Tech Support Forum > Security Center > Virus/Trojan/Spyware Help
07-09-2009, 08:51 PM   #1
Everest63 (Registered User; Join Date: Feb 2005; Posts: 82; OS: XP Pro)

Family laptop hit by virus

Hi,

The family laptop was very slow to boot and once at the desktop apps took a very long time to open. Then, Blue Screen STOP ERROR. Ran Malwarebytes in Safe Mode to remove over 260 infections. Most were in the Registry. Trojan Vundo was one and another was called MyWebSearch. I can provide the Malwarebytes log if needed.

-Andy

DDS (Ver_09-06-26.01) - NTFSx86
Run by Andrew at 2256.69 on Thu 07/09/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.752 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090709-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Andrew\Desktop\dds.scr

============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246029836928
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246038860259
Notify: AtiExtEvent - Ati2evxx.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andrew\applic~1\mozilla\firefox\profiles\3f2dk4km.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZNfox000&fl=0&ptb=Xip6MeZFKcF058iUh8wnjw&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-6-26 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-26 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-6-26 138680]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-26 24652]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-6-26 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-6-26 352920]

=============== Created Last 30 ================

2009-07-09 20:51 <DIR> --d----- c:\docume~1\andrew\applic~1\Malwarebytes
2009-07-09 20:50 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 20:50 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-09 20:50 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-09 20:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-07 21:44 <DIR> --d----- c:\windows\system32\Adobe
2009-07-01 16:30 <DIR> --d----- c:\program files\LWW
2009-06-26 18:26 268,648 a------- c:\windows\system32\mucltui.dll
2009-06-26 18:26 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-06-26 18:23 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-06-26 18:23 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-06-26 18:23 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-06-26 18:23 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-06-26 14:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2009-06-26 14:58 <DIR> --d----- c:\program files\Viewpoint
2009-06-26 14:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2009-06-26 14:58 <DIR> --d----- c:\program files\common files\AOL
2009-06-26 14:57 <DIR> --d----- c:\program files\AIM6
2009-06-26 14:57 454 a---h--- C:\IPH.PH
2009-06-26 14:10 <DIR> --d----- c:\windows\ie8updates
2009-06-26 14:08 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-26 14:08 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-26 14:08 1,985,024 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-06-26 14:08 11,064,832 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-06-26 13:52 376 a------- c:\windows\ODBC.INI
2009-06-26 13:52 28,040 a------- c:\windows\system32\mdimon.dll
2009-06-26 13:51 <DIR> --d----- c:\program files\Microsoft ActiveSync
2009-06-26 13:51 <DIR> --d----- c:\windows\SHELLNEW
2009-06-26 13:44 <DIR> --dsh--- c:\documents and settings\andrew\IECompatCache
2009-06-26 13:44 <DIR> --dsh--- c:\documents and settings\andrew\PrivacIE
2009-06-26 13:42 <DIR> --dsh--- c:\documents and settings\andrew\IETldCache
2009-06-26 13:31 <DIR> -cd-h--- c:\windows\ie8
2009-06-26 13:11 81,920 -c------ c:\windows\system32\dllcache\ieencode.dll
2009-06-26 13:11 81,920 -------- c:\windows\system32\ieencode.dll
2009-06-26 13:10 585,216 -c------ c:\windows\system32\dllcache\rpcrt4.dll
2009-06-26 13:10 1,847,168 -c------ c:\windows\system32\dllcache\win32k.sys
2009-06-26 13:10 345,600 -c------ c:\windows\system32\dllcache\localspl.dll
2009-06-26 13:08 1,288,192 -c------ c:\windows\system32\dllcache\quartz.dll
2009-06-26 13:08 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-06-26 13:08 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-06-26 13:08 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-06-26 13:08 8,461,312 -c------ c:\windows\system32\dllcache\shell32.dll
2009-06-26 13:07 144,896 -c------ c:\windows\system32\dllcache\schannel.dll
2009-06-26 13:07 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-06-26 13:05 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-06-26 13:05 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-06-26 12:09 <DIR> --d----- c:\windows\ServicePackFiles
2009-06-26 12:09 294,912 -c------ c:\windows\system32\dllcache\dlimport.exe
2009-06-26 12:05 19,569 a------- c:\windows\002891_.tmp
2009-06-26 11:27 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-06-26 11:27 <DIR> --d----- c:\windows\system32\PreInstall
2009-06-26 11:24 31,768 a------- c:\windows\system32\wucltui.dll.mui
2009-06-26 11:24 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2009-06-26 11:24 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-06-26 11:24 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-06-26 11:24 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-06-26 11:23 <DIR> --dsh--- c:\documents and settings\andrew\UserData
2009-06-26 11:21 1,063,936 a------- c:\windows\system32\drivers\HSF_DP.sys
2009-06-26 11:21 631,680 a------- c:\windows\system32\drivers\HSF_CNXT.sys
2009-06-26 11:21 400,553 a------- c:\windows\system32\drivers\del5422.cty
2009-06-26 11:21 189,056 a------- c:\windows\system32\drivers\HSFHWICH.sys
2009-06-26 11:21 90,112 a------- c:\windows\system32\mdmxsdk.dll
2009-06-26 11:21 27,765 a------- c:\windows\system32\HSFCI006.dll
2009-06-26 11:21 11,043 a------- c:\windows\system32\drivers\mdmxsdk.sys
2009-06-26 11:21 <DIR> --d----- c:\program files\CONEXANT
2009-06-26 11:17 94,600 a------- c:\windows\system32\drivers\Apfiltr.sys
2009-06-26 11:17 87,805 a------- c:\windows\system32\Vxdif.dll
2009-06-26 11:17 <DIR> --d----- c:\program files\Apoint
2009-06-26 11:16 <DIR> --d----- c:\program files\SigmaTel
2009-06-26 11:15 <DIR> --d-h--- c:\documents and settings\andrew\WLANProfiles
2009-06-26 11:14 14,037 a------- c:\windows\system32\drivers\mdc8021x.sys
2009-06-26 11:14 <DIR> --d----- c:\windows\system32\LogFiles
2009-06-26 11:14 966,656 a------- c:\windows\system32\W70MLRES.DLL
2009-06-26 11:14 966,656 a------- c:\windows\system32\W20MLRES.DLL
2009-06-26 11:13 2,477,952 a------- c:\windows\system32\drivers\w70n51.sys
2009-06-26 11:13 315,392 a------- c:\windows\system32\W20NCPA.dll
2009-06-26 11:13 32,768 a------- c:\windows\system32\w70n5msg.dll
2009-06-26 11:12 175,360 ac------ c:\windows\system32\dllcache\b57xp32.sys
2009-06-26 11:12 175,360 a----r-- c:\windows\system32\drivers\b57xp32.sys
2009-06-26 11:12 <DIR> --d----- c:\program files\Broadcom
2009-06-26 11:10 20,579 a------- c:\windows\system32\drivers\ozscr.sys
2009-06-26 11:10 7,236 a------- c:\windows\system32\drivers\OZSCRXP.CAT
2009-06-26 11:10 2,274 a------- c:\windows\system32\drivers\OZSCRXP.INF
2009-06-26 11:08 <DIR> --d----- c:\program files\ATI Technologies
2009-06-26 11:04 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-06-26 11:01 5 -------- c:\windows\system32\DELL_LAT_D600.MRK
2009-06-26 11:01 666 a------- c:\windows\speed.reg
2009-06-26 11:01 <DIR> --d----- c:\program files\Dell Computer Corporation
2009-06-26 11:01 53,248 a------- c:\windows\system32\DellSys.dll
2009-06-26 11:01 <DIR> --d----- c:\program files\Dell
2009-06-26 11:00 446,464 a----r-- c:\windows\system32\hhactivex.dll
2009-06-26 11:00 645,616 a------- c:\windows\system32\MSCOMCT2.OCX
2009-06-26 11:00 414,944 a------- c:\windows\system32\COMCT332.OCX
2009-06-26 11:00 176,128 a------- c:\windows\system32\RcdScan.dll
2009-06-26 11:00 328,480 a------- c:\windows\system32\ssa3d30.ocx
2009-06-26 11:00 171,967 a------- c:\windows\system32\Odbcjet.hlp
2009-06-26 11:00 7,348 a------- c:\windows\system32\Odbcjet.cnt
2009-06-26 11:00 89,360 a------- c:\windows\system32\VB5DB.DLL
2009-06-26 11:00 17,153 a------- c:\windows\system32\drivers\omci.sys
2009-06-26 10:58 <DIR> --d----- c:\documents and settings\Andrew
2009-06-26 10:57 <DIR> --ds---- c:\windows\system32\Microsoft
2009-06-26 10:57 8,192 a------- c:\windows\REGLOCS.OLD
2009-06-26 10:56 28,288 ac------ c:\windows\system32\dllcache\xjis.nls
2009-06-26 10:56 156,672 ac------ c:\windows\system32\dllcache\winzm.ime
2009-06-26 10:56 156,672 ac------ c:\windows\system32\dllcache\winsp.ime
2009-06-26 10:56 156,672 ac------ c:\windows\system32\dllcache\winpy.ime
2009-06-26 10:56 72,704 ac------ c:\windows\system32\dllcache\wingb.ime
2009-06-26 10:56 65,536 ac------ c:\windows\system32\dllcache\winime.ime
2009-06-26 10:54 22,016 ac------ c:\windows\system32\dllcache\logscrpt.dll
2009-06-26 10:53 195,618 ac------ c:\windows\system32\dllcache\c_10002.nls
2009-06-26 10:51 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-06-26 10:51 <DIR> --ds---- c:\windows\Downloaded Program Files
2009-06-26 10:51 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-06-26 10:51 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-06-26 10:51 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-06-26 10:51 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-06-26 10:51 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-06-26 10:51 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-06-26 10:51 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-06-26 10:51 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-06-26 10:51 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
2009-06-26 10:50 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-06-26 10:50 <DIR> --d----- c:\program files\common files\MSSoap
2009-06-26 10:48 <DIR> --d----- c:\program files\Online Services
2009-06-26 10:48 <DIR> --d----- c:\program files\Messenger
2009-06-26 10:48 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-06-26 10:47 <DIR> --d----- c:\program files\Windows NT
2009-06-26 07:41 <DIR> --d----- c:\program files\common files\ODBC
2009-06-26 07:41 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-06-26 07:41 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-06-26 12:15 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-26 10:48 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 22:07:16.12 ===============
Attached Files
File Type: zip Attach.zip (3.0 KB, 3 views)
07-12-2009, 05:17 AM   #2
Glaswegian (Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic; Join Date: Sep 2005; Location: Glasgow; Posts: 25,327; OS: Win XP Pro SP3 / Win 7 Pro)

Re: Family laptop hit by virus

Hi Andy

My name is Iain and I will be helping you clean your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.

Please do not install or uninstall any programmes, or run any other scanners or software, unless I specifically ask you to do so.




Combofix
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please read all the information carefully!

You MUST disable your AntiVirus and AntiSpyware applications - please read this thread as a guide. They may otherwise interfere with our tools and interrupt the cleansing process.

Please include the log C:\ComboFix.txt in your next reply for further review.
07-12-2009, 10:30 AM   #3
Everest63 (Registered User; Join Date: Feb 2005; Posts: 82; OS: XP Pro)

Re: Family laptop hit by virus

ComboFix 09-07-11.02 - Andrew 07/12/2009 11:44.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.756 [GMT -4:00]
Running from: c:\documents and settings\Andrew\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1335 [VPS 090711-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\6d6b7d.msi

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2009-06-12 to 2009-07-12 )))))))))))))))))))))))))))))))
.

2009-07-10 14:38 . 2009-07-10 14:39 152576 ----a-w- c:\documents and settings\Andrew\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-10 00:51 . 2009-07-10 00:51 -------- d-----w- c:\documents and settings\Andrew\Application Data\Malwarebytes
2009-07-10 00:50 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-10 00:50 . 2009-07-10 00:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-10 00:50 . 2009-07-10 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-10 00:50 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-08 01:44 . 2009-07-08 12:30 -------- d-----w- c:\windows\system32\Adobe
2009-07-01 20:30 . 2009-07-01 20:30 -------- d-----w- c:\program files\LWW
2009-06-30 12:17 . 2009-06-30 12:17 42552 ----a-w- c:\documents and settings\Jane\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-28 00:51 . 2009-07-10 01:08 -------- d-----w- c:\program files\Google
2009-06-26 22:57 . 2009-06-26 22:57 -------- d-----w- c:\documents and settings\Ginny\Application Data\acccore
2009-06-26 22:26 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-06-26 22:23 . 2001-08-17 17:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2009-06-26 22:23 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-06-26 22:23 . 2008-04-14 04:15 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2009-06-26 22:23 . 2008-04-14 04:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-06-26 19:06 . 2009-06-26 19:06 -------- d-----w- c:\documents and settings\Ginny\Local Settings\Application Data\AOL OCP
2009-06-26 19:06 . 2009-06-26 19:06 -------- d-----w- c:\documents and settings\Ginny\Local Settings\Application Data\AOL
2009-06-26 18:58 . 2009-06-26 18:58 -------- d-----w- c:\documents and settings\Andrew\Local Settings\Application Data\AOL OCP
2009-06-26 18:58 . 2009-06-26 18:58 -------- d-----w- c:\documents and settings\Andrew\Local Settings\Application Data\AOL
2009-06-26 18:58 . 2009-06-26 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-26 18:58 . 2009-06-26 18:58 -------- d-----w- c:\program files\Viewpoint
2009-06-26 18:58 . 2009-06-26 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-06-26 18:58 . 2009-06-26 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-06-26 18:58 . 2009-06-26 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-06-26 18:58 . 2009-06-26 18:58 -------- d-----w- c:\program files\Common Files\AOL
2009-06-26 18:57 . 2009-06-26 18:58 -------- d-----w- c:\program files\AIM6
2009-06-26 18:32 . 2009-06-26 18:32 -------- d-----w- c:\documents and settings\Sophie\Local Settings\Application Data\Mozilla
2009-06-26 18:31 . 2009-06-26 18:31 -------- d-----w- c:\documents and settings\Jane\Local Settings\Application Data\Mozilla
2009-06-26 18:29 . 2009-06-26 18:29 -------- d-----w- c:\documents and settings\Ginny\Local Settings\Application Data\Mozilla
2009-06-26 18:28 . 2009-06-26 18:28 0 ----a-w- c:\windows\nsreg.dat
2009-06-26 18:28 . 2009-06-26 18:28 -------- d-----w- c:\documents and settings\Andrew\Local Settings\Application Data\Mozilla
2009-06-26 18:24 . 2009-06-26 18:24 -------- d-sh--w- c:\documents and settings\Sophie\IECompatCache
2009-06-26 18:21 . 2009-06-26 18:21 -------- d-----w- c:\documents and settings\Jane\Local Settings\Application Data\Microsoft
2009-06-26 18:18 . 2009-06-26 18:18 -------- d-sh--w- c:\documents and settings\Ginny\IECompatCache
2009-06-26 18:17 . 2009-06-26 18:17 -------- d-sh--w- c:\documents and settings\Ginny\PrivacIE
2009-06-26 18:10 . 2009-06-26 18:10 -------- d-----w- c:\windows\ie8updates
2009-06-26 18:08 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-26 18:08 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-26 18:08 . 2009-04-30 21:22 1985024 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-06-26 18:08 . 2009-04-30 21:22 11064832 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-06-26 17:52 . 2007-04-09 17:23 28040 ----a-w- c:\windows\system32\mdimon.dll
2009-06-26 17:51 . 2009-06-26 17:51 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-26 17:51 . 2009-06-26 17:51 -------- d-----w- c:\windows\SHELLNEW
2009-06-26 17:46 . 2009-06-26 17:46 -------- d--h--r- C:\MSOCache
2009-06-26 17:44 . 2009-06-26 17:44 -------- d-sh--w- c:\documents and settings\Andrew\IECompatCache
2009-06-26 17:44 . 2009-06-26 17:44 -------- d-sh--w- c:\documents and settings\Andrew\PrivacIE
2009-06-26 17:42 . 2009-06-26 17:42 -------- d-sh--w- c:\documents and settings\Andrew\IETldCache
2009-06-26 17:31 . 2009-06-26 17:32 -------- dc-h--w- c:\windows\ie8
2009-06-26 17:11 . 2009-04-29 04:46 81920 -c----w- c:\windows\system32\dllcache\ieencode.dll
2009-06-26 17:11 . 2009-04-29 04:46 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-26 17:10 . 2009-04-15 14:51 585216 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2009-06-26 17:10 . 2009-04-17 12:26 1847168 -c----w- c:\windows\system32\dllcache\win32k.sys
2009-06-26 17:10 . 2009-05-07 15:32 345600 -c----w- c:\windows\system32\dllcache\localspl.dll
2009-06-26 17:08 . 2008-12-20 22:14 1288192 -c----w- c:\windows\system32\dllcache\quartz.dll
2009-06-26 17:08 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-06-26 17:08 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-06-26 17:08 . 2008-06-17 19:02 8461312 -c----w- c:\windows\system32\dllcache\shell32.dll
2009-06-26 17:07 . 2008-12-05 06:54 144896 -c----w- c:\windows\system32\dllcache\schannel.dll
2009-06-26 17:07 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-06-26 17:05 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-06-26 17:05 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-06-26 16:09 . 2009-06-26 16:09 -------- d-----w- c:\windows\ServicePackFiles
2009-06-26 16:09 . 2008-04-14 09:42 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2009-06-26 15:27 . 2009-01-07 22:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-06-26 15:24 . 2008-10-16 18:09 43544 ----a-w- c:\windows\system32\wups2.dll
2009-06-26 15:23 . 2009-06-26 15:23 -------- d-sh--w- c:\documents and settings\Andrew\UserData
2009-06-26 15:21 . 2003-07-03 19:59 189056 ----a-w- c:\windows\system32\drivers\HSFHWICH.sys
2009-06-26 15:21 . 2003-07-03 19:56 631680 ----a-w- c:\windows\system32\drivers\HSF_CNXT.sys
2009-06-26 15:21 . 2003-07-03 19:55 1063936 ----a-w- c:\windows\system32\drivers\HSF_DP.sys
2009-06-26 15:21 . 2003-04-14 22:53 27765 ----a-w- c:\windows\system32\HSFCI006.dll
2009-06-26 15:21 . 2003-04-09 18:01 90112 ----a-w- c:\windows\system32\mdmxsdk.dll
2009-06-26 15:21 . 2003-04-09 17:48 11043 ----a-w- c:\windows\system32\drivers\mdmxsdk.sys
2009-06-26 15:21 . 2009-06-26 15:21 -------- d-----w- c:\program files\CONEXANT
2009-06-26 15:17 . 2009-06-26 15:17 -------- d-----w- c:\program files\Apoint
2009-06-26 15:17 . 2003-08-21 23:25 94600 ----a-w- c:\windows\system32\drivers\Apfiltr.sys
2009-06-26 15:17 . 2003-07-04 19:00 87805 ----a-w- c:\windows\system32\Vxdif.dll
2009-06-26 15:15 . 2009-06-26 15:15 -------- d--h--w- c:\documents and settings\Andrew\WLANProfiles
2009-06-26 15:14 . 2009-06-26 15:14 14037 ----a-w- c:\windows\system32\drivers\mdc8021x.sys
2009-06-26 15:14 . 2009-06-26 15:14 -------- d-----w- c:\windows\system32\LogFiles
2009-06-26 15:14 . 2003-03-18 01:03 966656 ----a-w- c:\windows\system32\W70MLRES.DLL
2009-06-26 15:14 . 2003-03-18 01:01 966656 ----a-w- c:\windows\system32\W20MLRES.DLL
2009-06-26 15:13 . 2003-06-11 09:06 2477952 ----a-w- c:\windows\system32\drivers\w70n51.sys
2009-06-26 15:13 . 2003-05-06 17:24 315392 ----a-w- c:\windows\system32\W20NCPA.dll
2009-06-26 15:13 . 2003-01-19 20:49 32768 ----a-w- c:\windows\system32\w70n5msg.dll
2009-06-26 15:12 . 2003-05-21 22:47 175360 -c--a-w- c:\windows\system32\dllcache\b57xp32.sys
2009-06-26 15:12 . 2003-05-21 22:47 175360 ----a-r- c:\windows\system32\drivers\b57xp32.sys
2009-06-26 15:12 . 2009-06-26 15:12 -------- d-----w- c:\program files\Broadcom
2009-06-26 15:10 . 2002-11-08 17:13 20579 ----a-w- c:\windows\system32\drivers\ozscr.sys
2009-06-26 15:08 . 2009-06-26 15:08 -------- d-----w- c:\program files\ATI Technologies
2009-06-26 15:05 . 2009-06-26 15:14 -------- d-----w- c:\program files\Intel
2009-06-26 15:01 . 2003-03-06 18:02 666 ----a-w- c:\windows\speed.reg
2009-06-26 15:01 . 2009-06-26 15:01 -------- d-----w- c:\program files\Dell Computer Corporation
2009-06-26 15:01 . 2002-10-09 14:20 53248 ----a-w- c:\windows\system32\DellSys.dll
2009-06-26 15:01 . 2009-06-26 15:01 -------- d-----w- c:\program files\Dell
2009-06-26 15:00 . 2002-01-08 21:00 176128 ----a-w- c:\windows\system32\RcdScan.dll
2009-06-26 15:00 . 2000-03-23 16:50 446464 ----a-r- c:\windows\system32\hhactivex.dll
2009-06-26 15:00 . 1998-06-18 03:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2009-06-26 15:00 . 2009-06-26 15:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-26 15:00 . 2002-10-09 14:20 17153 ----a-w- c:\windows\system32\drivers\omci.sys
2009-06-26 15:00 . 2009-06-26 15:12 -------- d-----w- c:\program files\Common Files\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-26 19:28 . 2009-06-26 19:28 -------- d-----w- c:\program files\Alwil Software
2009-06-26 16:15 . 2009-06-26 14:51 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-26 15:16 . 2009-06-26 15:16 -------- d-----w- c:\program files\SigmaTel
2009-06-26 14:53 . 2009-06-26 14:53 -------- d-----w- c:\program files\microsoft frontpage
2009-06-26 14:48 . 2009-06-26 14:48 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-05-13 05:15 . 2006-03-04 03:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-04 10:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2004-08-04 10:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 10:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 335872]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 86016]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-08-21 151552]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-06-20 11:03 110592 ----a-w- c:\windows\system32\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6/26/2009 3:28 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/26/2009 3:28 PM 20560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/26/2009 2:58 PM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\3f2dk4km.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZNfox000&fl=0&ptb=Xip6MeZFKcF058iUh8wnjw&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-12 12:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LgNotify.dll

- - - - - - - > 'explorer.exe'(2408)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\S24EvMon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\ZCfgSvc.exe
c:\windows\system32\1XConfig.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\scardsvr.exe
c:\windows\system32\RegSrvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Apoint\ApntEx.exe
.
**************************************************************************
.
Completion time: 2009-07-12 12:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-12 16:27

Pre-Run: 32,989,749,248 bytes free
Post-Run: 33,054,298,112 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Old 07-12-2009, 03:56 PM   #4 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 25,327
OS: Win XP Pro SP3 / Win 7 Pro


Blog Entries: 10
Re: Family laptop hit by virus

Hi again

How is your system running now?

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.



Combofix
  • Close any open browsers.
  • Open notepad and copy/paste the text in the box below into it:

Code:
Folder::
c:\Program Files\Viewpoint
c:\documents and settings\All Users\Application Data\Viewpoint

Firefox::
Firefox - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\3f2dk4km.default\

Driver::
Viewpoint Manager Service
Looking at the image below as an example



Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript onto ComboFix.exe.

When finished, it will produce a log for you at "C:\ComboFix.txt"

Do not mouse-click ComboFix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!


Please post the log C:\ComboFix.txt for further review.



Online Scan
Perform an online scan with Panda ActiveScan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log to your reply.
* Turn off the real time scanner of any existing antivirus program while performing the online scan.

Avast users note:

Please do continue with the online scan at Panda if you receive an alert. It is a false positive from Avast because Panda Antivirus does not encrypt its virus database.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner
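The Firefox:: entry in the CFScript above resets the profile whose prefs.js the DDS log showed pointing browser.search.selectedEngine and keyword.URL at MyWebSearch. As an added example, not part of this thread, ComboFix or DDS, here is a Python check that parses prefs.js-style user_pref lines and flags search and home-page preferences pointing anywhere outside a small allowlist; the sample prefs and the allowlist are constructed assumptions.

```python
import re

# Constructed prefs.js excerpt modelled on the "FF - prefs.js" lines in the
# DDS log above (the hxxp value there is the defanged keyword.URL).
SAMPLE_PREFS = '''
user_pref("browser.search.selectedEngine", "MyWebSearch");
user_pref("keyword.URL", "http://www.mywebsearch.com/jsp/cfg_redir2.jsp?searchfor=");
user_pref("browser.startup.homepage", "http://www.google.com/");
user_pref("network.proxy.type", 0);
'''

# Preferences a search hijacker typically rewrites to redirect queries.
SEARCH_PREFS = ["browser.search.defaultenginename", "browser.search.selectedEngine",
                "browser.startup.homepage", "keyword.URL"]
# Assumed allowlist: engines and hosts the machine's owner actually chose.
TRUSTED_ENGINES = {"Google", "Yahoo", "Bing"}
TRUSTED_HOSTS = {"www.google.com", "search.yahoo.com", "www.bing.com"}
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+)\);')

def parse_prefs(text):
    """Map pref name -> value for every user_pref(...) line; quotes stripped."""
    prefs = {}
    for match in PREF_RE.finditer(text):
        name, raw = match.group(1), match.group(2).strip()
        prefs[name] = raw[1:-1] if raw.startswith('"') else raw
    return prefs

def host_of(url):
    """Lower-cased host of an http(s) URL, or '' when the value is not a URL."""
    match = re.match(r'https?://([^/?#]+)', url, re.IGNORECASE)
    return match.group(1).lower() if match else ""

def find_hijacks(prefs):
    """Return (pref, value) pairs whose engine name or host is not trusted."""
    findings = []
    for name in SEARCH_PREFS:
        if name not in prefs:
            continue
        value = prefs[name]
        if value.lower().startswith("http"):
            trusted = host_of(value) in TRUSTED_HOSTS   # URL-valued pref
        else:
            trusted = value in TRUSTED_ENGINES          # engine display name
        if not trusted:
            findings.append((name, value))
    return findings

if __name__ == "__main__":
    for pref, value in find_hijacks(parse_prefs(SAMPLE_PREFS)):
        print(f"HIJACKED {pref} -> {value}")
```

Run against the real prefs.js of a profile before and after the ComboFix fix to confirm the redirected entries are gone.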
Old 07-13-2009, 06:45 AM   #5 (permalink)
Registered User
Join Date: Feb 2005
Posts: 82
OS: XP Pro


Re: Family laptop hit by virus

Hi Iain,

I ran the CFScript in ComboFix and saved the report, and about 1 hour into the Panda online scan I got the blue screen Kernel_Data_Inpage_Error

I am about to start the Panda scan all over again and hope it finishes.

Do you think that blue screen of death is caused by a virus, or would it be best just to get another HD and install XP Pro fresh?

-Andrew

I will attach the Panda scan results if it finishes without a blue screen error.
Old 07-13-2009, 07:59 AM   #6 (permalink)
Registered User
Join Date: Feb 2005
Posts: 82
OS: XP Pro


Re: Family laptop hit by virus

Iain,

The laptop will not boot now. It keeps getting BSOD with a STOP 0X000000F4.
I took the HD out of the laptop and put it into an external enclosure (USB) and the HD spins up then stops, and cycles through this. I am going to grab another HD and install XP Pro fresh.
Thanks for your help. Please close this thread.
-Andrew
Old 07-13-2009, 01:45 PM   #7 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 25,327
OS: Win XP Pro SP3 / Win 7 Pro


Blog Entries: 10
Re: Family laptop hit by virus

Sorry to hear that Andrew - not much any of us can do when the hard disc gives up. Always make sure you have all your data backed up though.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner
Copyright 2001 - 2009, Tech Support Forum