
Possible Virus/Trojan



Old 08-18-2013, 12:03 PM   #1
Registered Member
 
Join Date: Dec 2011
Posts: 98
OS: XP



Hi,

You have previously helped me with a problem on a different computer to this one.

The main problems are as follows.

System seems to be preventing any use of a firewall programme from opening (have used the standard windows version and the AVG firewall).

No ability to access security updates from Windows (I am aware that tech support has ceased for XP but feel there could be a few still not used)

The pc crashes to a black screen intermittently (unless using in Safe Mode).

A full start-up takes around 10-15 mins to be fully functioning and is painfully slow in running browsers.

I have attached the DDS log and the GMER file as requested.

Thanks in advance

Si

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.25.2
Run by Admin at 20:07:58 on 2013-08-16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.569 [GMT 1:00]
.
AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
\??\C:\PROGRA~1\AVG\AVG2013\avgrsx.exe
\??\C:\Program Files\AVG\AVG2013\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2013\avgidsagent.exe
C:\Program Files\AVG\AVG2013\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\All Users\Application Data\BrowserProtect\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Documents and Settings\All Users\Application Data\BrowserProtect\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe
C:\Program Files\AVG\AVG2013\avgnsx.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Ralink\Common\RaRegistry.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\AVG\AVG2013\avgui.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\loggingserver.exe
C:\Documents and Settings\Admin\Application Data\Yontoo\YontooDesktop.exe
C:\Documents and Settings\Admin\Application Data\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
C:\Program Files\McAfee Security Scan\3.0.287\SSScheduler.exe
C:\Program Files\Ralink\Common\RaUI.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\15.5.0.2\AVG Secure Search_toolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: Yontoo: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - c:\program files\yontoo\YontooIEClient.dll
TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\15.5.0.2\AVG Secure Search_toolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\admin\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [GoogleChromeAutoLaunch_D529F91419EC9DBBC89DA7F1A46E6701] "c:\documents and settings\admin\local settings\application data\google\chrome\application\chrome.exe" --no-startup-window
uRun: [Yontoo Desktop] "c:\documents and settings\admin\application data\yontoo\YontooDesktop.exe"
uRun: [Spotify Web Helper] "c:\documents and settings\admin\application data\spotify\data\SpotifyWebHelper.exe"
uRun: [Spotify] "c:\documents and settings\admin\application data\spotify\Spotify.exe" /uri spotify:autostart
uRun: [Sony PC Companion] "c:\program files\sony ericsson\sony ericsson pc companion\PCCompanion.exe" /Background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [AdaptecDirectCD] "c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe"
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [LTWinModem1] ltmsg.exe 9
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ga311s~1.lnk - c:\program files\netgear ga311 adapter\GA311.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.0.287\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{2CE0B38A-A7CD-4084-80A8-C7005D1BDE99} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{54147F9D-BED8-43F5-8420-1B181166C2F2} : DHCPNameServer = 192.168.1.254
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\15.5.0\ViProtocol.dll
AppInit_DLLs= c:\docume~1\alluse~1\applic~1\browse~1\261519~1.190\{c16c1~1\browse~1.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2013-08-16 13:55:27 -------- d-----w- c:\windows\pss
2013-08-16 13:04:41 -------- d-----w- c:\windows\system32\MRT
2013-08-14 10:42:09 -------- d-----w- c:\windows\system32\%systemroo?%
2013-08-14 10:42:09 -------- d-----w- c:\windows\sys?em
2013-08-09 20:49:18 -------- d-----w- c:\windows\system32\%progr?mfiles%
2013-07-24 20:56:18 163328 ----a-w- c:\windows\system32\FlashPlayerUpdateService.exe
.
==================== Find3M ====================
.
2013-08-16 12:57:26 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-07-15 21:00:01 4188160 ----a-w- c:\program files\GUT51.tmp
2013-06-28 10:30:05 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-06-28 10:29:19 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-06-28 10:29:13 867240 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-06-28 10:29:11 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-07 22:55:44 385024 ------w- c:\windows\system32\html.iec
2013-06-07 21:56:06 920064 ----a-w- c:\windows\system32\wininet.dll
2013-06-07 21:56:06 43520 ------w- c:\windows\system32\licmgr10.dll
2013-06-07 21:56:05 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-06-05 12:01:34 692104 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-05 12:01:33 71048 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-04 07:23:02 562688 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 01:40:45 1876736 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 20:10:15.00 ===============
Attached Files
File Type: txt dds.txt (9.4 KB, 18 views)
File Type: txt attach.txt (17.7 KB, 20 views)
File Type: txt GMER.txt (405.3 KB, 19 views)

Old 08-21-2013, 08:40 AM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,492
OS: XP SP3; Win7 32/64-bit



Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

Disable all antivirus and antispyware programs. Get help here

Double-click ComboFix.exe and follow the prompts to run it.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  • With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
  • It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:


  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done.
  • ComboFix may reboot your machine. This is normal. For some infections, it may do this multiple times.
  • When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------

Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Old 08-22-2013, 08:28 AM   #3
Registered Member
 
Join Date: Dec 2011
Posts: 98
OS: XP



Hi Chemist,

Sorry to be back in touch so soon, I hope that you are well.

I have had quite a bit of trouble getting the ComboFix log; the system has been crashing to the black screen frequently.

As you will see from the report, it detected AVG running. I am not sure why, because this was run in Safe Mode and, as far as I am aware, these types of programmes don't run in Safe Mode?

I hope that the attached may give you some help with regards to the "problem".

Kind regards

Si

ComboFix 13-08-21.01 - Admin 22/08/2013 15:02:21.2.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.674 [GMT 1:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Admin\Local Settings\Application Data\Google\Chrome\User Data\Default\bProtector Web Data
c:\documents and settings\Admin\Local Settings\Application Data\Google\Chrome\User Data\Default\bProtectorPreferences
c:\documents and settings\All Users\Application Data\DirectCDUserName.txt
.
.
((((((((((((((((((((((((( Files Created from 2013-07-22 to 2013-08-22 )))))))))))))))))))))))))))))))
.
.
2013-08-22 12:44 . 2013-08-22 12:44 -------- d-----w-temroot% c:\windows\system32\%SSTEM~1
2013-08-21 17:29 . 2013-08-21 17:29 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2013-08-16 13:04 . 2013-08-16 13:31 -------- d-----w- c:\windows\system32\MRT
2013-08-14 10:42 . 2013-08-14 10:42 -------- d-----w-m c:\windows\SYSEM~1
2013-08-09 20:49 . 2013-08-09 20:49 -------- d-----w-files% c:\windows\system32\%PROGR~1
2013-07-24 20:56 . 2013-07-24 20:56 163328 ----a-w- c:\windows\system32\FlashPlayerUpdateService.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-16 12:57 . 2013-07-08 20:36 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-07-26 02:47 . 2001-08-18 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-07-26 02:47 . 2001-08-18 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-07-26 02:47 . 2001-08-18 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-07-25 15:52 . 2010-12-18 14:33 385024 ------w- c:\windows\system32\html.iec
2013-07-15 21:00 . 2013-07-15 21:00 4188160 ----a-w- c:\program files\GUT51.tmp
2013-07-10 10:37 . 2001-08-18 12:00 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-04 02:59 . 2001-08-18 12:00 2193536 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2001-08-17 13:48 2070144 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-28 10:30 . 2013-06-28 10:32 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-06-28 10:29 . 2013-06-28 10:33 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-06-28 10:29 . 2012-10-27 09:28 867240 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-06-28 10:29 . 2011-09-12 18:16 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-05 12:01 . 2012-10-28 17:07 692104 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-05 12:01 . 2012-01-15 17:31 71048 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-04 07:23 . 2001-08-18 12:00 562688 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 01:40 . 2001-08-18 12:00 1876736 ----a-w- c:\windows\system32\win32k.sys
2013-05-28 01:59 . 2001-08-18 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2013-05-28 00:41 . 2010-12-19 09:54 6144 ----a-w- c:\windows\system32\xpsp4res.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2013-08-16 12:57 3122864 ----a-w- c:\program files\AVG Secure Search\15.5.0.2\AVG Secure Search_toolbar.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2007-06-02 1457152]
"Yontoo Desktop"="c:\documents and settings\Admin\Application Data\Yontoo\YontooDesktop.exe" [2013-05-01 42784]
"Spotify Web Helper"="c:\documents and settings\Admin\Application Data\Spotify\Data\SpotifyWebHelper.exe" [2013-07-09 1104384]
"Spotify"="c:\documents and settings\Admin\Application Data\Spotify\Spotify.exe" [2013-07-09 4640768]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17420464]
"GoogleChromeAutoLaunch_D529F91419EC9DBBC89DA7F1A46E6701"="c:\documents and settings\Admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2013-07-25 846288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTWinModem1"="ltmsg.exe 9" [X]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-07-13 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-07-13 311350]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-07-13 28739]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"nwiz"="nwiz.exe" [2003-10-06 741376]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2012-12-11 3147384]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2013-08-16 2314416]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-31 152392]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 655360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
GA311 Smart Wizard Utility.lnk - c:\program files\NETGEAR GA311 Adapter\GA311.exe [2003-12-25 270336]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.287\SSScheduler.exe [2012-9-11 271808]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
Ralink Wireless Utility.lnk - c:\program files\Ralink\Common\RaUI.exe -s [2011-3-13 1672480]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe /startup [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Documents and Settings\\Admin\\Application Data\\Spotify\\spotify.exe"=
"c:\\Documents and Settings\\Admin_2\\Local Settings\\Temp\\7zS5223\\HPDiagnosticCoreUI.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgmfapx.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [15/10/2012 03:48 55776]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [21/09/2012 03:46 177376]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [14/09/2012 03:05 35552]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [21/09/2012 03:46 164832]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [08/07/2013 21:36 37664]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [22/10/2012 13:02 179936]
S1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [21/09/2012 03:45 19936]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [02/10/2012 03:30 159712]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [15/11/2012 23:34 5814904]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [22/10/2012 13:05 196664]
S2 BrowserProtect;BrowserProtect;c:\documents and settings\All Users\Application Data\BrowserProtect\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe [05/08/2013 22:15 2847696]
S2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [25/12/2003 20:53 8440]
S2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [13/03/2011 14:07 19072]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [13/07/2012 15:14 160944]
S2 vToolbarUpdater15.5.0;vToolbarUpdater15.5.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe [16/08/2013 13:58 1643184]
S2 Yontoo Desktop Updater;Yontoo Desktop Updater;c:\program files\Yontoo\Y2Desktop.Updater.exe [06/05/2013 11:02 23552]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [25/12/2003 20:53 11237]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.287\McCHSvc.exe [11/09/2012 17:12 234776]
S3 Sony PC Companion;Sony PC Companion;c:\program files\Sony\Sony PC Companion\PCCService.exe [12/09/2011 19:06 155320]
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-14 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Deskjet 3050A J611 series\Bin\HPCustPartic.exe [2011-06-08 18:06]
.
2013-08-06 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Deskjet 3050A J611 series\Bin\HPCustPartic.exe [2011-06-08 18:06]
.
2013-08-14 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Deskjet 3050A J611 series\Bin\HPCustPartic.exe [2011-06-08 18:06]
.
2013-08-17 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Deskjet 3050A J611 series\Bin\HPCustPartic.exe [2011-06-08 18:06]
.
2013-08-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-02 13:29]
.
2013-08-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-02 13:29]
.
2013-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-616249376-839522115-1004Core.job
- c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-13 13:20]
.
2013-08-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-616249376-839522115-1004UA.job
- c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-13 13:20]
.
2013-08-21 c:\windows\Tasks\HP Photo Creations Messager.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\MessageCheck.exe [2011-02-15 10:11]
.
2013-08-20 c:\windows\Tasks\Registry Optimizer_DEFAULT.job
- c:\program files\WinZip Registry Optimizer\Winzipro.exe [2013-03-28 11:07]
.
2013-07-10 c:\windows\Tasks\Registry Optimizer_UPDATES.job
- c:\program files\WinZip Registry Optimizer\Winzipro.exe [2013-03-28 11:07]
.
2013-08-22 c:\windows\Tasks\User_Feed_Synchronization-{69E81E86-979C-4168-80E0-A6E9792D13DD}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\15.5.0\ViProtocol.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Sony PC Companion - c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2013-08-22 15:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\l3codecx.acm
.
Completion time: 2013-08-22 15:20:18
ComboFix-quarantined-files.txt 2013-08-22 14:20
.
Pre-Run: 5,957,984,256 bytes free
Post-Run: 5,933,944,832 bytes free
.
- - End Of File - - 6EB34D386BB8B175664A9F349773DB67
8F558EB6672622401DA993E1E865C861
Attached Files
File Type: txt log.txt (14.3 KB, 15 views)
Old 08-22-2013, 04:05 PM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,492
OS: XP SP3; Win7 32/64-bit



Hello Si. I am well, thanks. Hope you are as well.

No need to attach logs going forward. Just copy/paste them directly into the Reply to Thread window. Thanks.

------------------------------------------------------

Please uninstall the following via Start->(or Computer)->Control Panel->Add or Remove Programs if it still exists:

BrowserProtect << Please read this

Please delete the following Folder if it still exists:

C:\Program Files\BrowserProtect

------------------------------------------------------

Go to Start > Run and copy/paste the following into the Run box and click OK:

cmd /c rd /s/q "c:\documents and settings\All Users\Application Data\BrowserProtect"

A DOS window will open and close again, this is normal.

------------------------------------------------------

WinZip Registry Optimizer

We do not recommend the use of registry cleaners. Our colleague miekiemoes has an excellent writeup here

We suggest uninstalling them via Add or Remove Programs in your Control Panel.

------------------------------------------------------

It appears you ran ComboFix twice. I need to see the first log.

Go to Start > Run and copy/paste the following into the Run box and click OK:

C:\Qoobox\ComboFix2.txt

A text file should open. Please post the contents of that file in your next reply.

------------------------------------------------------
Old 08-23-2013, 04:27 AM   #5
Registered Member
 
Join Date: Dec 2011
Posts: 98
OS: XP



Hi Chemist,

I have successfully removed the two programs using the method you suggested.

With regard to the ComboFix log, I have pasted the info into the Run box and it has not come up with anything (the message that pops up says Windows cannot find it).

I await your next instruction.

Si
Old 08-23-2013, 04:57 AM   #6
Registered Member
 
Join Date: Dec 2011
Posts: 98
OS: XP



Further to the earlier message, I have started the PC in Normal Mode and, while it still takes an age to start up, the Windows Firewall is now on and seems to be operational once again.
Old 08-23-2013, 05:34 AM   #7
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,492
OS: XP SP3; Win7 32/64-bit



Hello again, Si.

Please download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner[S#].txt
  • Please copy/paste the contents of the log in your next reply.
------------------------------------------------------

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it. (Vista/Win7 users, right-click > Run as Administrator)
  • Copy/paste the contents of the following codebox into the main textfield:
    Code:
    :dir
    sys?em /s
    %systemroo?% /s
    progr?mfiles /s
  • Click the Look button to start the scan.
  • Please be patient, as it may take a while.
  • When finished, a Notepad file will open with the results of the scan. Please post this log in your next reply.
    If it is too big to post, please attach it to your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

------------------------------------------------------

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the Internet Services option remains checked.
  • Check all the other boxes.
  • Click Scan.
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log in your next reply.
------------------------------------------------------
Old 08-23-2013, 07:32 AM   #8
SimonAJ (Registered Member; Join Date: Dec 2011; Posts: 98; OS: XP)

Hi Chemist,

Please find below the reports as requested:

# AdwCleaner v3.000 - Report created 23/08/2013 at 13:56:11
# Updated 20/08/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Admin - ELLA
# Running from : C:\Documents and Settings\Admin\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

[#] Service Deleted : Yontoo Desktop Updater

***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\APN
Folder Deleted : C:\Documents and Settings\All Users\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Deleted : C:\Program Files\AVG Secure Search
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\TornTV.com
Folder Deleted : C:\Program Files\Yontoo
Folder Deleted : C:\Program Files\Common Files\AVG Secure Search
Folder Deleted : C:\Documents and Settings\Admin\Local Settings\Application Data\APN
Folder Deleted : C:\Documents and Settings\Admin\Local Settings\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\Admin\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\Admin\Local Settings\Application Data\PackageAware
Folder Deleted : C:\Documents and Settings\Admin\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\Admin\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\Admin\Application Data\file scout
Folder Deleted : C:\Documents and Settings\Admin\Application Data\OpenCandy
Folder Deleted : C:\Documents and Settings\Admin\Application Data\Yontoo
Folder Deleted : C:\Documents and Settings\Admin\Start Menu\Programs\TornTV.com
Folder Deleted : C:\Documents and Settings\Spud\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\Spud\Local Settings\Application Data\ConduitEngine
Folder Deleted : C:\Documents and Settings\Spud\Application Data\delta
[!] Folder Deleted : C:\Documents and Settings\Admin_2\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bejbohlohkkgompgecdcbbglkpjfjgdj
File Deleted : C:\WINDOWS\system32\conduitEngine.tmp
File Deleted : C:\Documents and Settings\Admin_2\Local Settings\Application Data\Google\Chrome\User Data\Default\bProtector Web Data
File Deleted : C:\Documents and Settings\Admin_2\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_search.conduit.com_0.localstorage
File Deleted : C:\Documents and Settings\Admin_2\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_search.conduit.com_0.localstorage-journal

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bejbohlohkkgompgecdcbbglkpjfjgdj
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI.1
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj.1
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api
Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\BrowserProtect
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Yontoo Desktop]
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKCU\Software\5cedfd8b06aef48
Key Deleted : HKLM\SOFTWARE\5cedfd8b06aef48
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{99066096-8989-4612-841F-621A01D54AD7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E1164984-B567-47BD-A7FF-240C2594404A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25CEE8EC-5730-41BC-8B58-22DDC8AB8C20}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{82E1477C-B154-48D3-9891-33D83C26BCD3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{C1AF5FA5-852C-4C90-812E-A7F75E011D87}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43B7-BEA3-87217BDA7406}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EEE7E0A3-AE64-4DC8-84D1-F5D7BAF2DB0C}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Key Deleted : HKCU\Software\1ClickDownload
Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\BabylonToolbar
Key Deleted : HKCU\Software\Conduit
[#] Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKCU\Software\Headlight
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1ClickDownload
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\1ClickDownload
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\conduitEngine
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Winamp Toolbar

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [bProtectTabs]

-\\ Mozilla Firefox v

[ File : C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\[ofr2][opt]rs0\prefs.js ]


-\\ Google Chrome v

[ File : C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Deleted : homepage
Deleted : urls_to_restore_on_startup

[ File : C:\Documents and Settings\Admin_2\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Deleted : homepage
Deleted : urls_to_restore_on_startup

*************************

AdwCleaner[R0].txt - [10852 octets] - [23/08/2013 13:53:39]
AdwCleaner[S0].txt - [10840 octets] - [23/08/2013 13:56:11]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [10901 octets] ##########

SystemLook 30.07.11 by jpshortstuff
Log created at 14:29 on 23/08/2013 by Admin
Administrator - Elevation successful

========== dir ==========

sys?em - Unable to find folder.

%systemroo?% - Unable to find folder.

progr?mfiles - Unable to find folder.

-= EOF =-

Farbar Service Scanner Version: 18-08-2013
Ran by Admin (administrator) on 23-08-2013 at 14:20:48
Running from "C:\Documents and Settings\Admin\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Network
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem: "C:\WINDOWS\System32\svchost.exe -k netsvcs".
The ServiceDll of EventSystem: "C:\WINDOWS\System32\es.dll".


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Avgtdix(10) Gpc(3) IPSec(5) LANPkt(8) NetBT(6) PSched(7) Tcpip(4)
0x0A00000005000000010000000200000003000000040000000A00000006000000070000000800000009000000
IpSec Tag value is correct.

**** End of log ****
Old 08-23-2013, 08:10 AM   #9
chemist (Security Team; Moderator, Analyst; Rangemaster, TSF Academy; Microsoft Most Valuable Professional; Join Date: Oct 2007; Location: Georgia; Posts: 26,492; OS: XP SP3; Win7 32/64-bit)

Hello again, Si.

Go to Start > Run and type services.msc then press Enter.

Scroll down to and double-click BITS

Make sure Startup type is set to 'Automatic', if not already, then 'Start' the service > OK.

Repeat for Security Center, Automatic Updates, and COM+ Event System

Exit Services. Reboot your computer. Can you update now?

------------------------------------------------------

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
File::
c:\windows\Tasks\Registry Optimizer_DEFAULT.job
c:\windows\Tasks\Registry Optimizer_UPDATES.job

DDS::
uInternet Connection Wizard,ShellNext = iexplore

DirLook::
2013-08-22 12:44 . 2013-08-22 12:44 -------- d-----w-temroot% c:\windows\system32\%SSTEM~1
2013-08-14 10:42 . 2013-08-14 10:42 -------- d-----w-m c:\windows\SYSEM~1
2013-08-09 20:49 . 2013-08-09 20:49 -------- d-----w-files% c:\windows\system32\%PROGR~1

ClearJavaCache::

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"=-

Driver::
BrowserProtect
Yontoo Desktop Updater

Save this Notepad file as CFScript.txt to your Desktop and then close the file.

Referring to the picture above, drag CFScript onto ComboFix.

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
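The Farbar Service Scanner log Si posted in #8 and the services.msc steps in this post map onto each other mechanically: a service that FSS reports as not running, or whose start type differs from the default, is the one to set back to Automatic and start. As an added example, not from this thread and not part of FSS or any other tool mentioned here, the Python below parses FSS-style "Service is not running" and "start type ... is set to Demand" lines and turns them into the equivalent sc.exe commands. The embedded log excerpt is a constructed copy of the lines above; `wscsvc`, `wuauserv`, `BITS` and `EventSystem` are the real service names behind Security Center, Automatic Updates, BITS and COM+ Event System, and `sc config <name> start= auto` / `sc start <name>` is standard sc.exe syntax (the space after `start=` is required).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt of the Farbar Service Scanner log posted above (the real log has more sections).
SAMPLE_FSS_LOG = r"""
Security Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem: "C:\WINDOWS\System32\svchost.exe -k netsvcs".
The ServiceDll of EventSystem: "C:\WINDOWS\System32\es.dll".


File Check:
========
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
"""

# Line shapes FSS uses for a stopped service and for a start type that differs from the default.
NOT_RUNNING = re.compile(r"^(?P<name>\S+) Service is not running\. Checking service configuration:$")
START_DEVIATES = re.compile(
    r"^The start type of (?P<name>\S+) service is set to (?P<actual>\w+)\. "
    r"The default start type is (?P<default>\w+)\.$"
)
FILE_CHECK = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => (?P<verdict>.+)$")

# The four services this post tells Si to set to Automatic and start, by their real service names.
SERVICES_TO_FIX = ("BITS", "wscsvc", "wuauserv", "EventSystem")


@dataclass
class ServiceFinding:
    name: str
    running: bool = True
    start_type: Optional[str] = None      # actual start type, only set when FSS reports a deviation
    default_start: Optional[str] = None


def parse_fss(text: str) -> Dict[str, ServiceFinding]:
    """Collect per-service findings from FSS output."""
    findings: Dict[str, ServiceFinding] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = NOT_RUNNING.match(line)
        if m:
            findings.setdefault(m["name"], ServiceFinding(m["name"])).running = False
            continue
        m = START_DEVIATES.match(line)
        if m:
            f = findings.setdefault(m["name"], ServiceFinding(m["name"]))
            f.start_type, f.default_start = m["actual"], m["default"]
    return findings


def suspect_files(text: str) -> List[str]:
    """File Check entries whose verdict is anything other than 'MD5 is legit'."""
    return [m["path"] for m in map(FILE_CHECK.match, (ln.strip() for ln in text.splitlines()))
            if m and m["verdict"].strip() != "MD5 is legit"]


def remediation_commands(findings: Dict[str, ServiceFinding]) -> List[str]:
    """sc.exe equivalents of the services.msc steps: fix the start type only if it deviates, then start."""
    cmds: List[str] = []
    for name in SERVICES_TO_FIX:
        f = findings.get(name)
        if f is None:
            continue                      # FSS reported nothing wrong with this service
        if f.start_type is not None and f.start_type != "Auto":
            cmds.append(f"sc config {name} start= auto")   # sc.exe needs the space after 'start='
        if not f.running:
            cmds.append(f"sc start {name}")
    return cmds


if __name__ == "__main__":
    found = parse_fss(SAMPLE_FSS_LOG)
    for f in found.values():
        print(f"{f.name}: running={f.running} start_type={f.start_type or 'default'}")
    print("\n".join(remediation_commands(found)))
    print("files failing MD5 check:", suspect_files(SAMPLE_FSS_LOG) or "none")
```

Run against the excerpt it yields one `sc config BITS start= auto` (the only start type FSS flagged) followed by an `sc start` for each of the four stopped services, and an empty list from `suspect_files`, since every File Check line in the log reads "MD5 is legit". The point of keeping the start-type fix conditional is the same as chemist's "if not already": a tool that blindly rewrites service configuration is harder to audit afterwards than one that only touches what the scan showed to be wrong.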
Old 08-24-2013, 06:25 AM   #10
SimonAJ (Registered Member; Join Date: Dec 2011; Posts: 98; OS: XP)

Hi Chemist,

I have successfully carried out the first task. I now get the Firewall up automatically, but unfortunately no signs of Updates at this time.

In terms of running ComboFix with the data in the Notepad file, I have had a few problems doing this; a screenshot of what happens during both attempts is attached.

I also read that AVG can cause conflicts with ComboFix, so I removed AVG completely to see if this would help; it has not made any difference.

I have downloaded Microsoft Security Essentials on the recommendation of a friend of mine.

Apologies if doing this may have set us back in any way.

On start up, I sometimes get a message saying that Windows recovered from a serious problem (which was not happening before).

Am beginning to lose the will to live with this PC at the moment!

All the best

Si
Attached Files
File Type: doc Doc1.doc (647.0 KB, 17 views)
File Type: doc Doc2.doc (71.5 KB, 7 views)
Old 08-24-2013, 07:06 AM   #11
SimonAJ (Registered Member; Join Date: Dec 2011; Posts: 98; OS: XP)

A miracle?

Just thought I would try to run ComboFix without AVG on the PC and it seems to be running now.

I hope to be attaching the report shortly!
Old 08-24-2013, 07:23 AM   #12
SimonAJ (Registered Member; Join Date: Dec 2011; Posts: 98; OS: XP)

Hi Chemist,

As hoped in my previous message, I have had success running ComboFix with your previous info pasted into Notepad, etc.

It has to be said that since removing AVG and installing the Windows Security programme, performance has significantly improved.

With regard to the crashing to a black screen, this seems to have changed to the screen going black for a few seconds and then coming back on (which is certainly progress from where we were).

The report is as below:

ComboFix 13-08-22.01 - Admin 24/08/2013 13:54:36.3.1 - x86
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
* Created a new restore point
.
FILE ::
"c:\windows\Tasks\Registry Optimizer_DEFAULT.job"
"c:\windows\Tasks\Registry Optimizer_UPDATES.job"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\DirectCDUserName.txt
c:\windows\sstem3~1
.
.
((((((((((((((((((((((((( Files Created from 2013-07-24 to 2013-08-24 )))))))))))))))))))))))))))))))
.
.
2013-08-24 12:29 . 2013-08-05 23:28 7166848 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0AE2478F-5158-4732-B36B-5F5384645408}\mpengine.dll
2013-08-24 12:11 . 2013-05-02 01:06 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-08-24 12:05 . 2013-08-24 12:06 -------- d-----w- c:\program files\Microsoft Security Client
2013-08-24 11:42 . 2013-08-24 11:42 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Avg2013
2013-08-23 12:53 . 2013-08-23 13:15 -------- d-----w- C:\AdwCleaner
2013-08-22 12:44 . 2013-08-22 12:44 -------- d-----w-temroot% c:\windows\system32\%SSTEM~1
2013-08-21 17:29 . 2013-08-21 17:29 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2013-08-16 13:04 . 2013-08-16 13:31 -------- d-----w- c:\windows\system32\MRT
2013-08-14 10:42 . 2013-08-14 10:42 -------- d-----w-m c:\windows\SYSEM~1
2013-08-09 20:49 . 2013-08-09 20:49 -------- d-----w-files% c:\windows\system32\%PROGR~1
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-16 12:57 . 2013-07-08 20:36 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-07-26 02:47 . 2001-08-18 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-07-26 02:47 . 2001-08-18 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-07-26 02:47 . 2001-08-18 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-07-25 15:52 . 2010-12-18 14:33 385024 ------w- c:\windows\system32\html.iec
2013-07-24 20:56 . 2013-07-24 20:56 163328 ----a-w- c:\windows\system32\FlashPlayerUpdateService.exe
2013-07-15 21:00 . 2013-07-15 21:00 4188160 ----a-w- c:\program files\GUT51.tmp
2013-07-10 10:37 . 2001-08-18 12:00 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-04 02:59 . 2001-08-18 12:00 2193536 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2001-08-17 13:48 2070144 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-28 10:30 . 2013-06-28 10:32 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-06-28 10:29 . 2013-06-28 10:33 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-06-28 10:29 . 2012-10-27 09:28 867240 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-06-28 10:29 . 2011-09-12 18:16 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-18 20:50 . 2013-06-18 20:50 211560 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-06-05 12:01 . 2012-10-28 17:07 692104 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-05 12:01 . 2012-01-15 17:31 71048 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-04 07:23 . 2001-08-18 12:00 562688 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 01:40 . 2001-08-18 12:00 1876736 ----a-w- c:\windows\system32\win32k.sys
2013-05-28 01:59 . 2001-08-18 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2013-05-28 00:41 . 2010-12-19 09:54 6144 ----a-w- c:\windows\system32\xpsp4res.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2007-06-02 1457152]
"Spotify Web Helper"="c:\documents and settings\Admin\Application Data\Spotify\Data\SpotifyWebHelper.exe" [2013-07-09 1104384]
"Spotify"="c:\documents and settings\Admin\Application Data\Spotify\Spotify.exe" [2013-07-09 4640768]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17420464]
"GoogleChromeAutoLaunch_D529F91419EC9DBBC89DA7F1A46E6701"="c:\documents and settings\Admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2013-07-25 846288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTWinModem1"="ltmsg.exe 9" [X]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-07-13 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-07-13 311350]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-07-13 28739]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"nwiz"="nwiz.exe" [2003-10-06 741376]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-31 152392]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 655360]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-07-18 995184]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
GA311 Smart Wizard Utility.lnk - c:\program files\NETGEAR GA311 Adapter\GA311.exe [2003-12-25 270336]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.287\SSScheduler.exe [2012-9-11 271808]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
Ralink Wireless Utility.lnk - c:\program files\Ralink\Common\RaUI.exe -s [2011-3-13 1672480]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe /startup [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Documents and Settings\\Admin\\Application Data\\Spotify\\spotify.exe"=
"c:\\Documents and Settings\\Admin_2\\Local Settings\\Temp\\7zS5223\\HPDiagnosticCoreUI.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [08/07/2013 21:36 37664]
R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [25/12/2003 20:53 8440]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [13/03/2011 14:07 19072]
R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [25/12/2003 20:53 11237]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [13/07/2012 15:14 160944]
S2 vToolbarUpdater15.5.0;vToolbarUpdater15.5.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe --> c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.287\McCHSvc.exe [11/09/2012 17:12 234776]
S3 Sony PC Companion;Sony PC Companion;c:\program files\Sony\Sony PC Companion\PCCService.exe [12/09/2011 19:06 155320]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - PGFILTER
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-14 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Deskjet 3050A J611 series\Bin\HPCustPartic.exe [2011-06-08 18:06]
.
2013-08-06 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Deskjet 3050A J611 series\Bin\HPCustPartic.exe [2011-06-08 18:06]
.
2013-08-14 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Deskjet 3050A J611 series\Bin\HPCustPartic.exe [2011-06-08 18:06]
.
2013-08-17 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Deskjet 3050A J611 series\Bin\HPCustPartic.exe [2011-06-08 18:06]
.
2013-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-02 13:29]
.
2013-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-02 13:29]
.
2013-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-616249376-839522115-1004Core.job
- c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-13 13:20]
.
2013-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-616249376-839522115-1004UA.job
- c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-13 13:20]
.
2013-08-24 c:\windows\Tasks\HP Photo Creations Messager.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\MessageCheck.exe [2011-02-15 10:11]
.
2013-08-24 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-07-18 15:49]
.
2013-08-24 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-07-18 15:49]
.
2013-08-24 c:\windows\Tasks\User_Feed_Synchronization-{69E81E86-979C-4168-80E0-A6E9792D13DD}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2013-08-24 14:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-08-24 14:13:55
ComboFix-quarantined-files.txt 2013-08-24 13:13
ComboFix2.txt 2013-08-22 14:20
.
Pre-Run: 7,214,219,264 bytes free
Post-Run: 7,263,170,560 bytes free
.
- - End Of File - - 16B9E4125252A753CE238DC795BBBA29
8F558EB6672622401DA993E1E865C861
Old 08-24-2013, 04:14 PM   #13
chemist (Security Team; Moderator, Analyst; Rangemaster, TSF Academy; Microsoft Most Valuable Professional)
Join Date: Oct 2007
Location: Georgia
Posts: 26,492
OS: XP SP3; Win7 32/64-bit

Hello again, Si.

Please download AVG Remover and Save it to your Desktop.
  • Close all programs and double-click avgremover.exe then click Run
  • In Vista/Win7, right-click and choose 'Run as administrator'.
  • Follow the on-screen instructions.
  • Reboot your computer if not prompted already.
  • Then delete avgremover.exe from your desktop.
------------------------------------------------------
  • Double-click SystemLook.exe to run it. (Vista/Win7 users, right-click > Run as Administrator)
  • Copy/paste the contents of the following codebox into the main textfield:
    Code:
    :dir
    c:\windows\system32 /w%SSTEM*
    c:\windows /wSYSEM*
    c:\windows\system32 /w%PROGR*
    c:\windows /nofiles
  • Click the Look button to start the scan.
  • Please be patient, as it may take a while.
  • When finished, a Notepad file will open with the results of the scan. Please post this log in your next reply.
    If it is too big to post, please attach it to your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

------------------------------------------------------
  • Run Farbar Service Scanner again.
  • Make sure the Internet Services option remains checked.
  • Check all the other boxes.
  • Click Scan.
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log in your next reply.
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Old 08-25-2013, 04:47 AM   #14
SimonAJ (Registered Member)
Join Date: Dec 2011
Posts: 98
OS: XP

Hi Chemist,

I have run the avg remover tool successfully.

I am running the pc in safe mode mostly at the moment as when I started in Normal this morning it was not allowing Security Essentials to run for some reason.

Start up still remains very slow too.

Please find as below the two log files (System Look and Farbar)

All the best

Si

SystemLook 30.07.11 by jpshortstuff
Log created at 11:39 on 25/08/2013 by Admin
Administrator - Elevation successful

========== dir ==========

c:\windows\system32 - Parameters: "/w%SSTEM*"

c:\windows\system32\%sѹstemroot% - Parameters: "(none)"

---Files---
None found.

---Folders---
system32 d------ [12:44 22/08/2013]

c:\windows - Parameters: "/wSYSEM*"

c:\windows\sysѴem - Parameters: "(none)"

---Files---
None found.

---Folders---
None found.

c:\windows\system32 - Parameters: "/w%PROGR*"

c:\windows\system32\%progrѡmfiles% - Parameters: "(none)"

---Files---
None found.

---Folders---
internet explorer d------ [20:49 09/08/2013]

c:\windows - Parameters: "/nofiles"


---Folders---
$968930Uinstall_KB968930$ d--h-c- [14:21 19/12/2010]
$hf_mig$ d--h--- [09:41 19/12/2010]
$NtServicePackUninstall$ d--h-c- [14:25 18/12/2010]
$NtUninstallbasecsp$ d--h-c- [14:17 19/12/2010]
$NtUninstallKB2079403$ d--h-c- [12:31 19/12/2010]
$NtUninstallKB2115168$ d--h-c- [12:34 19/12/2010]
$NtUninstallKB2121546$ d--h-c- [12:31 19/12/2010]
$NtUninstallKB2141007$ d--h-c- [15:34 19/12/2010]
$NtUninstallKB2229593$ d--h-c- [12:32 19/12/2010]
$NtUninstallKB2259922$ d--h-c- [12:34 19/12/2010]
$NtUninstallKB2286198$ d--h-c- [12:29 19/12/2010]
$NtUninstallKB2296011$ d--h-c- [12:34 19/12/2010]
$NtUninstallKB2296199$ d--h-c- [12:33 19/12/2010]
$NtUninstallKB2345886$ d--h-c- [15:54 19/12/2010]
$NtUninstallKB2347290$ d--h-c- [12:32 19/12/2010]
$NtUninstallKB2360937$ d--h-c- [10:23 19/12/2010]
$NtUninstallKB2378111_WM9$ d--h-c- [12:33 19/12/2010]
$NtUninstallKB2387149$ d--h-c- [12:35 19/12/2010]
$NtUninstallKB2393802$ d--h-c- [06:16 28/06/2011]
$NtUninstallKB2412687$ d--h-c- [07:03 28/06/2011]
$NtUninstallKB2419632$ d--h-c- [06:40 28/06/2011]
$NtUninstallKB2423089$ d--h-c- [10:23 19/12/2010]
$NtUninstallKB2436673$ d--h-c- [12:30 19/12/2010]
$NtUninstallKB2440591$ d--h-c- [10:46 19/12/2010]
$NtUninstallKB2443105$ d--h-c- [12:33 19/12/2010]
$NtUninstallKB2443685$ d--h-c- [10:25 19/12/2010]
$NtUninstallKB2467659$ d--h-c- [10:24 19/12/2010]
$NtUninstallKB2476490$ d--h-c- [07:21 28/06/2011]
$NtUninstallKB2476687$ d--h-c- [06:42 28/06/2011]
$NtUninstallKB2478960$ d--h-c- [06:17 28/06/2011]
$NtUninstallKB2478971$ d--h-c- [07:37 28/06/2011]
$NtUninstallKB2479943$ d--h-c- [07:37 28/06/2011]
$NtUninstallKB2481109$ d--h-c- [07:25 28/06/2011]
$NtUninstallKB2483185$ d--h-c- [07:19 28/06/2011]
$NtUninstallKB2485663$ d--h-c- [07:24 28/06/2011]
$NtUninstallKB2503665$ d--h-c- [07:20 28/06/2011]
$NtUninstallKB2506212$ d--h-c- [06:31 28/06/2011]
$NtUninstallKB2506223$ d--h-c- [07:21 28/06/2011]
$NtUninstallKB2507618$ d--h-c- [06:42 28/06/2011]
$NtUninstallKB2507938$ d--h-c- [22:11 31/08/2011]
$NtUninstallKB2508272$ d--h-c- [06:54 28/06/2011]
$NtUninstallKB2508429$ d--h-c- [06:39 28/06/2011]
$NtUninstallKB2509553$ d--h-c- [06:19 28/06/2011]
$NtUninstallKB2510581$ d--h-c- [17:49 22/11/2011]
$NtUninstallKB2524375$ d--h-c- [07:19 28/06/2011]
$NtUninstallKB2535512$ d--h-c- [07:04 28/06/2011]
$NtUninstallKB2536276$ d--h-c- [06:54 28/06/2011]
$NtUninstallKB2536276-v2$ d--h-c- [17:52 22/11/2011]
$NtUninstallKB2541763$ d--h-c- [21:42 31/08/2011]
$NtUninstallKB2544521$ d--h-c- [16:57 22/11/2011]
$NtUninstallKB2544893$ d--h-c- [06:22 28/06/2011]
$NtUninstallKB2544893-v2$ d--h-c- [10:27 01/12/2012]
$NtUninstallKB2555917$ d--h-c- [21:39 31/08/2011]
$NtUninstallKB2562937$ d--h-c- [16:57 22/11/2011]
$NtUninstallKB2564958$ d--h-c- [18:06 22/11/2011]
$NtUninstallKB2566454$ d--h-c- [16:57 22/11/2011]
$NtUninstallKB2567053$ d--h-c- [17:49 22/11/2011]
$NtUninstallKB2567680$ d--h-c- [18:07 22/11/2011]
$NtUninstallKB2570222$ d--h-c- [17:48 22/11/2011]
$NtUninstallKB2570791$ d--h-c- [18:19 22/11/2011]
$NtUninstallKB2570947$ d--h-c- [17:48 22/11/2011]
$NtUninstallKB2584146$ d--h-c- [10:05 01/12/2012]
$NtUninstallKB2585542$ d--h-c- [10:27 01/12/2012]
$NtUninstallKB2586448$ d--h-c- [17:30 22/11/2011]
$NtUninstallKB2592799$ d--h-c- [17:49 22/11/2011]
$NtUninstallKB2598479$ d--h-c- [10:26 01/12/2012]
$NtUninstallKB2603381$ d--h-c- [10:13 01/12/2012]
$NtUninstallKB2618451$ d--h-c- [10:12 01/12/2012]
$NtUninstallKB2619339$ d--h-c- [10:12 01/12/2012]
$NtUninstallKB2620712$ d--h-c- [10:05 01/12/2012]
$NtUninstallKB2624667$ d--h-c- [10:24 01/12/2012]
$NtUninstallKB2631813$ d--h-c- [10:26 01/12/2012]
$NtUninstallKB2633171$ d--h-c- [10:03 01/12/2012]
$NtUninstallKB2633952$ d--h-c- [10:12 01/12/2012]
$NtUninstallKB2641690$ d--h-c- [10:25 01/12/2012]
$NtUninstallKB2646524$ d--h-c- [10:27 01/12/2012]
$NtUninstallKB2653956$ d--h-c- [03:31 15/12/2012]
$NtUninstallKB2655992$ d--h-c- [04:12 15/12/2012]
$NtUninstallKB2659262$ d--h-c- [04:59 15/12/2012]
$NtUninstallKB2660465$ d--h-c- [09:50 04/12/2012]
$NtUninstallKB2661254-v2$ d--h-c- [03:26 15/12/2012]
$NtUninstallKB2661637$ d--h-c- [12:14 01/12/2012]
$NtUninstallKB2676562$ d--h-c- [03:24 15/12/2012]
$NtUninstallKB2686509$ d--h-c- [04:01 15/12/2012]
$NtUninstallKB2691442$ d--h-c- [04:45 15/12/2012]
$NtUninstallKB2698365$ d--h-c- [03:31 15/12/2012]
$NtUninstallKB2705219-v2$ d--h-c- [03:30 15/12/2012]
$NtUninstallKB2712808$ d--h-c- [04:59 15/12/2012]
$NtUninstallKB2719985$ d--h-c- [03:46 15/12/2012]
$NtUninstallKB2723135-v2$ d--h-c- [03:29 15/12/2012]
$NtUninstallKB2724197$ d--h-c- [04:01 15/12/2012]
$NtUninstallKB2727528$ d--h-c- [03:29 15/12/2012]
$NtUninstallKB2736233$ d--h-c- [04:01 15/12/2012]
$NtUninstallKB2749655$ d--h-c- [03:31 15/12/2012]
$NtUninstallKB2753842$ d--h-c- [03:47 15/12/2012]
$NtUninstallKB2753842-v2$ d--h-c- [03:01 21/12/2012]
$NtUninstallKB2757638$ d--h-c- [09:50 20/01/2013]
$NtUninstallKB2758857$ d--h-c- [04:47 15/12/2012]
$NtUninstallKB2770660$ d--h-c- [03:46 15/12/2012]
$NtUninstallKB2778344$ d--h-c- [08:24 14/02/2013]
$NtUninstallKB2779030$ d--h-c- [04:47 15/12/2012]
$NtUninstallKB2779562$ d--h-c- [04:13 15/12/2012]
$NtUninstallKB2780091$ d--h-c- [08:17 14/02/2013]
$NtUninstallKB2799494$ d--h-c- [08:21 14/02/2013]
$NtUninstallKB2802968$ d--h-c- [08:19 14/02/2013]
$NtUninstallKB2807986$ d--h-c- [07:44 22/03/2013]
$NtUninstallKB2808735$ d--h-c- [15:57 11/04/2013]
$NtUninstallKB2813170$ d--h-c- [15:48 11/04/2013]
$NtUninstallKB2813345$ d--h-c- [15:49 11/04/2013]
$NtUninstallKB2820197$ d--h-c- [09:41 16/05/2013]
$NtUninstallKB2820917$ d--h-c- [15:56 11/04/2013]
$NtUninstallKB2829361$ d--h-c- [09:21 16/05/2013]
$NtUninstallKB2834886$ d--h-c- [14:29 23/07/2013]
$NtUninstallKB2834904_WM11$ d--h-c- [14:50 23/07/2013]
$NtUninstallKB2839229$ d--h-c- [17:09 13/06/2013]
$NtUninstallKB2845187$ d--h-c- [14:20 23/07/2013]
$NtUninstallKB2849470$ d--h-c- [14:31 20/08/2013]
$NtUninstallKB2850851$ d--h-c- [14:25 23/07/2013]
$NtUninstallKB2850869$ d--h-c- [14:39 20/08/2013]
$NtUninstallKB2859537$ d--h-c- [14:39 20/08/2013]
$NtUninstallKB2863058$ d--h-c- [14:35 20/08/2013]
$NtUninstallKB898461$ d--h-c- [09:41 19/12/2010]
$NtUninstallKB915800-v4$ d--h-c- [14:15 19/12/2010]
$NtUninstallKB923561$ d--h-c- [10:24 19/12/2010]
$NtUninstallKB929399$ d--h-c- [16:14 19/12/2010]
$NtUninstallKB939683$ d--h-c- [16:14 19/12/2010]
$NtUninstallKB940157$ d--h-c- [14:16 19/12/2010]
$NtUninstallKB941569$ d--h-c- [16:13 19/12/2010]
$NtUninstallKB942288-v3$ d--h-c- [17:05 28/10/2012]
$NtUninstallKB946648$ d--h-c- [12:35 19/12/2010]
$NtUninstallKB950762$ d--h-c- [10:46 19/12/2010]
$NtUninstallKB950974$ d--h-c- [12:32 19/12/2010]
$NtUninstallKB951376-v2$ d--h-c- [12:35 19/12/2010]
$NtUninstallKB951748$ d--h-c- [12:29 19/12/2010]
$NtUninstallKB951978$ d--h-c- [12:33 19/12/2010]
$NtUninstallKB952004$ d--h-c- [12:31 19/12/2010]
$NtUninstallKB952069_WM9$ d--h-c- [10:45 19/12/2010]
$NtUninstallKB952287$ d--h-c- [10:46 19/12/2010]
$NtUninstallKB952954$ d--h-c- [12:35 19/12/2010]
$NtUninstallKB954154_WM11$ d--h-c- [16:14 19/12/2010]
$NtUninstallKB954155_WM9$ d--h-c- [10:46 19/12/2010]
$NtUninstallKB954708$ d--h-c- [15:47 13/03/2011]
$NtUninstallKB955759$ d--h-c- [12:33 19/12/2010]
$NtUninstallKB956572$ d--h-c- [10:25 19/12/2010]
$NtUninstallKB956744$ d--h-c- [10:25 19/12/2010]
$NtUninstallKB956802$ d--h-c- [12:28 19/12/2010]
$NtUninstallKB956803$ d--h-c- [12:34 19/12/2010]
$NtUninstallKB956844$ d--h-c- [10:46 19/12/2010]
$NtUninstallKB958644$ d--h-c- [10:24 19/12/2010]
$NtUninstallKB958869$ d--h-c- [12:34 19/12/2010]
$NtUninstallKB959426$ d--h-c- [12:35 19/12/2010]
$NtUninstallKB960803$ d--h-c- [12:28 19/12/2010]
$NtUninstallKB960859$ d--h-c- [12:34 19/12/2010]
$NtUninstallKB961118$ d--h-c- [15:53 19/12/2010]
$NtUninstallKB961501$ d--h-c- [12:32 19/12/2010]
$NtUninstallKB961503$ d--h-c- [07:25 28/06/2011]
$NtUninstallKB963093$ d--h-c- [16:17 19/12/2010]
$NtUninstallKB967715$ d--h-c- [12:30 19/12/2010]
$NtUninstallKB968389$ d--h-c- [12:28 19/12/2010]
$NtUninstallKB968930$ d------ [14:21 19/12/2010]
$NtUninstallKB969059$ d--h-c- [12:33 19/12/2010]
$NtUninstallKB970430$ d--h-c- [15:54 19/12/2010]
$NtUninstallKB971029$ d--h-c- [06:38 28/06/2011]
$NtUninstallKB971513$ d--h-c- [14:17 19/12/2010]
$NtUninstallKB971657$ d--h-c- [12:32 19/12/2010]
$NtUninstallKB971737$ d--h-c- [15:38 19/12/2010]
$NtUninstallKB971961$ d--h-c- [10:23 19/12/2010]
$NtUninstallKB972270$ d--h-c- [10:46 19/12/2010]
$NtUninstallKB973507$ d--h-c- [12:31 19/12/2010]
$NtUninstallKB973540_WM9$ d--h-c- [12:30 19/12/2010]
$NtUninstallKB973687$ d--h-c- [10:24 19/12/2010]
$NtUninstallKB973815$ d--h-c- [12:28 19/12/2010]
$NtUninstallKB973869$ d--h-c- [10:25 19/12/2010]
$NtUninstallKB973904$ d--h-c- [10:45 19/12/2010]
$NtUninstallKB974112$ d--h-c- [12:32 19/12/2010]
$NtUninstallKB974318$ d--h-c- [12:33 19/12/2010]
$NtUninstallKB974392$ d--h-c- [12:30 19/12/2010]
$NtUninstallKB974571$ d--h-c- [12:31 19/12/2010]
$NtUninstallKB975025$ d--h-c- [12:31 19/12/2010]
$NtUninstallKB975467$ d--h-c- [12:28 19/12/2010]
$NtUninstallKB975558_WM8$ d--h-c- [12:33 19/12/2010]
$NtUninstallKB975560$ d--h-c- [12:31 19/12/2010]
$NtUninstallKB975562$ d--h-c- [12:28 19/12/2010]
$NtUninstallKB975713$ d--h-c- [12:32 19/12/2010]
$NtUninstallKB977816$ d--h-c- [12:30 19/12/2010]
$NtUninstallKB977914$ d--h-c- [12:29 19/12/2010]
$NtUninstallKB978037$ d--h-c- [12:32 19/12/2010]
$NtUninstallKB978338$ d--h-c- [12:32 19/12/2010]
$NtUninstallKB978542$ d--h-c- [12:29 19/12/2010]
$NtUninstallKB978601$ d--h-c- [10:24 19/12/2010]
$NtUninstallKB978695_WM9$ d--h-c- [10:46 19/12/2010]
$NtUninstallKB978706$ d--h-c- [12:29 19/12/2010]
$NtUninstallKB979309$ d--h-c- [10:24 19/12/2010]
$NtUninstallKB979482$ d--h-c- [12:29 19/12/2010]
$NtUninstallKB979687$ d--h-c- [12:31 19/12/2010]
$NtUninstallKB980195$ d--h-c- [12:34 19/12/2010]
$NtUninstallKB980232$ d--h-c- [12:34 19/12/2010]
$NtUninstallKB980436$ d--h-c- [12:30 19/12/2010]
$NtUninstallKB981322$ d--h-c- [12:30 19/12/2010]
$NtUninstallKB981852$ d--h-c- [10:46 19/12/2010]
$NtUninstallKB981997$ d--h-c- [10:24 19/12/2010]
$NtUninstallKB982132$ d--h-c- [12:32 19/12/2010]
$NtUninstallKB982214$ d--h-c- [12:34 19/12/2010]
$NtUninstallKB982665$ d--h-c- [12:28 19/12/2010]
$NtUninstallMSCompPackV1$ d--h-c- [14:15 19/12/2010]
$NtUninstallWdf01007$ d--h-c- [22:04 19/12/2011]
$NtUninstallWdf01009$ d--h-c- [17:29 28/10/2012]
$NtUninstallwinusb0100$ d--h-c- [22:05 19/12/2011]
$NtUninstallwinusb0200$ d--h-c- [17:30 28/10/2012]
$NtUninstallWMFDist11$ d--h-c- [14:13 19/12/2010]
$NtUninstallwmp11$ d--h-c- [14:14 19/12/2010]
$NtUninstallWudf01000$ d--h-c- [14:13 19/12/2010]
addins d------ [13:40 18/12/2010]
AppPatch d------ [13:40 18/12/2010]
assembly dr--s-- [09:11 19/12/2010]
CD95F661A5C444F5A6AAECDD91C240D6.TMP d------ [16:08 10/04/2013]
Config d------ [13:40 18/12/2010]
Connection Wizard d------ [13:40 18/12/2010]
Cursors d------ [13:40 18/12/2010]
Debug d------ [13:40 18/12/2010]
Downloaded Program Files d---s-- [13:55 18/12/2010]
Driver Cache d------ [13:40 18/12/2010]
EHome d------ [14:25 18/12/2010]
erdnt d------ [16:29 21/08/2013]
Fonts dr--s-- [13:40 18/12/2010]
Help d------ [13:40 18/12/2010]
Hewlett-Packard d------ [15:17 27/11/2012]
ie8 d--h-c- [11:22 19/12/2010]
ie8updates d------ [11:25 19/12/2010]
ime d------ [13:40 18/12/2010]
inf d--h--- [13:40 18/12/2010]
Installer d--hs-- [14:02 18/12/2010]
java d------ [13:40 18/12/2010]
l2schemas d------ [15:10 18/12/2010]
Logs d------ [11:52 04/11/2011]
Media d------ [13:40 18/12/2010]
Microsoft.NET d------ [09:10 19/12/2010]
Minidump d------ [16:59 21/08/2013]
msagent d------ [13:40 18/12/2010]
msapps d------ [13:40 18/12/2010]
mui d------ [13:40 18/12/2010]
network diagnostic d------ [15:05 18/12/2010]
nview d------ [12:30 19/12/2010]
Offline Web Pages dr----- [13:55 18/12/2010]
OPTIONS d------ [09:32 19/12/2010]
PCHEALTH d------ [13:54 18/12/2010]
peernet d------ [14:33 18/12/2010]
Prefetch d------ [08:49 19/12/2010]
provisioning d------ [14:33 18/12/2010]
pss d------ [13:55 16/08/2013]
Registration d------ [13:53 18/12/2010]
repair d------ [13:40 18/12/2010]
Resources d------ [13:40 18/12/2010]
security d------ [13:40 18/12/2010]
ServicePackFiles d------ [14:31 18/12/2010]
ShellNew d------ [14:19 18/12/2010]
SoftwareDistribution d------ [14:47 18/12/2010]
srchasst d------ [13:55 18/12/2010]
Sun d------ [11:52 29/10/2012]
SxsCaPendDel d------ [06:22 28/06/2011]
system d------ [13:40 18/12/2010]
system32 d------ [13:40 18/12/2010]
sysѴem d------ [10:42 14/08/2013]
Tasks d---s-- [13:54 18/12/2010]
temp d------ [14:20 22/08/2013]
twain_32 d------ [13:40 18/12/2010]
WBEM d------ [11:24 19/12/2010]
Web dr----- [13:40 18/12/2010]
WinSxS d------ [13:40 18/12/2010]

-= EOF =-

Farbar Service Scanner Version: 18-08-2013
Ran by Admin (administrator) on 25-08-2013 at 11:41:42
Running from "C:\Documents and Settings\Admin\Desktop\Virus Removal"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Network
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is set to Auto. The default start type is 3.
The ImagePath of EventSystem: "C:\WINDOWS\System32\svchost.exe -k netsvcs".
The ServiceDll of EventSystem: "C:\WINDOWS\System32\es.dll".


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) LANPkt(8) NetBT(6) PSched(7) Tcpip(4)
0x0A00000005000000010000000200000003000000040000000A00000006000000070000000800000009000000
IpSec Tag value is correct.

**** End of log ****
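The SystemLook results in the post above list folders whose names imitate %systemroot%, system and %programfiles% using Cyrillic letters. As an added example (not part of this thread, and not SystemLook's own code), the Python below parses lines in SystemLook's output format and flags such lookalike names; the sample lines are modelled on the posted log, while the confusables table, the KNOWN_NAMES set and the function names are this example's own assumptions.

```python
"""Flag lookalike (homoglyph) folder names in SystemLook output.

Added example, not code from the thread or from SystemLook. The sample
lines are modelled on the log posted above; the confusables table, the
KNOWN_NAMES set and the function names are this example's own.
"""
import re
import unicodedata

# Constructed sample in SystemLook's format, modelled on the posted log:
# three folder names imitate %systemroot%, system and %programfiles%
# with Cyrillic letters (U+0479 uk, U+0474 izhitsa, U+0461 omega).
SAMPLE_LOG = """\
c:\\windows\\system32 - Parameters: "/w%SSTEM*"

c:\\windows\\system32\\%s\u0479stemroot% - Parameters: "(none)"

---Folders---
system32 d------ [12:44 22/08/2013]

c:\\windows\\sys\u0474em - Parameters: "(none)"

c:\\windows\\system32\\%progr\u0461mfiles% - Parameters: "(none)"

---Folders---
$NtUninstallKB968930$ d------ [14:21 19/12/2010]
Connection Wizard d------ [13:40 18/12/2010]
system d------ [13:40 18/12/2010]
sys\u0474em d------ [10:42 14/08/2013]
Tasks d---s-- [13:54 18/12/2010]
"""

# Cyrillic letters that render like Latin ones (constructed, not exhaustive).
CONFUSABLES = {
    "\u0479": "y", "\u0474": "t", "\u0461": "a",   # the three seen in the log
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}

# Names a lookalike folder inside C:\Windows is most likely to imitate.
KNOWN_NAMES = {"windows", "system", "system32", "systemroot", "programfiles"}

# "<name> d--h-c- [hh:mm dd/mm/yyyy]"  and  '<path> - Parameters: "..."'
FOLDER_LINE = re.compile(r"^(?P<name>.+?) (?P<attrs>d[-a-z]{6}) \[(?P<stamp>[^\]]+)\]$")
PARAM_LINE = re.compile(r'^(?P<path>[a-z]:\\.+?) - Parameters: "(?P<params>[^"]*)"$', re.I)


def non_ascii_chars(name):
    """(position, char, Unicode name) for every non-ASCII character in name."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(name) if ord(ch) > 0x7F]


def skeleton(name):
    """Lower-cased name with confusable letters mapped to their Latin lookalikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name).lower()


def classify(name):
    """Reasons a folder name looks suspicious; an empty list means benign."""
    reasons = []
    if non_ascii_chars(name):
        reasons.append("non-ASCII characters in a system path component")
    if name.count("%") >= 2:
        reasons.append("literal %VARIABLE% syntax used as a folder name")
    sk = skeleton(name)
    if sk != name.lower() and sk.strip("%") in KNOWN_NAMES:
        reasons.append(f"lookalike of '{sk}'")
    return reasons


def scan_systemlook(text):
    """Return [(name, reasons)] for every flagged folder or parameter-line path."""
    findings = []
    for line in text.splitlines():
        m = FOLDER_LINE.match(line.rstrip())
        if m:
            name = m.group("name")
        else:
            m = PARAM_LINE.match(line.rstrip())
            if not m:
                continue
            name = m.group("path").rsplit("\\", 1)[-1]  # last path component
        reasons = classify(name)
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in scan_systemlook(SAMPLE_LOG):
        print(f"{name!r}: {'; '.join(reasons)}")
```

Run against a real SystemLook.txt, every benign entry in the long C:\Windows listing (the $NtUninstallKB...$ folders, "Connection Wizard", and so on) stays silent while the three Cyrillic names are reported with the Latin name they imitate.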
Old 08-25-2013, 03:47 PM   #15
chemist (Security Team; Moderator, Analyst; Rangemaster, TSF Academy; Microsoft Most Valuable Professional)
Join Date: Oct 2007
Location: Georgia
Posts: 26,492
OS: XP SP3; Win7 32/64-bit

Hello again, Si.

Go Start > Run and type services.msc then press Enter.

Scroll down to and double-click Remote Procedure Call (RPC)

Make sure Startup type is set to 'Automatic', if not already, then 'Start' the service.

Repeat for BITS, Security Center, Automatic Updates, and COM+ Event System

Exit Services. Reboot your computer. Can you update now?

------------------------------------------------------
Old 08-26-2013, 06:49 AM   #16
SimonAJ (Registered Member)
Join Date: Dec 2011
Posts: 98
OS: XP

Hi Chemist,

Have tried the services.msc task; in Normal mode it says "MMC cannot open the file" etc. This has worked previously.

When trying it in Safe Mode it does come up but says that certain functions can not be performed in safe mode.

Have tried going to the Microsoft website to manually download any updates and again this proves fruitless and does not allow it to happen.

Since I installed the Microsoft Essentials programme (it worked fine the first couple of times I started up) it does not start and I can not get it running either way (getting error code 0x80040154).

On a positive note the firewall is up and running as is the function to download security updates (although of course it doesn't do anything).

Sorry I haven't successfully managed to carry out any of these tasks as requested.

I look forward to any ideas you can suggest.

All the best

Si
Old 08-26-2013, 08:02 AM   #17
chemist (Security Team; Moderator, Analyst; Rangemaster, TSF Academy; Microsoft Most Valuable Professional)
Join Date: Oct 2007
Location: Georgia
Posts: 26,492
OS: XP SP3; Win7 32/64-bit

Hello again, Si. Go Start > Run and copy/paste regsvr32 C:\Windows\system32\msxml3.dll into the Run box > OK.

Wait until Windows confirms that the dll has been registered successfully.

Navigate to C:\Documents and Settings\Admin\Application Data\Microsoft\MMC

Rename services to services_old

Now try the previous instructions. Any joy?

------------------------------------------------------
Old 08-26-2013, 12:47 PM   #18
SimonAJ (Registered Member)
Join Date: Dec 2011
Posts: 98
OS: XP

Hello, I have carried out the last task given. Ironically, when I started up the pc to do it the security essentials started up! Good news, have been able to check for updates but it doesn't want to download (the malicious software removal tool is what it finds). So, we seem to have partial progress. I really appreciate your patience on this.
Old 08-26-2013, 02:16 PM   #19
chemist (Security Team; Moderator, Analyst; Rangemaster, TSF Academy; Microsoft Most Valuable Professional)
Join Date: Oct 2007
Location: Georgia
Posts: 26,492
OS: XP SP3; Win7 32/64-bit

Hello again, Si.
  • Run Farbar Service Scanner again.
  • Make sure the Internet Services option remains checked.
  • Check all the other boxes.
  • Click Scan.
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log in your next reply.
------------------------------------------------------
Old 08-26-2013, 03:13 PM   #20
SimonAJ (Registered Member)
Join Date: Dec 2011
Posts: 98
OS: XP

Hi,

I have run Farbar once more as requested.

The report is below.

Since you mentioned specifically about checking all options on the scan menu I thought it would be sensible to mention that "RpcSs and PlugPlay" is not checkable like all of the other options.

This has been common on the other occasions too, apologies if I should have mentioned this sooner and hope that it may be of some use.

kind regards

Si
Farbar Service Scanner Version: 18-08-2013
Ran by Admin (administrator) on 26-08-2013 at 22:09:21
Running from "C:\Documents and Settings\Admin\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Attempt to access Yahoo.com returned error: Yahoo.com is offline


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) LANPkt(8) NetBT(6) PSched(7) Tcpip(4)
0x0A00000005000000010000000200000003000000040000000A00000006000000070000000800000009000000
IpSec Tag value is correct.

**** End of log ****
