Windows hanging hanging

Old 05-20-2009, 02:34 AM   #1
Registered Member
 
Join Date: Jun 2008
Location: South Africa
Posts: 125
OS: Windows 10 Pro



Hi,

I was recommended to this thread from another one:

https://www.techsupportforum.com/f10/...ng-372694.html

I've downloaded dds.scr, but when I double click it it asks me which program I would like to use to open it. I am not aware of any script blockers, I have never intentionally installed something like that.

Thanks,
Henry.
happydaze29 is offline  
Old 05-20-2009, 05:07 AM   #2
Registered Member
 
Join Date: Jun 2008
Location: South Africa
Posts: 125
OS: Windows 10 Pro



OK, never mind the previous post, got that sorted.

Will post results soon.
happydaze29 is offline  
Old 05-20-2009, 07:16 AM   #3
Registered Member
 
Join Date: Jun 2008
Location: South Africa
Posts: 125
OS: Windows 10 Pro



Hi,

First of all thanks for the help.

I find my machine generally slow (although after removing 30G of backups that has improved).

The main problem, and this is true for a lot of windows (programs & documents) but not all: if I double-click on My Documents the contents appear immediately, but say I open a sub-window, the window opens blank and the contents can take up to 10 sec to appear. Same if I am in a program and click on Open; at any given point a subfolder will just hang.

PS I quit all programs before starting, but AdAware (running in background) launched into the tray halfway through the GMER scan. Is that a problem?


DDS (Ver_09-05-14.01) - NTFSx86
Run by Henry & Lisa at 14:01:05.32 on 2009/05/20
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.447 [GMT 2:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
D:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
D:\WINDOWS\system32\acs.exe
svchost.exe
svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
svchost.exe
D:\Program Files\Google\Update\GoogleUpdate.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\WINDOWS\System32\dmadmin.exe
D:\PROGRA~1\AVG\AVG8\avgemc.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\PROGRA~1\AVG\AVG8\avgnsx.exe
D:\Program Files\AVG\AVG8\avgcsrvx.exe
D:\Program Files\AVG\AVG8\avgcsrvx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\igfxpers.exe
D:\WINDOWS\system32\rundll32.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
D:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
D:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
D:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
D:\Documents and Settings\Henry & Lisa\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = www.google.co.za/advanced_search?hl=en
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - d:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - d:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - d:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - d:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - d:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [Sonic RecordNow!]
uRun: [PC Suite Tray] "d:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
mRun: [igfxtray] d:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] d:\windows\system32\hkcmd.exe
mRun: [igfxpers] d:\windows\system32\igfxpers.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [AVG8_TRAY] d:\progra~1\avg\avg8\avgtray.exe
dRun: [CTFMON.EXE] d:\windows\system32\CTFMON.EXE
StartupFolder: d:\docume~1\henry&~1\startm~1\programs\startup\adobeg~1.lnk - d:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: E&xport to Microsoft Excel
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - d:\program files\java\jre1.6.0_07\bin\ssv.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\henry&~1\applic~1\mozilla\firefox\profiles\jkpwn3wj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.za/advanced_search?hl=en
FF - component: d:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: d:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: d:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: d:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: d:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npOGAPlugin.dll

============= SERVICES / DRIVERS ===============

R0 BtHidBus;Bluetooth HID Bus Service;d:\windows\system32\drivers\BtHidBus.sys [2009-1-7 20744]
R0 Lbd;Lbd;d:\windows\system32\drivers\Lbd.sys [2009-1-21 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [2009-5-3 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;d:\windows\system32\drivers\avgmfx86.sys [2009-5-3 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;d:\windows\system32\drivers\avgtdix.sys [2009-5-3 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;d:\progra~1\avg\avg8\avgemc.exe [2009-5-3 908568]
R2 avg8wd;AVG Free8 WatchDog;d:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-3 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;d:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 953168]
R4 PCTCore;PCTools KDS;d:\windows\system32\drivers\pctcore.sys --> d:\windows\system32\drivers\PCTCore.sys [?]
S2 gupdate1c94404ff872658;Google Update Service (gupdate1c94404ff872658);d:\program files\google\update\GoogleUpdate.exe [2008-11-11 133104]
S3 ATHFMWDL;Atheros USB Wireless Adapter Bootloader driver;d:\windows\system32\drivers\Athfmwdl.sys [2008-2-1 43392]
S3 btnetBUs;Bluetooth PAN Bus Service;d:\windows\system32\drivers\btnetBus.sys [2008-12-7 30088]
S3 getplus(r) helper;getPlus(R) Helper;d:\program files\nos\bin\getPlus_HelperSvc.exe [2009-4-24 33176]
S3 IvtBtBUs;IVT Bluetooth Bus Service;d:\windows\system32\drivers\IvtBtBus.sys [2008-7-2 26248]

=============== Created Last 30 ================

2009-05-20 11:54 185,448 a------- d:\windows\system32\AcSignIcon.dll
2009-05-20 11:36 <DIR> --d-h--- d:\windows\PIF
2009-05-19 01:33 0 a---h--- d:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-05-19 01:33 0 a---h--- d:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-05-19 01:32 14,640 -------- d:\windows\system32\spmsgXP_2k3.dll
2009-05-17 07:06 <DIR> --d----- d:\program files\NCH Swift Sound
2009-05-16 17:49 <DIR> --d----- d:\program files\Rockstar Games
2009-05-16 17:40 <DIR> --d----- d:\program files\DustBuster XP
2009-05-16 16:27 5,504 a------- d:\windows\system32\drivers\MSTEE.sys
2009-05-16 16:27 10,880 a------- d:\windows\system32\drivers\NdisIP.sys
2009-05-16 16:27 15,232 a------- d:\windows\system32\drivers\StreamIP.sys
2009-05-16 16:27 16,384 a------- d:\windows\system32\ipsink.ax
2009-05-16 16:27 11,136 a------- d:\windows\system32\drivers\SLIP.sys
2009-05-16 16:27 19,200 a------- d:\windows\system32\drivers\WSTCODEC.SYS
2009-05-16 16:27 85,248 a------- d:\windows\system32\drivers\NABTSFEC.sys
2009-05-16 16:26 17,024 a------- d:\windows\system32\drivers\CCDECODE.sys
2009-05-16 16:26 53,760 a------- d:\windows\system32\drivers\vfwwdm32.dll
2009-05-16 16:26 28,672 a------- d:\windows\system32\drivers\vidcap.ax
2009-05-16 16:26 91,136 a------- d:\windows\system32\drivers\kswdmcap.ax
2009-05-16 16:26 61,952 a------- d:\windows\system32\drivers\kstvtune.ax
2009-05-16 16:26 43,008 a------- d:\windows\system32\drivers\ksxbar.ax
2009-05-06 13:08 <DIR> --d----- d:\program files\Bulk Rename Utility
2009-05-06 08:53 <DIR> --d----- d:\docume~1\henry&~1\applic~1\Malwarebytes
2009-05-06 08:53 15,504 a------- d:\windows\system32\drivers\mbam.sys
2009-05-06 08:53 38,496 a------- d:\windows\system32\drivers\mbamswissarmy.sys
2009-05-06 08:52 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-06 08:52 <DIR> --d----- d:\program files\Malwarebytes' Anti-Malware
2009-05-03 15:37 11,952 a------- d:\windows\system32\avgrsstx.dll
2009-05-03 15:37 108,552 a------- d:\windows\system32\drivers\avgtdix.sys
2009-05-03 15:37 325,896 a------- d:\windows\system32\drivers\avgldx86.sys
2009-05-03 15:36 <DIR> --d----- d:\windows\system32\drivers\Avg
2009-05-03 14:09 <DIR> --d----- d:\docume~1\henry&~1\applic~1\AVGTOOLBAR
2009-04-28 17:51 <DIR> --d----- d:\program files\common files\Sonic
2009-04-28 17:49 <DIR> --d----- d:\program files\Sonic
2009-04-26 11:11 <DIR> --d----- d:\program files\DVD Shrink
2009-04-26 10:31 <DIR> --d----- d:\program files\Spybot - Search & Destroy
2009-04-26 10:31 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-26 10:16 <DIR> --d----- d:\docume~1\henry&~1\applic~1\Safer Networking
2009-04-26 10:16 <DIR> --d----- d:\program files\Safer Networking
2009-04-26 09:01 <DIR> --d----- d:\program files\Enigma Software Group
2009-04-22 06:42 <DIR> --d----- d:\program files\Nsasoft
2009-04-21 14:44 55,640 a------- d:\windows\system32\drivers\avgntflt.sys

==================== Find3M ====================

2009-05-20 10:06 3,506 a--sh--- d:\windows\system32\KGyGaAvL.sys
2009-04-25 06:38 64,160 a------- d:\windows\system32\drivers\Lbd.sys
2009-03-16 05:11 15,688 a------- d:\windows\system32\lsdelete.exe
2008-02-10 12:16 87,608 a------- d:\docume~1\henry&~1\applic~1\inst.exe
2008-02-10 12:16 47,360 a------- d:\docume~1\henry&~1\applic~1\pcouffin.sys
2008-08-24 09:08 32,768 a--sh--- d:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082420080825\index.dat

============= FINISH: 14:01:41.92 ===============
Attached Files
File Type: zip Attach.zip (4.5 KB, 13 views)
happydaze29 is offline  
Old 05-21-2009, 04:27 PM   #4
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Hello Henry,

Quote:
D:\Documents and Settings\Henry & Lisa\Desktop\HENRY_ANTISPY\734fdd98_sys.old (Backdoor.Rustock) -> Quarantined and deleted successfully.


...Now that last item is what I removed manually from the last time. I always rename and/or move stuff I am not sure about. So that was 734fdd98.sys but I moved & renamed it to 734fdd98_sys.old.
How long ago was it that you manually removed this infection?


Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:


**Vista users - right click on the IE icon and run as administrator


Using Internet Explorer or Firefox, visit https://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 05-22-2009, 01:21 AM   #5
Registered Member
 
Join Date: Jun 2008
Location: South Africa
Posts: 125
OS: Windows 10 Pro



Hi Ried,

---Quote---
D:\Documents and Settings\Henry & Lisa\Desktop\HENRY_ANTISPY\734fdd98_sys.old (Backdoor.Rustock) -> Quarantined and deleted successfully.


...Now that last item is what I removed manually from the last time. I always rename and/or move stuff I am not sure about. So that was 734fdd98.sys but I moved & renamed it to 734fdd98_sys.old.
---End Quote---


You asked "How long ago was it that you manually removed this infection?"

That was on 04-20-2009, 03:51 PM in this thread (I only appear halfway on p2)

https://www.techsupportforum.com/f10/...er-366193.html

I will summarize it here: (I didn't before because I thought it was unrelated)

My machine stopped recognizing any external USB storage devices and it turned out to be a trojan covered by a rootkit. After booting up from a Hiren's Live CD the following happened:

Re: USB Mass storage not showing in explorer
Hahahahhaahahahahahahahhahayyyyyaaaaaaaaaaaaaaaaaayyyyy! Got him! hahahahaha IT'S IS DEAD! MY MACHINE IS BACK!!!!!!!!!!!!!!!!!!!!!!!!!!!!

For those of you that can't tell, I am ecstatic! Thank you Marton & everyone else for this... you don't realize, you are unsung heroes!

So I tried almost 20hrs of trying to get rid of this thing... downloaded & built PEbuilder to no avail... downloaded & built UBCD4win to no avail... then I realised this crafty little **** of a trojan hijacked my burner too! So I went to a friend's house, downloaded UBCD4win again (1.2 hrs here in Africa) and burnt the .iso there (never mind the 4 DVD 'coasters' I created trying to backup my vital data at home in the meantime).

So I came home, booted up from the now functioning UBCD4Win Live CD...
Searched my d:/windows/system32/drivers and found
ovfsthqmexsuwbrmparublnsdpxlkqltaltlfp.sys

moved that to my documents/____**ckers/windows/system32/drivers


Searched my d:/windows/system32 and found:
ovfsthqyptosyfscfvwdgaqygtvmotuwuwdcwc.dat
ovfsthojshtxmjhgaiysndswwywosjkhhitjib.dat
ovfsthxrclamitqaiqjkxymuyivgpxuiufibch.dll
ovfsthvytvfcefjwjlypfhrgnjsqraansxrqob.dll
ovfsthqraivkdqomlexwkfstiqbgqyncvbwbdj.dll

moved that to my documents/____**ckers/windows/system32root

restarted from HD, and VOILA! my PC's back!

My flash drives are registering again, all my hard drives are showing up in Drive Management again! HALLELUJAH!

Now my local computer-shop guy tells me that getting rid of a trojan like this might only be temporary... is that true?

The first thing I did after booting up normally & realizing everything was back to normal was to start a full system AVG scan and true as Bob for the first time AVG found the little trojan ***ker and vaulted it.

Is that good enough?

Many thanks to all who helped on this forum... if I can do the same for someone please let me know!

Ta,
Henry


I finished the scan you asked for and attached it. I wait for your instruction.

Many thanks,
Henry.
Attached Files
File Type: txt scan result.txt (1.7 KB, 12 views)
happydaze29 is offline  
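Henry found the rootkit's components by their machine-generated names (six files sharing the ovfsth prefix followed by a long random tail), and a reviewer reading the DDS log in post #3 looks for entries that point at nothing (the "No File" BHO/TB entries, the R4 service whose driver DDS marks with [?] instead of a date and size). The Python helper below is an added example, not part of the thread or of DDS: it applies those checks to DDS-style lines and to a plain directory listing. The entropy/vowel thresholds and the one rootkit-style service line in the sample (with a made-up date and size) are assumptions constructed for the example.

```python
import math
import re

# Heuristic thresholds for a "machine-generated" file stem. These are
# assumptions chosen for this example, not values taken from DDS or the post.
MIN_STEM_LEN = 20        # the names in the post are 38 letters long
MIN_ENTROPY_BITS = 3.5   # near-uniform letter mix; English words score lower
MAX_VOWEL_RATIO = 0.35   # random letters give ~0.19; English gives ~0.4
VOWELS = set("aeiou")

# Constructed sample in DDS's own line formats: a few entries copied from the
# DDS log in post #3 plus ONE constructed rootkit-style service line (its date
# and size are made up for the example).
SAMPLE_DDS = r"""
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
R0 Lbd;Lbd;d:\windows\system32\drivers\Lbd.sys [2009-1-21 64160]
R4 PCTCore;PCTools KDS;d:\windows\system32\drivers\pctcore.sys --> d:\windows\system32\drivers\PCTCore.sys [?]
R1 ovfsthqmexsuwbrmparublnsdpxlkqltaltlfp;ovfsthqmexsuwbrmparublnsdpxlkqltaltlfp;d:\windows\system32\drivers\ovfsthqmexsuwbrmparublnsdpxlkqltaltlfp.sys [2009-4-20 50176]
"""

# The five system32 names Henry listed, mixed with benign names from the DDS log.
SAMPLE_LISTING = [
    "ovfsthqyptosyfscfvwdgaqygtvmotuwuwdcwc.dat",
    "ovfsthojshtxmjhgaiysndswwywosjkhhitjib.dat",
    "ovfsthxrclamitqaiqjkxymuyivgpxuiufibch.dll",
    "ovfsthvytvfcefjwjlypfhrgnjsqraansxrqob.dll",
    "ovfsthqraivkdqomlexwkfstiqbgqyncvbwbdj.dll",
    "avgrsstx.dll", "KGyGaAvL.sys", "lsdelete.exe", "WPDShServiceObj.dll",
    "MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf",
]

NO_FILE_RE = re.compile(r"^(BHO|TB|IE|Handler): .* - No File$")
SERVICE_RE = re.compile(r"^[RS]\d+ [^;]+;[^;]*;(.+)$")   # R0/R1/S2... name;display;file
DRIVE_PATH_RE = re.compile(r"[a-zA-Z]:\\.*$")


def shannon_entropy(text):
    """Bits per character of the character distribution in text."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(path):
    """True when the file stem resembles the names in the post: a long run of
    lowercase letters with a flat letter distribution and few vowels."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    stem = name.rsplit(".", 1)[0] if "." in name else name
    if len(stem) < MIN_STEM_LEN or not re.fullmatch(r"[a-z]+", stem):
        return False
    vowel_ratio = sum(ch in VOWELS for ch in stem) / len(stem)
    return shannon_entropy(stem) >= MIN_ENTROPY_BITS and vowel_ratio <= MAX_VOWEL_RATIO


def candidate_paths(line):
    """Pull Windows paths out of one DDS line. DDS separates fields with
    ' - ', ';' and ' --> ' and appends '[date size]' or '[?]' to files."""
    for piece in re.split(r" - |;| --> ", line):
        piece = re.sub(r"\s*\[[^\]]*\]\s*$", "", piece.strip())
        m = DRIVE_PATH_RE.search(piece)
        if m:
            yield m.group(0)


def triage_dds(text):
    """Return (reason, line) pairs from a DDS log that deserve a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if NO_FILE_RE.match(line):
            findings.append(("orphaned-clsid", line))      # registry points at nothing
            continue
        m = SERVICE_RE.match(line)
        if m and m.group(1).rstrip().endswith("[?]"):
            findings.append(("service-file-not-found", line))  # DDS could not stat the driver
        if any(looks_random(p) for p in candidate_paths(line)):
            findings.append(("random-name", line))
    return findings


def flag_listing(names):
    """Apply the random-name heuristic to a plain directory listing, the way
    Henry eyeballed system32 from the live CD."""
    return [n for n in names if looks_random(n)]


if __name__ == "__main__":
    for reason, line in triage_dds(SAMPLE_DDS):
        print(f"{reason:24} {line}")
    print("random-looking names:", flag_listing(SAMPLE_LISTING))
```

The name heuristic is deliberately narrow (lowercase letters only, as in the post); variants that mix digits into their names would need the character class widened, at the cost of more false positives.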
Old 05-22-2009, 06:08 AM   #6
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Nice work there, Henry.

Let's make sure you got all pieces of that rootkit. Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT - Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
Ried is offline  
Old 05-22-2009, 07:31 AM   #7
Registered Member
 
Join Date: Jun 2008
Location: South Africa
Posts: 125
OS: Windows 10 Pro



Hi,

So all went quite smoothly, except AVG wouldn't quit - even after right clicking the tray icon and 'exit' there were still 5 AVG processes running. I tried ending those manually but they kept popping back up again. So I disabled the 2 AVG services & startup items in MSCONFIG, restarted, and nothing showed in Task Manager as an AVG process. The tray icon was gone etc. So I ran ComboFix and it still told me AVG was running. I checked everywhere again and couldn't find any trace of AVG. So I went ahead with the ComboFix scan. Attached find the log.

Waiting for further instructions.

Many thanks,
Henry.

ComboFix 09-05-21.03 - Henry & Lisa 2009/05/22 16:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.619 [GMT 2:00]
Running from: d:\documents and settings\Henry & Lisa\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\desktop.ini
d:\documents and settings\Henry & Lisa\Application Data\inst.exe

.
((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 )))))))))))))))))))))))))))))))
.

2009-05-21 13:55 . 2009-03-19 11:48 136704 ----a-w d:\windows\system32\drivers\nmwcdnsu.sys
2009-05-21 13:55 . 2009-02-09 05:37 7808 ----a-w d:\windows\system32\drivers\usbser_lowerfltj.sys
2009-05-21 13:55 . 2009-02-09 05:37 7808 ----a-w d:\windows\system32\drivers\usbser_lowerflt.sys
2009-05-21 13:55 . 2009-02-09 05:37 22016 ----a-w d:\windows\system32\drivers\ccdcmbo.sys
2009-05-21 13:55 . 2009-02-09 05:37 659968 ----a-w d:\windows\system32\nmwcdcocls.dll
2009-05-21 13:55 . 2009-02-09 05:37 17664 ----a-w d:\windows\system32\drivers\ccdcmb.sys
2009-05-21 13:55 . 2009-02-09 05:32 1112288 ----a-w d:\windows\system32\wdfcoinstaller01007.dll
2009-05-21 13:53 . 2009-05-21 13:51 24376008 ----a-w d:\documents and settings\All Users\Application Data\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\NokiaSoftwareUpdaterSetup_1.6.13EN.exe
2009-05-21 13:53 . 2009-05-21 13:53 36864 ----a-w d:\documents and settings\All Users\Application Data\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Installer\CommonCustomActions\Sleep.exe
2009-05-21 13:53 . 2009-05-21 13:53 3351812 ----a-w d:\documents and settings\All Users\Application Data\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Installer\CommonCustomActions\msxml6Exec.exe
2009-05-21 13:53 . 2009-05-21 13:53 3181612 ----a-w d:\documents and settings\All Users\Application Data\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Installer\CommonCustomActions\vcredistExec.exe
2009-05-20 09:54 . 2006-03-05 01:55 185448 ----a-w d:\windows\system32\AcSignIcon.dll
2009-05-20 09:36 . 2009-05-20 09:36 -------- d--h--w d:\windows\PIF
2009-05-18 23:32 . 2008-03-21 11:57 14640 ------w d:\windows\system32\spmsgXP_2k3.dll
2009-05-17 05:06 . 2009-05-17 05:06 -------- d-----w d:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-05-17 05:06 . 2009-05-20 12:00 -------- d-----w d:\program files\NCH Swift Sound
2009-05-17 05:06 . 2009-05-17 05:06 -------- d-----w d:\documents and settings\Henry & Lisa\Application Data\NCH Swift Sound
2009-05-16 15:49 . 2009-05-16 15:49 -------- d-----w d:\program files\Rockstar Games
2009-05-16 15:40 . 2009-05-16 15:40 -------- d-----w d:\program files\DustBuster XP
2009-05-16 14:27 . 2008-04-13 18:39 5504 ----a-w d:\windows\system32\drivers\MSTEE.sys
2009-05-16 14:27 . 2008-04-13 18:46 10880 ----a-w d:\windows\system32\drivers\NdisIP.sys
2009-05-16 14:27 . 2008-04-13 18:46 15232 ----a-w d:\windows\system32\drivers\StreamIP.sys
2009-05-16 14:27 . 2008-04-13 18:46 11136 ----a-w d:\windows\system32\drivers\SLIP.sys
2009-05-16 14:27 . 2008-04-13 18:46 19200 ----a-w d:\windows\system32\drivers\WSTCODEC.SYS
2009-05-16 14:27 . 2008-04-13 18:46 85248 ----a-w d:\windows\system32\drivers\NABTSFEC.sys
2009-05-16 14:26 . 2008-04-13 18:46 17024 ----a-w d:\windows\system32\drivers\CCDECODE.sys
2009-05-16 14:26 . 2008-04-14 00:12 53760 ----a-w d:\windows\system32\drivers\vfwwdm32.dll
2009-05-12 16:34 . 2009-05-12 16:34 -------- d-----w d:\documents and settings\Guest\Tracing
2009-05-06 11:08 . 2009-05-06 11:08 -------- d-----w d:\program files\Bulk Rename Utility
2009-05-06 06:53 . 2009-05-06 06:53 -------- d-----w d:\documents and settings\Henry & Lisa\Application Data\Malwarebytes
2009-05-06 06:53 . 2009-04-06 13:32 15504 ----a-w d:\windows\system32\drivers\mbam.sys
2009-05-06 06:53 . 2009-04-06 13:32 38496 ----a-w d:\windows\system32\drivers\mbamswissarmy.sys
2009-05-06 06:52 . 2009-05-06 06:52 -------- d-----w d:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-06 06:52 . 2009-05-06 06:53 -------- d-----w d:\program files\Malwarebytes' Anti-Malware
2009-05-04 03:11 . 2009-05-04 03:11 299352 ----a-w d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-05-03 13:37 . 2009-05-03 13:37 11952 ----a-w d:\windows\system32\avgrsstx.dll
2009-05-03 13:37 . 2009-05-03 13:37 108552 ----a-w d:\windows\system32\drivers\avgtdix.sys
2009-05-03 13:37 . 2009-05-03 13:37 325896 ----a-w d:\windows\system32\drivers\avgldx86.sys
2009-05-03 13:36 . 2009-05-03 13:36 27784 ----a-w d:\windows\system32\drivers\avgmfx86.sys
2009-05-03 13:36 . 2009-05-19 10:12 -------- d-----w d:\windows\system32\drivers\Avg
2009-05-03 12:09 . 2009-05-04 07:09 -------- d-----w d:\documents and settings\Henry & Lisa\Application Data\AVGTOOLBAR
2009-04-28 15:51 . 2009-04-28 16:16 -------- d-----w d:\documents and settings\Henry & Lisa\Application Data\Sonic
2009-04-28 15:51 . 2009-04-28 15:51 -------- d-----w d:\program files\Common Files\Sonic
2009-04-28 15:49 . 2009-04-28 15:49 -------- d-----w d:\program files\Sonic
2009-04-26 09:11 . 2009-04-26 09:11 -------- d-----w d:\program files\DVD Shrink
2009-04-26 08:31 . 2009-05-03 10:08 -------- d-----w d:\program files\Spybot - Search & Destroy
2009-04-26 08:31 . 2009-05-03 10:08 -------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-26 08:16 . 2009-04-26 08:16 -------- d-----w d:\documents and settings\Henry & Lisa\Application Data\Safer Networking
2009-04-26 08:16 . 2009-04-26 08:16 -------- d-----w d:\program files\Safer Networking
2009-04-26 07:01 . 2009-05-20 11:59 -------- d-----w d:\program files\Enigma Software Group
2009-04-25 04:39 . 2009-04-25 04:39 25440 ----a-w d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-04-25 04:39 . 2009-04-25 04:39 15688 ----a-w d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-04-25 04:39 . 2009-04-25 04:39 165728 ----a-w d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-04-25 04:39 . 2009-04-25 04:39 343888 ----a-w d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-04-25 04:39 . 2009-04-25 04:39 289632 ----a-w d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-04-25 04:39 . 2009-04-25 04:39 82784 ----a-w d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-04-25 04:38 . 2009-04-25 04:38 1629024 ----a-w d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-04-25 04:38 . 2009-04-25 04:38 212848 ----a-w d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-04-25 04:38 . 2009-04-25 04:38 40288 ----a-w d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-04-25 04:38 . 2009-04-25 04:38 64160 ----a-w d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-04-25 04:38 . 2009-04-25 04:38 632680 ----a-w d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-04-25 04:37 . 2009-04-25 04:37 539512 ----a-w d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-04-25 04:37 . 2009-04-25 04:37 552808 ----a-w d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-04-25 04:37 . 2009-04-25 04:37 2324808 ----a-w d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-04-25 04:36 . 2009-04-25 04:36 626000 ----a-w d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-04-25 04:36 . 2009-04-25 04:36 516440 ----a-w d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-04-25 04:36 . 2009-04-25 04:36 953168 ----a-w d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-04-24 00:14 . 2009-04-24 00:15 -------- d-----w d:\documents and settings\All Users\Application Data\NOS
2009-04-24 00:14 . 2009-04-24 00:14 -------- d-----w d:\program files\NOS
2009-04-24 00:14 . 2009-03-03 12:53 17464 ----a-w d:\documents and settings\Henry & Lisa\Application Data\Mozilla\Firefox\Profiles\jkpwn3wj.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\chrome\content\getPlus_Adobe_reg.exe
2009-04-24 00:14 . 2009-03-03 12:53 12792 ----a-w d:\documents and settings\Henry & Lisa\Application Data\Mozilla\Firefox\Profiles\jkpwn3wj.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\chrome\content\getPlus_Adobe_reg_bootstrap.exe
2009-04-24 00:14 . 2009-03-03 12:53 109420 ----a-w d:\documents and settings\Henry & Lisa\Application Data\Mozilla\Firefox\Profiles\jkpwn3wj.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\plugins\np_gp.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-22 13:52 . 2008-05-09 17:37 -------- d-----w d:\program files\Registrytec
2009-05-22 12:01 . 2009-03-20 21:30 -------- d-----w d:\program files\Mozilla Thunderbird
2009-05-22 12:00 . 2007-08-11 17:31 3506 --sha-w d:\windows\system32\KGyGaAvL.sys
2009-05-22 10:10 . 2007-08-06 11:16 102400 ----a-w d:\documents and settings\Henry & Lisa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-22 10:07 . 2009-03-20 05:37 1 ----a-w d:\documents and settings\Henry & Lisa\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-05-22 02:43 . 2009-01-09 17:10 -------- d-----w d:\documents and settings\All Users\Application Data\Google Updater
2009-05-21 13:55 . 2008-06-04 14:41 -------- d-----w d:\documents and settings\All Users\Application Data\Installations
2009-05-21 13:55 . 2008-06-04 14:42 -------- d-----w d:\program files\Nokia
2009-05-21 13:53 . 2008-06-04 14:43 -------- d-----w d:\program files\Common Files\Nokia
2009-05-20 11:59 . 2009-04-15 20:02 -------- d---a-w d:\documents and settings\All Users\Application Data\TEMP
2009-05-20 09:54 . 2007-08-19 15:19 -------- d-----w d:\program files\Common Files\Autodesk Shared
2009-05-20 09:54 . 2007-08-19 15:24 -------- d-----w d:\documents and settings\All Users\Application Data\Autodesk
2009-05-18 23:33 . 2009-05-18 23:33 0 ---ha-w d:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-05-18 23:33 . 2009-05-18 23:33 0 ---ha-w d:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-05-16 16:04 . 2007-08-12 03:35 -------- d-----w d:\program files\Common Files\Ahead
2009-05-16 16:04 . 2007-08-12 03:35 -------- d-----w d:\program files\Ahead
2009-05-16 15:49 . 2007-08-06 04:32 -------- d--h--w d:\program files\InstallShield Installation Information
2009-05-16 15:42 . 2007-09-01 17:47 -------- d-----w d:\documents and settings\Henry & Lisa\Application Data\RipIt4Me
2009-05-16 15:42 . 2008-04-11 06:43 -------- d-----w d:\program files\QuickTime
2009-05-03 13:36 . 2008-06-20 05:06 -------- d-----w d:\documents and settings\All Users\Application Data\avg8
2009-05-03 09:47 . 2007-08-06 17:27 -------- d-----w d:\program files\Common Files\Adobe
2009-04-30 05:26 . 2009-04-07 06:54 56 --sh--r d:\windows\system32\CDA356E0E4.sys
2009-04-26 09:25 . 2007-09-01 17:45 -------- d-----w d:\documents and settings\All Users\Application Data\DVD Shrink
2009-04-25 04:38 . 2009-01-21 03:11 64160 ----a-w d:\windows\system32\drivers\Lbd.sys
2009-04-22 05:49 . 2009-04-22 06:14 796440 ----a-w d:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-04-22 04:42 . 2009-04-22 04:42 -------- d-----w d:\program files\Nsasoft
2009-04-20 13:14 . 2009-04-20 13:14 2311 ----a-w d:\documents and settings\All Users\Application Data\xml3.tmp
2009-04-20 13:14 . 2008-04-01 08:59 9017 ----a-w d:\documents and settings\All Users\Application Data\xml14.tmp
2009-04-20 13:14 . 2008-04-01 08:59 13598 ----a-w d:\documents and settings\All Users\Application Data\xml15.tmp
2009-04-18 15:51 . 2009-04-18 09:12 -------- d-----w d:\documents and settings\All Users\Application Data\Symantec
2009-04-16 04:57 . 2008-02-10 10:35 -------- d-----w d:\program files\Back2zip
2009-04-15 09:29 . 2009-04-15 09:29 -------- d-----w d:\program files\FriendFinder
2009-04-08 10:05 . 2009-04-08 04:13 155 ----a-w d:\windows\system32\SelfDel.bat
2009-04-08 08:04 . 2007-08-11 17:30 65536 ----a-r d:\documents and settings\Henry & Lisa\Application Data\Microsoft\Installer\{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
2009-04-08 08:04 . 2007-08-11 17:30 10134 ----a-r d:\documents and settings\Henry & Lisa\Application Data\Microsoft\Installer\{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}\ARPPRODUCTICON.exe
2009-04-08 08:02 . 2009-04-08 08:02 -------- d-----w d:\program files\Common Files\Corel
2009-04-07 06:45 . 2009-04-07 06:45 -------- d-----w d:\program files\Corel
2009-04-04 14:15 . 2009-04-04 14:15 -------- d-----w d:\program files\Microsoft
2009-04-04 14:15 . 2009-04-04 14:15 -------- d-----w d:\program files\Windows Live SkyDrive
2009-04-04 14:14 . 2008-03-06 17:49 -------- d-----w d:\program files\Windows Live
2009-04-04 14:11 . 2009-04-04 14:11 -------- d-----w d:\program files\Common Files\Windows Live
2009-04-02 01:44 . 2007-09-15 05:36 -------- d-----w d:\program files\Google
2009-04-02 00:42 . 2008-06-04 14:44 -------- d-----w d:\documents and settings\Henry & Lisa\Application Data\Nokia
2009-04-01 14:24 . 2008-06-04 14:44 -------- d-----w d:\documents and settings\Henry & Lisa\Application Data\PC Suite
2009-03-29 06:36 . 2009-03-29 06:14 -------- d-----w d:\program files\Windows Live Safety Center
2009-03-16 03:11 . 2009-01-22 06:19 15688 ----a-w d:\windows\system32\lsdelete.exe
2009-03-11 03:15 . 2009-03-11 03:15 69664 ----a-w d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys
2009-03-11 03:15 . 2009-03-11 03:15 274792 ----a-w d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe
2009-03-11 03:15 . 2009-03-11 03:15 73064 ----a-w d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2007-08-22 14:36 . 2007-08-22 14:34 24 --sh--w d:\windows\SBE7B7C44.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"PC Suite Tray"="d:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="d:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="d:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="d:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"MSConfig"="d:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"BluetoothAuthenticationAgent"="bthprops.cpl" - d:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

d:\documents and settings\Henry & Lisa\Start Menu\Programs\Startup\
Adobe Gamma.lnk - d:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-03 13:37 11952 ----a-w d:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"MIDI1"= SYNCOR11.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=d:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=d:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
backup=d:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Delivery Agent.lnk]
backup=d:\windows\pss\QuickBooks Delivery Agent.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=d:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^Henry & Lisa^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
backup=d:\windows\pss\OpenOffice.org 3.0.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeMem Pro
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMC
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"SandraTheSrv"=3 (0x3)
"SandraDataSrv"=3 (0x3)
"ose"=3 (0x3)
"NetSvc"=3 (0x3)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"EPSONStatusAgent2"=2 (0x2)
"Autodesk Licensing Service"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Graphisoft\\ArchiCAD 10_new\\ArchiCAD 10\\ArchiCAD.exe"=
"d:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"d:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\Win32\\RpcDataSrv.exe"=
"d:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\RpcSandraSrv.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\WINDOWS\\system32\\sessmgr.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 BtHidBus;Bluetooth HID Bus Service;d:\windows\system32\drivers\BtHidBus.sys [2009/01/07 11:39 PM 20744]
R0 Lbd;Lbd;d:\windows\system32\drivers\Lbd.sys [2009/01/21 05:11 AM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [2009/05/03 03:37 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;d:\windows\system32\drivers\avgtdix.sys [2009/05/03 03:37 PM 108552]
S2 gupdate1c94404ff872658;Google Update Service (gupdate1c94404ff872658);d:\program files\Google\Update\GoogleUpdate.exe [2008/11/11 03:54 PM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;d:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009/01/18 11:34 PM 953168]
S3 ATHFMWDL;Atheros USB Wireless Adapter Bootloader driver;d:\windows\system32\drivers\Athfmwdl.sys [2008/02/01 07:12 PM 43392]
S3 btnetBUs;Bluetooth PAN Bus Service;d:\windows\system32\drivers\btnetBus.sys [2008/12/07 12:44 PM 30088]
S3 getplus(r) helper;getPlus(R) Helper;d:\program files\NOS\bin\getPlus_HelperSvc.exe [2009/04/24 02:14 AM 33176]
S3 IvtBtBUs;IVT Bluetooth Bus Service;d:\windows\system32\drivers\IvtBtBus.sys [2008/07/02 02:58 PM 26248]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;d:\windows\system32\drivers\nmwcdnsu.sys [2009/05/21 03:55 PM 136704]
S4 avg8emc;AVG Free8 E-mail Scanner;d:\progra~1\AVG\AVG8\avgemc.exe [2009/05/03 03:36 PM 908568]
S4 avg8wd;AVG Free8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [2009/05/03 03:36 PM 298776]
.
Contents of the 'Scheduled Tasks' folder

2009-05-13 d:\windows\Tasks\Ad-Aware Update (Weekly).job
- d:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 04:37]

2009-05-18 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-05-22 d:\windows\Tasks\Google Software Updater.job
- d:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-09 20:07]

2009-05-22 d:\windows\Tasks\GoogleUpdateTaskMachine.job
- d:\program files\Google\Update\GoogleUpdate.exe [2008-11-11 14:09]

2009-05-22 d:\windows\Tasks\OGADaily.job
- d:\windows\system32\OGAVerify.exe [2008-12-31 15:04]

2009-05-22 d:\windows\Tasks\OGALogon.job
- d:\windows\system32\OGAVerify.exe [2008-12-31 15:04]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Sonic RecordNow! - (no file)
Notify-navlogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = www.google.co.za/advanced_search?hl=en
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel
FF - ProfilePath - d:\documents and settings\Henry & Lisa\Application Data\Mozilla\Firefox\Profiles\jkpwn3wj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.za/advanced_search?hl=en
FF - component: d:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: d:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: d:\program files\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: d:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: d:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2009-05-22 16:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-22 16:08
ComboFix-quarantined-files.txt 2009-05-22 14:08

Pre-Run: 28,507,635,712 bytes free
Post-Run: 28,604,325,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

289 --- E O F --- 2009-04-02 01:02
Attached Files: ComboFix.txt (23.6 KB)
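A log like the one above is read by hand on this forum, but the three sections that matter most (the Find3M file listing, the Run keys, and the firewall policy keys that ComboFix dumps in the same block) are regular enough to triage with a script. The following Python is an added example for this page; it is not ComboFix's own code and not something the analyst in this thread ran. The sample input is an excerpt of the log posted above. The attribute-letter meanings (d = directory, s = system, h = hidden, a = archive) are an assumption read off that listing, and the "trusted directory" and "script extension" heuristics are the example's own; a hit is a candidate for a human to look at, not a verdict.

```python
"""Triage helper for ComboFix-style logs (an added example, not ComboFix's code).
Parses the Find3M listing, the REGEDIT4-style Run keys and the firewall policy
keys from the log above; every hit is a review candidate, not a verdict."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Sample input: lines excerpted from the ComboFix log above (not the full log).
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-05-22 12:00 . 2007-08-11 17:31 3506 --sha-w d:\windows\system32\KGyGaAvL.sys
2009-05-18 23:33 . 2009-05-18 23:33 0 ---ha-w d:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-04-30 05:26 . 2009-04-07 06:54 56 --sh--r d:\windows\system32\CDA356E0E4.sys
2009-04-08 10:05 . 2009-04-08 04:13 155 ----a-w d:\windows\system32\SelfDel.bat
2007-08-22 14:36 . 2007-08-22 14:34 24 --sh--w d:\windows\SBE7B7C44.tmp
2009-05-16 15:49 . 2007-08-06 04:32 -------- d--h--w d:\program files\InstallShield Installation Information

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"PC Suite Tray"="d:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"""

# Find3M line: "<mtime> . <ctime> <size|--------> <attrs> <path>". Assumption read
# off the listing: in the 7-char attribute field 'd' = directory, 's' = system,
# 'h' = hidden, 'a' = archive.
FIND3M_LINE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S{7}) (?P<path>.+)$")
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
QUOTED_PATH = re.compile(r'^"([^"]*)"')
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\")
TRUSTED_RUN_DIR = re.compile(r"^[a-z]:\\(windows|program files)\\")  # heuristic, not a rule
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".pif", ".scr")


class FileEntry(NamedTuple):
    mtime: str
    ctime: str
    size: Optional[int]  # None for directories (size column is --------)
    attrs: str
    path: str


def parse_find3m(text: str) -> List[FileEntry]:
    """One FileEntry per Find3M line; every other line is ignored."""
    out = []
    for m in filter(None, map(FIND3M_LINE.match, text.splitlines())):
        size = None if m["size"].startswith("-") else int(m["size"])
        out.append(FileEntry(m["mtime"], m["ctime"], size, m["attrs"], m["path"]))
    return out


def parse_reg_sections(text: str) -> dict:
    """Map each [key] header to its list of (name, raw value) pairs."""
    sections, current = {}, None
    for line in text.splitlines():
        k = REG_KEY.match(line)
        if k:
            current = k["key"]
            sections.setdefault(current, [])
            continue
        v = REG_VALUE.match(line)
        if v and current is not None:
            sections[current].append((v["name"], v["value"]))
    return sections


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (reason, item) pairs a reviewer should look at first."""
    findings = []
    for e in parse_find3m(text):
        low = e.path.lower()
        if e.attrs.startswith("d"):
            continue  # directories: hidden/system bits there are routine
        if "h" in e.attrs and "s" in e.attrs and WINDOWS_DIR.match(low):
            findings.append(("hidden+system file under Windows", e.path))
        if low.endswith(SCRIPT_EXT) and "\\system32\\" in low:
            findings.append(("script in system32", e.path))
    for key, values in parse_reg_sections(text).items():
        kl = key.lower()
        if kl.endswith("\\run"):  # autostart entries: where does each one point?
            for name, value in values:
                m = QUOTED_PATH.match(value)
                target = (m.group(1) if m else value).lower()
                if not TRUSTED_RUN_DIR.match(target):
                    findings.append(("Run entry outside Windows/Program Files", f"{name} -> {target}"))
        elif kl.endswith("globallyopenports\\list"):  # any port listed here is reachable by anyone
            findings += [("firewall port open to all (standard profile)", n) for n, _ in values]
        elif kl.endswith("icmpsettings"):
            for name, value in values:
                if name == "AllowInboundEchoRequest" and value.startswith("1"):
                    findings.append(("firewall answers inbound ping", name))
    return findings


if __name__ == "__main__":
    for reason, item in triage(SAMPLE_LOG):
        print(f"{reason:45} {item}")
```

On this excerpt the script flags the two files the analyst names in the next reply (SelfDel.bat as a script in system32, SBE7B7C44.tmp as hidden+system under Windows), but it also flags two hidden+system .sys files in system32 that the analyst did not ask to remove, which is exactly why a rule like this yields candidates rather than conclusions. It further surfaces 3389/TCP (the Remote Desktop port) open to all in the firewall's standard profile and inbound echo requests enabled; neither is malware, but both are worth confirming as intentional on a home machine.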
Old 05-22-2009, 11:51 AM   #8
Ried, TSF Security Manager (Emeritus). Join Date: Jan 2005; Location: Ohio; Posts: 42,837; OS: WinXP Home, Vista, Windows 7 64bit

Hi Henry, not much here.

Delete these 2 files and you're good to go. If any issues remain, please return to your Windows XP thread.

d:\windows\system32\SelfDel.bat
d:\windows\SBE7B7C44.tmp
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 05-22-2009, 11:01 PM   #9
happydaze29, Registered Member. Join Date: Jun 2008; Location: South Africa; Posts: 125; OS: Windows 10 Pro

Many thanks for your help,

Was I infected and by what?

Please can you advise me on what anti-virus I should be having? I've got AVG but that seems poor, Ad-Aware, Spybot, anti-malware.

Which do you recommend?

Regards,
Henry
Old 05-23-2009, 05:21 AM   #10
Ried, TSF Security Manager (Emeritus). Join Date: Jan 2005; Location: Ohio; Posts: 42,837; OS: WinXP Home, Vista, Windows 7 64bit

No, there was no active infection. Just some leftovers of your previous infection.

Have a look here for comparisons --> www.av-comparatives.org.


I'm sorry, but I am not at liberty to recommend any AV in particular. You may, however, want to pose your question in our General Computer Security forum, where other members can post their personal views and experiences with various AVs.


Also, please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention
Old 05-23-2009, 08:43 AM   #11
happydaze29, Registered Member. Join Date: Jun 2008; Location: South Africa; Posts: 125; OS: Windows 10 Pro

I will, things are much better but not perfect. A billion thanks for all your help. One last question, should I do a Repair or similar reinstall from my Windows CD, and is there a way to do that without losing all my current installations?

If this is not the right thread for that please point me in the right direction.

Again, many thanks for your time.
Henry.
Old 05-23-2009, 08:51 AM   #12
Ried, TSF Security Manager (Emeritus). Join Date: Jan 2005; Location: Ohio; Posts: 42,837; OS: WinXP Home, Vista, Windows 7 64bit

Quote: Originally Posted by Ried
Hi Henry, not much here.

Delete these 2 files and you're good to go. If any issues remain, please return to your Windows XP thread.

As the focus of this forum is malware removal, you'd be better served by the folks in Windows XP Support.
Old 05-27-2009, 02:56 AM   #13
happydaze29, Registered Member. Join Date: Jun 2008; Location: South Africa; Posts: 125; OS: Windows 10 Pro

Hi,

On a whim I did a windows Live scan and it found this:
d:\system volume information\_restore{83f5018a-eadf-4b12-bdcf-e502d68085c9}\rp38\a0026385.dll
d:\system volume information\_restore{83f5018a-eadf-4b12-bdcf-e502d68085c9}\rp38\a0025768.dll
d:\system volume information\_restore{83f5018a-eadf-4b12-bdcf-e502d68085c9}\rp38\a0026622.exe
d:\system volume information\_restore{83f5018a-eadf-4b12-bdcf-e502d68085c9}\rp38\a0026620.dll
d:\system volume information\_restore{83f5018a-eadf-4b12-bdcf-e502d68085c9}\rp38\a0026835.exe

It couldn't be removed.

Help!

Henry
Old 05-27-2009, 05:39 AM   #14
Ried, TSF Security Manager (Emeritus). Join Date: Jan 2005; Location: Ohio; Posts: 42,837; OS: WinXP Home, Vista, Windows 7 64bit

Hi Henry,

No real worries there. D:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore.

The only way to clear them is to turn off System Restore and clear out ALL previous restore points. I was hesitant to advise that since your issue is still not resolved. Anytime troubleshooting is being done on Windows, should any actions you take leave you with a serious OS issue, you'd still have a safety net with System Restore in place. Even an infected restore point is better than none if Windows won't boot. The infection can easily be cleaned again.

Once you're finished troubleshooting your system with the Windows folks, simply do the following:

* Click Start >> Run, type SYSDM.CPL and press Enter
* Select the System Restore tab
* Tick the checkbox "Turn off System Restore on all drives"
* Click Apply
* Then untick the same checkbox and click OK
This will flush out previous restore points (which contain the infections) and create a new restore point.
 
