 2168896 ----a-w- c:\program files\arlaudio.exe
    2005-03-15 15:11:25 8668528 ----a-w- c:\program files\RealOnePlayerV2GOLD.exe
    2005-03-13 21:47:35 2636408 ----a-w- c:\program files\aawsepersonal.exe
    2000-08-18 18:04:18 2187 ----a-w- c:\program files\bof.nfo

    ============= FINISH: 2:46:37.59 ===============
     
  10. Monty246

    Monty246 Thread Starter

    Joined:
    May 5, 2010
    Messages:
    13
    I have eventually managed to do a system restore. Strangely I had no audio and it wouldn't let me do anything about it. OK now though, I had to reinstall an older driver, but this was after the system restore so I don't know....
    I can also get Internet Explorer up and running now. Firefox was running at 50% and still is, although that could just be my settings for it, but I don't know how to change them.
    Also I'm still suspicious that everything's not OK ....
    Also scvhost is using up a huge amount of memory, about 70-80%, and I have to keep stopping it.
    Thanks for your time.
     
  11. RPMcMurphy

    RPMcMurphy Malware Specialist

    Joined:
    Apr 26, 2010
    Messages:
    444
    You did a System Restore after you ran the DDS report? I just finished with your log and you are still infected. If you want help cleaning the machine you need to stop trying to troubleshoot yourself. I totally understand your frustration, but it really complicates things for me (and adds to the amount of time this will take) when you make changes on your own.

    If you want to continue, I need you to run GMER (instructions in my first post). If you did the System Restore after you produced the DDS report, I'll need you to run that again also as it will be different.

    Please include the following in your next post if you wish to continue:

    • DDS and Attach.txt logs
    • GMER log
     
  12. Monty246

    Monty246 Thread Starter

    Joined:
    May 5, 2010
    Messages:
    13
    Sorry. Yes, it is frustrating!
    But here is the DDS log for my machine as it is now.
    I will post the rootkit log in a minute.
    Thanks for your time...
     
  13. Monty246

    Monty246 Thread Starter

    Joined:
    May 5, 2010
    Messages:
    13
    Oooops!
    Here it is.
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 13/03/2005 17:33:23
    System Uptime: 05/07/2010 07:16:16 (-1416 hours ago)

    Motherboard: NEC COMPUTERS INTERNATIONAL | | GA-8I915PM
    Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Socket 775 | 2992/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 181 GiB total, 64.864 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1208: 05/02/2010 21:28:50 - System Checkpoint
    RP1209: 06/02/2010 22:24:03 - System Checkpoint
    RP1210: 08/02/2010 09:35:08 - System Checkpoint
    RP1211: 10/02/2010 06:22:58 - Software Distribution Service 3.0
    RP1212: 11/02/2010 18:18:11 - System Checkpoint
    RP1213: 13/02/2010 09:58:26 - System Checkpoint
    RP1214: 14/02/2010 14:17:35 - System Checkpoint
    RP1215: 15/02/2010 17:29:11 - System Checkpoint
    RP1216: 16/02/2010 17:52:17 - System Checkpoint
    RP1217: 17/02/2010 20:50:03 - System Checkpoint
    RP1218: 18/02/2010 21:27:32 - System Checkpoint
    RP1219: 19/02/2010 22:27:30 - System Checkpoint
    RP1220: 21/02/2010 14:35:03 - System Checkpoint
    RP1221: 23/02/2010 17:20:58 - System Checkpoint
    RP1222: 24/02/2010 17:32:43 - System Checkpoint
    RP1223: 24/02/2010 17:57:37 - Software Distribution Service 3.0
    RP1224: 25/02/2010 18:10:57 - System Checkpoint
    RP1225: 27/02/2010 11:30:50 - System Checkpoint
    RP1226: 28/02/2010 13:39:09 - System Checkpoint
    RP1227: 02/03/2010 09:48:11 - System Checkpoint
    RP1228: 03/03/2010 14:25:17 - System Checkpoint
    RP1229: 04/03/2010 16:07:58 - System Checkpoint
    RP1230: 05/03/2010 16:16:57 - System Checkpoint
    RP1231: 06/03/2010 16:36:14 - System Checkpoint
    RP1232: 08/03/2010 09:15:42 - System Checkpoint
    RP1233: 09/03/2010 08:39:18 - Avg8 Update
    RP1234: 10/03/2010 20:31:09 - Software Distribution Service 3.0
    RP1235: 13/03/2010 11:04:21 - System Checkpoint
    RP1236: 14/03/2010 12:19:39 - System Checkpoint
    RP1237: 15/03/2010 17:56:58 - System Checkpoint
    RP1238: 16/03/2010 18:20:05 - System Checkpoint
    RP1239: 17/03/2010 18:25:44 - System Checkpoint
    RP1240: 17/03/2010 19:43:58 - Software Distribution Service 3.0
    RP1241: 18/03/2010 20:26:36 - System Checkpoint
    RP1242: 19/03/2010 17:01:56 - Avg8 Update
    RP1243: 19/03/2010 17:04:14 - Avg8 Update
    RP1244: 20/03/2010 17:52:16 - System Checkpoint
    RP1245: 21/03/2010 18:43:45 - System Checkpoint
    RP1246: 22/03/2010 18:54:29 - System Checkpoint
    RP1247: 24/03/2010 16:22:19 - System Checkpoint
    RP1248: 25/03/2010 17:40:00 - System Checkpoint
    RP1249: 26/03/2010 18:26:38 - System Checkpoint
    RP1250: 28/03/2010 09:39:00 - System Checkpoint
    RP1251: 28/03/2010 11:14:57 - Software Distribution Service 3.0
    RP1252: 28/03/2010 11:24:51 - Installed Compatibility Pack for the 2007 Office system
    RP1253: 29/03/2010 11:30:10 - System Checkpoint
    RP1254: 30/03/2010 11:43:50 - System Checkpoint
    RP1255: 31/03/2010 08:45:56 - Software Distribution Service 3.0
    RP1256: 01/04/2010 11:02:14 - System Checkpoint
    RP1257: 02/04/2010 12:49:56 - System Checkpoint
    RP1258: 03/04/2010 14:54:57 - System Checkpoint
    RP1259: 05/04/2010 14:52:01 - System Checkpoint
    RP1260: 06/04/2010 15:19:13 - System Checkpoint
    RP1261: 07/04/2010 15:42:41 - System Checkpoint
    RP1262: 08/04/2010 16:08:58 - System Checkpoint
    RP1263: 10/04/2010 09:46:46 - System Checkpoint
    RP1264: 11/04/2010 17:53:39 - Unsigned driver install
    RP1265: 12/04/2010 18:00:52 - System Checkpoint
    RP1266: 13/04/2010 18:31:14 - System Checkpoint
    RP1267: 14/04/2010 09:08:59 - Software Distribution Service 3.0
    RP1268: 15/04/2010 10:46:48 - Installed Windows XP KB954708.
    RP1269: 15/04/2010 10:47:12 - Installed DirectX
    RP1270: 15/04/2010 12:16:30 - Restore Operation
    RP1271: 15/04/2010 12:33:40 - Restore Operation
    RP1272: 15/04/2010 13:37:11 - Spybot-S&D Spyware removal
    RP1273: 15/04/2010 14:26:14 - Software Distribution Service 3.0
    RP1274: 16/04/2010 14:36:24 - System Checkpoint
    RP1275: 19/04/2010 10:40:47 - System Checkpoint
    RP1276: 19/04/2010 21:59:12 - Software Distribution Service 3.0
    RP1277: 21/04/2010 03:00:45 - Software Distribution Service 3.0
    RP1278: 21/04/2010 03:16:53 - Software Distribution Service 3.0
    RP1279: 22/04/2010 10:30:20 - System Checkpoint
    RP1280: 23/04/2010 11:09:18 - System Checkpoint
    RP1281: 23/04/2010 14:56:31 - Unsigned driver install
    RP1282: 23/04/2010 15:07:42 - Unsigned driver install
    RP1283: 23/04/2010 15:22:23 - Unsigned driver install
    RP1284: 24/04/2010 15:53:05 - System Checkpoint
    RP1285: 25/04/2010 16:58:11 - System Checkpoint
    RP1286: 27/04/2010 09:46:01 - System Checkpoint
    RP1287: 28/04/2010 09:51:37 - System Checkpoint
    RP1288: 29/04/2010 11:46:56 - System Checkpoint
    RP1289: 30/04/2010 12:51:31 - System Checkpoint
    RP1290: 01/05/2010 14:09:18 - System Checkpoint
    RP1291: 03/05/2010 18:59:48 - System Checkpoint
    RP1292: 04/05/2010 19:39:44 - System Checkpoint
    RP1293: 07/05/2010 06:02:27 - Restore Operation
    RP1294: 07/05/2010 06:03:29 - Restore Operation
    RP1295: 07/05/2010 07:13:46 - Restore Operation

    ==== Installed Programs ======================

    AAC Decoder
    ABBYY FineReader 5.0 Sprint
    ACE Mega CoDecS Pack
    Ad-Aware
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Illustrator CS2
    Adobe Reader 7.0
    Adobe Shockwave Player 11
    Adobe SVG Viewer 3.0
    ATI Display Driver
    µTorrent
    AudibleManager
    AudioMulch Interactive Music Studio 1.0
    AutoUpdate
    AVG Anti-Rootkit Free
    AVG Free 8.5
    AVI to VCD/DVD 4.02
    BBC iPlayer Desktop
    Cartes du Ciel
    CDRWIN
    CleanUp!
    Collab
    Compatibility Pack for the 2007 Office system
    Creative Mass Storage Drivers
    Creative System Information
    Creative Zen Nano Plus
    Critical Update for Windows Media Player 11 (KB959772)
    dBpowerAMP Monkeys Audio Codec
    dBpowerAMP Ogg Vorbis Codec
    dBpowerAMP Real Audio Codec
    dBpowerAMP WMA V8 Codec
    DIGOpt
    DIGReqEx
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Plus Web Player
    DivX Version Checker
    dMC Auxiliary Input
    dMC File Selector
    dMC mp3PRO (CLI) Encoder
    dMC Power Pack
    DreamStation DXi
    FaxTools
    FL Studio 5
    FLV Player 1.3.3
    GetDataBack for NTFS
    H.264 Decoder
    High Definition Audio Driver Package - KB835221
    HijackThis 2.0.2
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Java 2 Runtime Environment, SE v1.4.2_05
    Java Auto Updater
    Java(TM) 6 Update 18
    Lexmark Fax Solutions
    Lexmark P910 Series
    Lexmark X1100 Series
    Logitech Gaming Software
    Macromedia Shockwave Player
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Outlook Connector
    Microsoft Office Professional Edition 2003
    Microsoft Picture It! Express 9
    Microsoft Picture It! Library 9
    Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Windows Media Video 9 VCM
    Microsoft Works 7.0
    MKV Splitter
    Mozilla Firefox (3.6.3)
    MSN
    MSN Encarta Plus Support Files
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Musition Sampler
    Native Instruments Kontakt Player Sibelius
    Native Instruments Xpress Keyboards v1.0
    neroxml
    Neuratron PhotoScore Lite
    Panda ActiveScan
    Project64 1.6
    QuickTime
    RadLight MPC DirectShow Filter (remove only)
    RealPlayer
    Realtek High Definition Audio Driver
    REALTEK USB Wireless LAN Driver and Utility
    Reason
    Reason 4.0
    ReCycle 1.7
    Security Update for CAPICOM (KB931906)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981349)
    Sibelius 3
    Sibelius Scorch
    Sonic MyDVD
    Sonic RecordNow!
    Sony ACID Pro 5.0
    Sony Picture Utility
    Sony Sound Forge 8.0
    Sony USB Driver
    SopCast 3.0.0
    SpeedTouch USB Software
    Spybot - Search & Destroy
    Steinberg Cubase SX 1.01
    Steinberg Cubase VST32
    Syncrosoft's License Control
    Tiger Woods PGA TOUR 2005
    TVAnts 1.0
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB978207)
    Update for Windows XP (KB980182)
    VC80CRTRedist - 8.0.50727.4053
    Veetle TV Player 0.9.7
    VinylStudio
    WaveLab
    WebFldrs XP
    Winamp
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage v1.3.0254.0
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver
    WordFIX

    ==== Event Viewer Messages From Past Week ========

    07/05/2010 06:25:21, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
    05/05/2010 05:21:48, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    05/05/2010 05:21:48, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    05/05/2010 05:12:41, error: Service Control Manager [7016] - The SmartLinkService service has reported an invalid current state 0.
    03/05/2010 18:24:50, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

    ==== End Of File ===========================
     
  14. Monty246

    Monty246 Thread Starter

    Joined:
    May 5, 2010
    Messages:
    13
    My system seems to have a problem running the rootkit scanner. I can't run it without it crashing.
    Appreciate the help....
     
  15. RPMcMurphy

    RPMcMurphy Malware Specialist

    Joined:
    Apr 26, 2010
    Messages:
    444
    Hello,

    Did you try these steps?

    Also, you only posted one of the DDS logs. I still need a current DDS.txt log.

    Thanks!
     
Short URL to this thread: https://techguy.org/921188