surreyfrog
(regular)
Mon Jun 22 2009 01:33 PM
browser redirecting etc

Hi there, I really hope you can help with this.

My laptop was recently infected. At first I was getting fake virus alerts. I found 3 new .exe files that had been downloaded, and got rid of them. The virus alerts stopped, but now when I google something and click on one of the listed items, I'm redirected to spurious sites. Sometimes I get random audio playing. I was unable to run any antivirus scan apart from Ad-Aware, nor could I get System Restore to run (something was stopping it). Ad-Aware warned me it had found win32trojantdss but it couldn't remove it. Eventually with the help of a forum member I got Malwarebytes to run. It found and removed lots of infections but there is one left, c:\windows\system32\uacinit.dll. After rebooting I still get the browser redirection problem. Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:19:57, on 22/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HPCC\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MrHealthy (MrHealthyService) - Symantec Corporation - C:\Program Files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 5183 bytes


Joe_London
(HijackThis Helper)
Mon Jun 22 2009 04:26 PM
Re: browser redirecting etc

Hi Surreyfrog,

I read your post in the other forum. As I understand it you used Hijackthis yourself and removed certain entries that looked suspicious to you without consulting anyone.

If that is the case then it's best to restore the system from the HJT backup and start again, as you may have removed some vital system files.

Can you do that first as a matter of urgency and then do another HJT scan and post the complete log?

Joe.


surreyfrog
(regular)
Mon Jun 22 2009 05:11 PM
Re: browser redirecting etc

Hi Joe

OK, I did what you asked, I restored all the entries from the Hijackthis backup.

Here is the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:07:52, on 22/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HPCC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HPCC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HPCC\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SIMBAR={C5280A13-4B43-4C21-930D-F62ECB98FE3A}; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" -"http://www.miniclip.com/games/police-chopper/en/"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MrHealthy (MrHealthyService) - Symantec Corporation - C:\Program Files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 6801 bytes


Joe_London
(HijackThis Helper)
Mon Jun 22 2009 06:24 PM
Re: browser redirecting etc

Hi again Surreyfrog,

Please open Hijackthis,
Click Config | Misc Tools | Open Uninstall Manager.
A list of the entries in Add/remove programs will appear.
Click on Save List...
The list will be saved as 'Uninstall_list.txt'
Copy & Paste the contents in your next reply.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

If you don't know how to disable some of your security programs have a look :- HERE

Double click on ComboFix.exe & follow the prompts.
    When finished, it will produce a report for you.


  • Please post the C:\ComboFix.txt along with a new HijackThis log for further review.


FOR OTHER USERS, DO NOT RUN COMBOFIX UNLESS YOU ARE ASKED TO DO SO BY A HJT HELPER

Joe.


surreyfrog
(regular)
Mon Jun 22 2009 07:11 PM
Re: browser redirecting etc

Joe

Followed your instructions, including downloading combofix.exe to desktop.

But when it came to trying to run it, clicking on the icon to run it, the program does not run.


Joe_London
(HijackThis Helper)
Mon Jun 22 2009 09:01 PM
Re: browser redirecting etc

Something may be blocking it, the question is what?

First ensure that all your full time protections are turned off.

I see you have Spybot Search & Destroy Teatimer on.

Please disable TeaTimer, it can be re-activated once your HijackThis log is clean at the end of this fix.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.



If that doesn't work, try renaming combofix.exe to, say, surreyfrog.exe

Joe.


surreyfrog
(regular)
Mon Jun 22 2009 09:22 PM
Re: browser redirecting etc

OK, it has run, I renamed the file and it worked.


UNINSTALL_LIST.TXT:


2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office system
3DVIA Player 4.1
Ad-Aware
Ad-Aware
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.8
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.0
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
AVG 8.5
CAM UnZip 4.42
CCleaner (remove only)
Cheat Engine 5.3
Cheat Engine 5.5
Conexant HD Audio
Critical Update for Windows Media Player 11 (KB959772)
Driver Detective
DV 5900
EphPod
Express Burn
Free Studio version 4.1
Gabbasoft Cube Demo
Google Earth
Google SketchUp 6
Google SketchUp 6 Exporters
Google SketchUp LayOut 6
Google SketchUp Pro 6
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Highlight Viewer (Windows Live Toolbar)
HijackThis 2.0.2
Home Media Server 4.0.0.0072
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotkey 1.0.4
InterActual Player
iTunes
J2SE Runtime Environment 5.0 Update 7
Java(TM) 6 Update 10
Java(TM) 6 Update 6
Java(TM) 6 Update 7
LG MC USB Modem driver
LG PC Suite II
Macrogaming SweetIM 2.1
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Movavi Video Converter 6
Mozilla Firefox (3.0.8)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Musicnotes Player V1.22.3
Nero 7 Essentials
Nero BackItUp 2 Essentials
neroxml
Nokia Connectivity Cable Driver
Nokia Lifeblog 2.1
Nokia MTP driver
Nokia PC Connectivity Solution
Nokia PC Suite
Nokia Software Launcher
Norton PC Checkup
Paragon Drive Backup™ 9.0 Express
Photo Story 3 for Windows
Photo Viewer 2.25
Pivot Stickfigure Animator
PowerDVD
QuickTime
Quivic
Sage Instant Accounts v14
SAMSUNG Mobile Composite Device Software
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung New PC Studio
Samsung New PC Studio
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Sibelius Scorch
Sibelius Scorch (ActiveX Only)
Smart Menus (Windows Live Toolbar)
Soft Data Fax Modem with SmartCP
Spybot - Search & Destroy
SpywareBlaster 4.2
SweetIM For Internet Explorer 3.0b
Switch
The Sims 2
U211 DVD 2
Ulead Photo Explorer 8.0 SE Basic
Uninstall 1.0.0.1
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Outlook 2007 Junk Email Filter (kb970012)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VIA Platform Device Manager
VIA Rhine-Family Fast Ethernet Adapter
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WavePad Uninstall
Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
Windows Driver Package - Nokia Modem (06/12/2006 6.81.0.21)
Windows Internet Explorer 7
Windows Live Favorites for Windows Live Toolbar
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Xdrive Desktop Lite
Xdrive Desktop Lite


COMBOFIX LOG:

ComboFix 09-06-21.01 - HPCC 22/06/2009 21:00.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.766.620 [GMT 1:00]
Running from: c:\documents and settings\HPCC\Desktop\dave.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1311457910-2216357783-1963112701-500
c:\recycler\S-1-5-21-1311457910-2216357783-1963112701-500\desktop.ini
c:\recycler\S-1-5-21-1311457910-2216357783-1963112701-500\INFO2
c:\windows\system32\drivers\UACnmrinqorivkcksjgc.sys
c:\windows\system32\UACercriuhnqvmaapstk.dll
c:\windows\system32\UACfalkyxuwqeefotfit.dll
c:\windows\system32\UACfiblqwpjwxnclwkls.log
c:\windows\system32\UACibvvtstnioffumyrv.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkdqlcemidvbjljvts.dll
c:\windows\system32\UAClespwivxeeolctims.dll
c:\windows\system32\UACossfanoronsbnrerr.dll
c:\windows\system32\UACqmdbwnaqhwbdwfodc.log
c:\windows\system32\UACuxxtpelwkppyymseb.dat
E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-05-22 to 2009-06-22 )))))))))))))))))))))))))))))))
.

2009-07-02 17:24 . 2009-07-02 17:24 -------- d-----w- c:\program files\LG Electronics
2009-07-02 17:21 . 2007-11-08 15:26 1164728 ----a-w- c:\windows\system32\NMSDVDXU.dll
2009-07-02 17:21 . 2009-07-02 17:21 -------- d-----w- c:\documents and settings\HPCC\Application Data\LG Electronics
2009-07-02 17:21 . 2009-07-02 17:22 -------- d-----w- c:\program files\LG PC Suite II
2009-07-02 17:20 . 2009-07-02 17:20 -------- d-----w- c:\documents and settings\HPCC\Application Data\InstallShield
2009-06-29 10:09 . 2009-06-29 10:09 -------- d-----w- c:\program files\CAM Development
2009-06-22 19:31 . 2009-06-22 19:31 -------- d-----w- C:\Com
2009-06-22 19:30 . 2009-06-22 19:31 -------- d-----w- C:\32788R22FWJFW.1.tmp
2009-06-22 19:30 . 2009-06-22 19:30 -------- d-----w- C:\Fix
2009-06-22 19:30 . 2009-06-22 19:30 -------- d-----w- C:\32788R22FWJFW.0.tmp
2009-06-22 10:10 . 2009-06-22 10:10 -------- d-----w- c:\documents and settings\HPCC\Application Data\Malwarebytes
2009-06-22 10:07 . 2009-06-22 10:07 -------- d-----w- c:\program files\mwb
2009-06-21 21:24 . 2009-06-22 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-21 21:03 . 2009-06-22 18:02 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-21 17:10 . 2009-06-22 18:01 -------- d-----w- c:\program files\Lavasoft
2009-06-21 17:10 . 2009-06-21 17:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-21 07:28 . 2009-06-18 08:58 2052888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-20 14:55 . 2009-06-17 10:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-20 14:55 . 2009-06-22 12:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-20 14:55 . 2009-06-20 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-20 14:55 . 2009-06-17 10:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-18 08:59 . 2009-06-09 07:49 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-06-18 08:59 . 2009-06-09 07:49 1261344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll
2009-06-18 08:59 . 2009-06-09 07:49 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-06-16 09:06 . 2009-06-16 09:06 -------- d-----w- c:\documents and settings\HPCC\Local Settings\Application Data\Sage
2009-06-16 09:00 . 2009-06-16 09:00 -------- d-----w- c:\program files\Common Files\InstallEngine
2009-06-16 08:57 . 2009-06-16 08:57 -------- d-----w- c:\program files\Common Files\Sage Shared
2009-06-16 08:55 . 2009-06-16 08:57 -------- d-----w- c:\program files\Common Files\Sage Line50
2009-06-16 08:55 . 2009-06-16 09:07 -------- d-----w- c:\program files\Common Files\Sage SBD
2009-06-16 08:55 . 2009-06-16 09:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Sage
2009-06-16 08:55 . 2009-06-16 08:58 -------- d-----w- c:\program files\Common Files\Sage Report Designer 2007
2009-06-16 08:54 . 2009-06-16 08:54 -------- d-----w- c:\program files\Sage
2009-06-09 12:08 . 2009-06-09 12:08 -------- d-----w- c:\documents and settings\HPCC\Local Settings\Application Data\AVG Security Toolbar
2009-06-09 08:23 . 2009-06-09 08:24 -------- d-----w- c:\documents and settings\HPCC\Local Settings\Application Data\Deployment
2009-06-09 08:22 . 2009-06-02 12:38 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-09 07:50 . 2009-06-09 07:49 826344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe
2009-06-09 07:49 . 2009-06-11 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-09 07:48 . 2009-06-09 07:48 1452312 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-06-01 07:14 . 2008-02-22 14:33 14976 ----a-w- c:\windows\system32\drivers\sscdmdfl.sys
2009-06-01 07:14 . 2008-02-22 14:33 12160 ----a-w- c:\windows\system32\drivers\sscdwhnt.sys
2009-06-01 07:14 . 2008-02-22 14:33 12160 ----a-w- c:\windows\system32\drivers\sscdwh.sys
2009-06-01 07:14 . 2008-02-22 14:33 114304 ----a-w- c:\windows\system32\drivers\sscdmdm.sys
2009-06-01 07:14 . 2008-02-22 14:33 87936 ----a-w- c:\windows\system32\drivers\sscdbus.sys
2009-06-01 07:14 . 2008-02-22 14:33 12160 ----a-w- c:\windows\system32\drivers\sscdcmnt.sys
2009-06-01 07:14 . 2008-02-22 14:33 12160 ----a-w- c:\windows\system32\drivers\sscdcm.sys
2009-06-01 07:14 . 2009-06-01 07:14 -------- d-----w- c:\windows\system32\Samsung_USB_Drivers
2009-06-01 07:14 . 2009-01-08 08:42 36608 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
2009-06-01 07:14 . 2009-01-08 08:42 233472 ----a-w- c:\windows\system32\FsUsbExService.Exe
2009-06-01 07:14 . 2009-01-08 08:42 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll
2009-06-01 07:14 . 2009-06-01 07:14 -------- d-----w- c:\documents and settings\HPCC\Application Data\Samsung
2009-06-01 07:13 . 2009-06-01 07:13 -------- d-----w- c:\program files\MarkAny
2009-06-01 07:13 . 2009-06-01 07:13 -------- d-----w- c:\program files\Samsung

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-22 17:37 . 2009-04-02 17:42 -------- d-----w- c:\program files\Cheat Engine
2009-06-21 15:08 . 2008-08-31 19:54 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-20 10:11 . 2008-03-10 20:24 -------- d-----w- c:\program files\Windows Live Toolbar
2009-06-18 08:58 . 2007-04-05 10:18 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 09:00 . 2007-01-15 17:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-14 06:08 . 2007-04-05 10:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-09 07:49 . 2009-03-27 16:37 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-01 07:14 . 2007-12-25 11:51 -------- d-----w- c:\program files\DIFX
2009-05-28 10:15 . 2008-08-06 08:54 34 ----a-w- c:\documents and settings\HPCC\jagex_runescape_preferences.dat
2009-05-07 15:44 . 2006-01-30 17:59 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2006-01-30 17:59 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2006-01-30 17:59 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-26 14:47 . 2008-11-03 22:07 -------- d-----w- c:\documents and settings\HPCC\Application Data\Ahead
2009-04-25 07:41 . 2009-03-27 16:37 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-04-25 07:41 . 2009-03-27 16:37 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-25 07:40 . 2009-03-27 16:37 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-04-17 09:58 . 2006-01-30 17:59 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:26 . 2006-01-30 17:59 583168 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-07 18:51 . 2009-04-07 18:51 127 ----a-w- c:\documents and settings\HPCC\Local Settings\Application Data\fusioncache.dat
2002-04-16 09:27 . 2002-04-16 09:27 5 --sha-w- c:\windows\system32\CdI5T.drv
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\flfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\rlfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\TMail3FL.SYS
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\TMailRL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-25 07:41 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [27/03/2009 17:37 12552]
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [08/11/2008 12:10 40464]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [27/03/2009 17:37 108552]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [27/03/2009 17:37 327688]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [27/03/2009 17:37 906520]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [27/03/2009 17:37 298776]
S2 azkl;azkl;c:\windows\system32\drivers\tcym.sys --> c:\windows\system32\drivers\tcym.sys [?]
S2 Ca536av;DV 5900(Video);c:\windows\system32\drivers\Ca536av.sys [30/03/2008 14:57 514859]
S2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service --> c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service [?]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [01/06/2009 08:14 36608]
S3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [15/01/2007 18:40 659456]
S3 USBCamera;DV 5900(Still);c:\windows\system32\drivers\Bulk536.sys [30/03/2008 14:57 11048]
S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [01/06/2009 08:14 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-06-22 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-06-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3121785044-16713964-2988421403-1005.job
- c:\documents and settings\HPCC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-09 08:24]

2009-06-17 c:\windows\Tasks\Norton PC Checkup Weekday Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]

2009-06-21 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]
.
- - - - ORPHANS REMOVED - - - -

HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SIMBAR={C5280A13-4B43-4C21-930D-F62ECB98FE3A}; GTB6; .NET CLR 1.1.4322; .NET
HKLM-Run-NPSStartup - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-22 21:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-22 21:08
ComboFix-quarantined-files.txt 2009-06-22 20:08

Pre-Run: 34,650,185,728 bytes free
Post-Run: 34,712,920,064 bytes free

198 --- E O F --- 2009-06-14 06:08


surreyfrog
(regular)
Mon Jun 22 2009 09:34 PM
Re: browser redirecting etc

Joe - dare I say it, after doing the above it all seems back to normal.

Joe_London
(HijackThis Helper)
Mon Jun 22 2009 11:43 PM
Re: browser redirecting etc

Quote:

Joe - dare I say it, after doing the above it all seems back to normal.

Thought it might but we still have work to do.

Please go to the add/remove utility in the control panel and uninstall all the following programmes:
Ask Toolbar
J2SE Runtime Environment 5.0 Update 7
Java(TM) 6 Update 10
Java(TM) 6 Update 6
Java(TM) 6 Update 7
SweetIM For Internet Explorer 3.0b

I suggest reviewing your securities, as you appear to have some duplication.

I recommend uninstalling the following as well, as it does much the same job as other programmes you have on there.
Ad-Aware
Ad-Aware
Now run Ccleaner.
Now run malwarebytes and post the report/log (Be sure to update definitions first.)


Do you recognise these drivers? It's possible Mbam will remove them if they are dodgy. Do not remove them otherwise.

2002-04-16 09:27 . 2002-04-16 09:27 5 --sha-w- c:\windows\system32\CdI5T.drv
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\flfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\rlfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\TMail3FL.SYS
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\TMailRL.sys

What firewall do you have?


Post the following:
  1. The Malwarebytes log.
  2. Another Hijackthis log
  3. Another Uninstall List.
  4. The Requested Information.


This may not remove all the infections present. It is important that you post back and complete the fix.

Please post in this thread for further review and evaluation.
Please provide details of any problems you encountered whilst performing the above steps & update us on how the Computer is running.

Joe.


surreyfrog
(regular)
Tue Jun 23 2009 07:06 AM
Re: browser redirecting etc

Quote:

Please go to the add/remove utility in the control panel and uninstall all the following programmes:
Ask Toolbar
J2SE Runtime Environment 5.0 Update 7
Java(TM) 6 Update 10
Java(TM) 6 Update 6
Java(TM) 6 Update 7
SweetIM For Internet Explorer 3.0b

Joe sorry to be a pain, but it's not clear to me which button to hit.

HJT gives a list of programs that can be removed.

I first selected ASK toolbar

I saw three buttons I could use: 'delete this entry' 'edit uninstall command' and 'open add/remove software list'

I hit 'delete this entry'

Having done so I wondered if I had done the right thing, and maybe I should have used 'open add/remove software list'

Can you advise please?


Joe_London
(HijackThis Helper)
Tue Jun 23 2009 08:39 AM
Re: browser redirecting etc

Quote:

hit 'delete this entry'

Sorry if it was unclear. If you're not sure what to do, post back first before doing anything, as you may remove something vital to the system. HJT contains good entries as well as the nasty ones. Unfortunately, in this instance it didn't show the nasties at all.

I was referring to the Add/remove utility accessible through the control panel. Go to Start | Control Panel. Then select the Add/Remove utility from there, then scroll down and remove all those entries I listed.


surreyfrog
(regular)
Tue Jun 23 2009 10:34 AM
Re: browser redirecting etc

Thanks Joe - your instructions below with my responses with asterisks round them (? couldn't put colours/bold etc in reply):

Please go to the add/remove utility in the control panel and uninstall all the following programmes:
Ask Toolbar
J2SE Runtime Environment 5.0 Update 7
Java(TM) 6 Update 10
Java(TM) 6 Update 6
Java(TM) 6 Update 7
SweetIM For Internet Explorer 3.0b

**********************************************************************
As mentioned in my last post, I used the delete option in HJT on Ask Toolbar. Ask Toolbar does not now show in add/remove programs in XP control panel. Removed the rest of the programs in your list using XP control panel, but when removing SweetIM got this message:

trying to uninstall sweetim: error 1905 module c:\program files macrogaming\sweetimbarforie\toolbar dll failed to unregister. hresult - 2147220472. contact your support personnel
*******************************************************************


I suggest reviewing your securities as you appear to have some duplication

I recommend uninstalling the following as well as it does much the same job as other programmes you have on there.
Ad-Aware
Ad-Aware

********************************
now removed
********************************


Now run Ccleaner.

**************************************************
done, but I did not run the registry cleaner in ccleaner
********************************************************

Now run malwarebytes and post the report/log (Be sure to update definitions first.)


*************************************
done - log below.

Malwarebytes' Anti-Malware 1.38
Database version: 2321
Windows 5.1.2600 Service Pack 2

23/06/2009 10:08:17
mbam-log-2009-06-23 (10-08-17).txt

Scan type: Full Scan (C:\|)
Objects scanned: 185131
Time elapsed: 1 hour(s), 6 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\system32\UACercriuhnqvmaapstk.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACfalkyxuwqeefotfit.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UAClespwivxeeolctims.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACossfanoronsbnrerr.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{2fe390b6-fb31-48e2-8d14-5a0feedef327}\RP679\A0116026.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{2fe390b6-fb31-48e2-8d14-5a0feedef327}\RP679\A0116027.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{2fe390b6-fb31-48e2-8d14-5a0feedef327}\RP679\A0116028.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{2fe390b6-fb31-48e2-8d14-5a0feedef327}\RP679\A0116025.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
***********************************************************************



Do you recognise these drivers? It's possible Mbam will remove them if they are dodgy. Do not remove them otherwise.

2002-04-16 09:27 . 2002-04-16 09:27 5 --sha-w- c:\windows\system32\CdI5T.drv
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\flfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\rlfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\TMail3FL.SYS
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\TMailRL.sys

*************************************************************
Sorry, I don't have the technical knowledge to be able to interpret what these items are.
***************************************************************


What firewall do you have?

*****************************************************
As far as I know it's the one that comes with Windows XP
*****************************************************


Post the following:
  1. The Malwarebytes log.
    ****************************************
    DONE - SEE ABOVE
    **************************************

  2. Another Hijackthis log

    *********************************************
    done - below

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:13:30, on 23/06/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16850)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    C:\PROGRA~1\AVG\AVG8\avgam.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    C:\WINDOWS\system32\IoctlSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\HPCC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    E:\our laptop HDD copy 090609\Program Files\CCleaner\CCleaner.exe
    C:\Documents and Settings\HPCC\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - (no file)
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: MrHealthy (MrHealthyService) - Symantec Corporation - C:\Program Files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

    --
    End of file - 5665 bytes
    ************************************************************


  3. Another Uninstall List.

    **********************************************************
    done - below

    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office system
    3DVIA Player 4.1
    Adobe AIR
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0.8
    Adobe Shockwave Player
    Adobe® Photoshop® Album Starter Edition 3.0
    Apple Mobile Device Support
    Apple Software Update
    AVG 8.5
    CAM UnZip 4.42
    CCleaner (remove only)
    Cheat Engine 5.3
    Cheat Engine 5.5
    Conexant HD Audio
    Critical Update for Windows Media Player 11 (KB959772)
    Driver Detective
    DV 5900
    EphPod
    Express Burn
    Free Studio version 4.1
    Gabbasoft Cube Demo
    Google Earth
    Google SketchUp 6
    Google SketchUp 6 Exporters
    Google SketchUp LayOut 6
    Google SketchUp Pro 6
    Google Toolbar for Internet Explorer
    Google Toolbar for Internet Explorer
    Highlight Viewer (Windows Live Toolbar)
    HijackThis 2.0.2
    Home Media Server 4.0.0.0072
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB952287)
    Hotkey 1.0.4
    InterActual Player
    iTunes
    LG MC USB Modem driver
    LG PC Suite II
    Macrogaming SweetIM 2.1
    Malwarebytes' Anti-Malware
    Map Button (Windows Live Toolbar)
    Messenger Plus! Live
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Hybrid 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Movavi Video Converter 6
    Mozilla Firefox (3.0.8)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    Musicnotes Player V1.22.3
    Nero 7 Essentials
    Nero BackItUp 2 Essentials
    neroxml
    Nokia Connectivity Cable Driver
    Nokia Lifeblog 2.1
    Nokia MTP driver
    Nokia PC Connectivity Solution
    Nokia PC Suite
    Nokia Software Launcher
    Norton PC Checkup
    Paragon Drive Backup™ 9.0 Express
    Photo Story 3 for Windows
    Photo Viewer 2.25
    Pivot Stickfigure Animator
    PowerDVD
    QuickTime
    Quivic
    Sage Instant Accounts v14
    SAMSUNG Mobile Composite Device Software
    SAMSUNG Mobile Modem Driver Set
    Samsung Mobile phone USB driver Software
    SAMSUNG Mobile USB Modem 1.0 Software
    SAMSUNG Mobile USB Modem Software
    Samsung New PC Studio
    Samsung New PC Studio
    Security Update for 2007 Microsoft Office System (KB951550)
    Security Update for 2007 Microsoft Office System (KB951944)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB969679)
    Security Update for Microsoft Office Excel 2007 (KB969682)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office Publisher 2007 (KB950114)
    Security Update for Microsoft Office system 2007 (KB954326)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office Word 2007 (KB969604)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937894)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Sibelius Scorch
    Sibelius Scorch (ActiveX Only)
    Smart Menus (Windows Live Toolbar)
    Soft Data Fax Modem with SmartCP
    Switch
    The Sims 2
    U211 DVD 2
    Ulead Photo Explorer 8.0 SE Basic
    Uninstall 1.0.0.1
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office Outlook 2007 (KB969907)
    Update for Outlook 2007 Junk Email Filter (kb970012)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB932823-v3)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    VIA Platform Device Manager
    VIA Rhine-Family Fast Ethernet Adapter
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WavePad Uninstall
    Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
    Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
    Windows Driver Package - Nokia Modem (06/12/2006 6.81.0.21)
    Windows Internet Explorer 7
    Windows Live Favorites for Windows Live Toolbar
    Windows Live installer
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Toolbar
    Windows Live Toolbar
    Windows Live Toolbar Extension (Windows Live Toolbar)
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 11
    Xdrive Desktop Lite
    Xdrive Desktop Lite
    ******************************************************************




  4. The Requested Information.


This may not remove all the infections present. It is important that you post back and complete the fix.

Please post in this thread for further review and evaluation.
Please provide details of any problems you encountered whilst performing the above steps & update us on how the Computer is running.

Joe.




Joe_London
(HijackThis Helper)
Tue Jun 23 2009 01:48 PM
Re: browser redirecting etc

OK, things are taking shape now but still some more to do if you wish to proceed. Basically it's a tidy up and update exercise now as the immediate infection is gone. This is very important to complete while the computer is clean and also to prevent further infections.

You appear to have installed CCleaner and HijackThis in the wrong place which is not good. I recommend uninstalling them both via the add/remove utility in the control panel. I'll give you the re-install instructions later.

Also uninstall:
Norton PC Checkup

Do you use the following? See description below.

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

From Bleeping Computer:
Microsoft's Narrator program which is an accessibility program that reads the text on your screen to you via your speakers.

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
From Answers that work:
Utterly useless and occasionally problematic background service installed when a user installs the CD that comes with some USB thumb drives (Memory sticks / Flash memory / USB memory / Pen Drive). From our tests, and from our experience, despite using very little memory this service performs no function other than seriously impact the performance of some PCs. On some PCs this service will often cause PC slowness or random freezes.
IoctlSvc.exe Recommendation : Immediately disable this task by setting its Startup Mode to Disabled on the Services tab - your thumb drive (Memory stick / Flash memory / USB memory / Pen Drive) will work fine without it.

It is your option to have these programmes running at start-up or not as you wish.
Let me know what you wish to do please. Then I can instruct you.

What kind of drive is the "E Drive" e.g. partition, removable drive?

Is there a user account called "HPCC" if so what is it?

Are there any other user accounts on there?

My understanding is that AVG 8 includes an Anti-virus and anti-malware only but not a firewall. Is that correct?

To check this out Go to Start | Control Panel | Security Centre |
Expand the firewall and virus protection by clicking the down arrow. Let me know the name of the programmes it lists.


Joe.


surreyfrog
(regular)
Tue Jun 23 2009 02:42 PM
Re: browser redirecting etc

You appear to have installed CCleaner and HijackThis in the wrong place which is not good. I recommend uninstalling them both via the add/remove utility in the control panel. I'll give you the re-install instructions later.

*********************************
done
************************************

Also uninstall:
Norton PC Checkup

*****************************
done
******************************


Do you use the following:?

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

*************
no
*************

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

***************
no
***************
It is your option to have these programmes running at start-up or not as you wish.
Let me know what you wish to do please. Then I can instruct you.
*****************
don't want 'em
*****************************

What kind of drive is the "E Drive" e.g. partition, removable drive?
*****************************
external usb hard drive
****************************

Is there a user account called "HPCC" if so what is it?

***********************************
yes. this computer is my wife's work computer. it came to her already set up with an hpcc (admin) user (stands for haslemere parish something or other). she only uses the hpcc account and nothing else.
*****************************************

Are there any other user accounts on there?
********************************
control panel/users shows two users, hpcc and guest
**********************************

My understanding is that AVG 8 includes an Anti-virus and anti-malware only but not a firewall. Is that correct?

To check this out Go to Start | Control Panel | Security Centre |
Expand the firewall and virus protection by clicking the down arrow. Let me know the name of the programmes it lists.
*************************************************************
windows firewall and that's all
************************************************************


Joe.




Joe_London
(HijackThis Helper)
Tue Jun 23 2009 04:42 PM
Re: browser redirecting etc

Quote:


yes. this computer is my wife's work computer. it came to her already set up with an hpcc (admin) user (stands for haslemere parish something or other). she only uses the hpcc account and nothing else.




I'm not sure this fully complies with our rules, perhaps you would take a look yourself and give us your opinion. I'm sure you wouldn't deliberately seek to break the rules.
http://www.webuser.co.uk/forums/showflat.php/Cat/0/Number/358300/an/0/page/0#358300

If it's used in a commercial environment then it's not eligible for free help and support here.

In any event I will finish the work as we are now almost complete.

The next steps:

Go to: Start > Run
Type: services.msc
Click Enter

Maximize the Services window

Drag the separator bar between Name and Description, so you can see all the text in the Name column.

Scroll down for: Prolific Technology Inc.
Right click it and select "Properties"
Click the "Stop" button and wait for the service to be stopped.
Change the "Startup Type" from Automatic to "Disabled" (c/o drop-down menu)

Click Apply then OK

Close the Services window

Download and install the latest version "Hijackthis Executable" from:-
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
Double-click the file you've just downloaded to install the program.

It will be installed to the C:\Program Files\Trend Micro\HijackThis\ folder by default.

Now drag and drop the downloaded install file on your desktop to the trend micro folder or alternatively delete it.

Open Hijackthis, take another scan and place a checkmark next to these entries.


O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')


Close all open Windows except Hijackthis and click on "fix Checked".

Reboot the computer.

Copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad*

Copy and paste all the text in the quotebox below into it:

Quote:


KillAll::

File::
C:\Program Files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
C:\Documents and Settings\HPCC\Desktop\HiJackThis.exe

Folder::
c:\program files\Common Files\Symantec Shared
C:\Program Files\Norton PC Checkup

ADS::
C:\windows\system32






Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.





Referring to the picture above, drag CFScript.txt into ComboFix.exe

This reactivates Combofix. Again follow the prompts.

It will create another System restore point.

When finished, it shall produce a log for you at C:\ComboFix.txt

Copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Joe.
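
An added example, not part of the post above and not ComboFix's own code: a Python check that reads a CFScript like the one in the post and lists any path a cleanup log reports as deleted that does not fall under a requested File:: or Folder:: entry. The section layout (a line ending in `::` opens a section, the non-blank lines after it are its entries) is an assumption read off the script shown in this thread, and the sample deleted paths are constructed.

```python
"""Check that reported deletions stay within the scope of a CFScript."""
from ntpath import normcase, normpath  # Windows path rules, usable on any host OS

# The script from the post above, embedded so the example runs offline.
CFSCRIPT = r"""
KillAll::

File::
C:\Program Files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
C:\Documents and Settings\HPCC\Desktop\HiJackThis.exe

Folder::
c:\program files\Common Files\Symantec Shared
C:\Program Files\Norton PC Checkup

ADS::
C:\windows\system32
"""

# Constructed sample of "deleted" paths. The first three use paths that appear
# in the thread; the last is invented as an out-of-scope control.
DELETED = [
    r"c:\program files\Common Files\Symantec Shared",
    r"c:\program files\Common Files\Symantec Shared\Support Controls\SymXPep2.dll",
    r'"c:\documents and settings\HPCC\Desktop\HiJackThis.exe"',
    r"c:\windows\system32\example-not-requested.dll",
]


def parse_cfscript(text):
    """Return {section_name: [entries]}.

    Assumption: a line ending in '::' opens a section ('File::' and
    'FILE ::' are both accepted) and later non-blank lines are its entries.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2].strip().lower()
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def _canon(path):
    """Normalise a Windows path for comparison: unquote, collapse, lower-case."""
    return normcase(normpath(path.strip().strip('"')))


def out_of_scope(sections, deleted_paths):
    """Return the deleted paths not covered by a File:: or Folder:: entry.

    Only File:: and Folder:: are treated as deletion requests here; other
    sections (KillAll::, ADS::) are parsed but not used to justify a deletion.
    """
    files = {_canon(p) for p in sections.get("file", [])}
    folders = [_canon(p) for p in sections.get("folder", [])]
    unexpected = []
    for path in deleted_paths:
        c = _canon(path)
        # Compare on a path-component boundary so that a sibling such as
        # "...\Norton PC Checkup2" is not mistaken for the requested folder.
        in_folder = any(c == f or c.startswith(f + "\\") for f in folders)
        if c not in files and not in_folder:
            unexpected.append(path)
    return unexpected


if __name__ == "__main__":
    for p in out_of_scope(parse_cfscript(CFSCRIPT), DELETED):
        print("deleted but not requested:", p)
```

Anything the function returns is worth raising with the helper before carrying on with further cleanup steps.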


surreyfrog
(regular)
Tue Jun 23 2009 05:08 PM
Re: browser redirecting etc

Joe

I certainly did not intend to contravene any of the rules of the forum.

Can I say that my wife is a youth minister for our local church. She works from home and the church bought her a laptop so she could prepare presentations etc. She does not work in a commercial environment. There's really just the local reverend and her. They do not have a technical support team, any problems they get they try to sort out themselves. Hope this makes our situation a bit clearer and that you're OK with this.


surreyfrog
(regular)
Tue Jun 23 2009 05:17 PM
Re: browser redirecting etc


Go to: Start > Run
Type: services.msc
Click Enter

Maximize the Services window

Drag the separator bar between Name and Description, so you can see all the text in the Name column.

Scroll down for: Prolific Technology Inc.
Right click it and select "Properties"

****************************************************
Prolific Technology Inc was not there
******************************************


Joe_London
(HijackThis Helper)
Tue Jun 23 2009 06:38 PM
Re: browser redirecting etc

Quote:


I certainly did not intend to contravene any of the rules of the forum.

Can I say that my wife is a youth minister for our local church. She works from home and the church bought her a laptop so she could prepare presentations etc. She does not work in a commercial environment. There's really just the local reverend and her. They do not have a technical support team, any problems they get they try to sort out themselves. Hope this makes our situation a bit clearer and that you're OK with this.




Thanks for the explanation, that's fine.

Joe.


Joe_London
(HijackThis Helper)
Tue Jun 23 2009 06:40 PM
Re: browser redirecting etc

Quote:


Prolific Technology Inc was not there




It may be called PLFlash DeviceIoControl Service

Joe.


surreyfrog
(regular)
Tue Jun 23 2009 10:12 PM
Re: browser redirecting etc

Go to: Start > Run
Type: services.msc
Click Enter

Maximize the Services window

Drag the separator bar between Name and Description, so you can see all the text in the Name column.

Scroll down for: Prolific Technology Inc.
Right click it and select "Properties"
Click the "Stop" button and wait for the service to be stopped.
Change the "Startup Type" from Automatic to "Disabled" (c/o drop-down menu)

Click Apply then OK

Close the Services window

******************************************************************************
done
******************************************************************************

Download and install the latest version "Hijackthis Executable" from:-
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
Double-click the file you've just downloaded to install the program.

It will be installed to the C:\Program Files\Trend Micro\HijackThis\ folder by default.

Now drag and drop the downloaded install file on your desktop to the trend micro folder or alternatively delete it.

Open Hijackthis, take another scan and place a checkmark next to these entries.


O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')


Close all open Windows except Hijackthis and click on "fix Checked".

*************************************************************************
done
*************************************************************************

Reboot the computer.

Copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad*

Copy and paste all the text in the quotebox below into it:

Quote:


KillAll::

File::
C:\Program Files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
C:\Documents and Settings\HPCC\Desktop\HiJackThis.exe

Folder::
c:\program files\Common Files\Symantec Shared
C:\Program Files\Norton PC Checkup

ADS::
C:\windows\system32






Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.





Referring to the picture above, drag CFScript.txt into ComboFix.exe

This reactivates Combofix. Again follow the prompts.

It will create another System restore point.

When finished, it shall produce a log for you at C:\ComboFix.txt
********************************************************************
done but please be aware - I left Combofix running, came back to the laptop some time later, it was stuck on a 'windows is shutting down' screen. I closed the laptop with the power off button, restarted it, and the Combofix window was still there, saying it was producing its log. a few minutes later it finished running.
***************************************************************************

Copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.

******************************************************************

COMBOFIX:

ComboFix 09-06-21.01 - HPCC 23/06/2009 20:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.404 [GMT 1:00]
Running from: c:\documents and settings\HPCC\Desktop\dave.exe
Command switches used :: c:\documents and settings\HPCC\Desktop\CFScript.txt
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\documents and settings\HPCC\Desktop\HiJackThis.exe"
"c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\Symantec Shared
c:\program files\Common Files\Symantec Shared\Support Controls\SymXPep2.dll
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\CATALOG.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\CCERASER.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\ECMSVR32.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\EECTRL.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\ERASER.GRD
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\ERASER.SIG
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\ERASER.SPM
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\ERASER.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\ESRDEF.BIN
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\HH
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\hub.scr
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\NAVENG.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\NAVENG32.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\NAVEX15.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\NAVEX32A.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\NCSACERT.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\SCRAUTH.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\SYMAVENG.CAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\SYMAVENG.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\SYMERASE.CAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\SYMERASE.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\TCDEFS.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\TCSCAN7.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\TCSCAN8.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\TCSCAN9.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\TECHNOTE.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\TINF.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\TINFIDX.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\TINFL.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\TSCAN1.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\TSCAN1HD.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\V.GRD
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\V.SIG
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\VIRSCAN.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\VIRSCAN1.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\VIRSCAN2.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\VIRSCAN3.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\VIRSCAN4.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\VIRSCAN5.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\VIRSCAN6.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\VIRSCAN7.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\VIRSCAN8.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\VIRSCAN9.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\VIRSCANT.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\WHATSNEW.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090513.003\ZDONE.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\CATALOG.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\CCERASER.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\ECMSVR32.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\EECTRL.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\ERASER.GRD
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\ERASER.SIG
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\ERASER.SPM
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\ERASER.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\ESRDEF.BIN
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\HH
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\hub.scr
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\NAVENG.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\NAVENG32.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\NAVEX15.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\NAVEX32A.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\NCSACERT.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\SCRAUTH.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\SYMAVENG.CAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\SYMAVENG.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\SYMERASE.CAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\SYMERASE.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\TCDEFS.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\TCSCAN7.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\TCSCAN8.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\TCSCAN9.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\TECHNOTE.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\TINF.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\TINFIDX.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\TINFL.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\TSCAN1.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\TSCAN1HD.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\V.GRD
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\V.SIG
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\VIRSCAN.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\VIRSCAN1.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\VIRSCAN2.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\VIRSCAN3.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\VIRSCAN4.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\VIRSCAN5.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\VIRSCAN6.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\VIRSCAN7.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\VIRSCAN8.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\VIRSCAN9.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\VIRSCANT.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\WHATSNEW.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090607.004\ZDONE.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\CATALOG.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\CCERASER.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\ECMSVR32.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\EECTRL.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\ERASER.GRD
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\ERASER.SIG
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\ERASER.SPM
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\ERASER.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\ESRDEF.BIN
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\HH
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\hub.scr
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\NAVENG.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\NAVENG32.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\NAVEX15.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\NAVEX32A.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\NCSACERT.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\SCRAUTH.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\SYMAVENG.CAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\SYMAVENG.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\SYMERASE.CAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\SYMERASE.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\TCDEFS.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\TCSCAN7.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\TCSCAN8.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\TCSCAN9.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\TECHNOTE.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\TINF.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\TINFIDX.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\TINFL.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\TSCAN1.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\TSCAN1HD.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\V.GRD
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\V.SIG
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\VIRSCAN.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\VIRSCAN1.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\VIRSCAN2.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\VIRSCAN3.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\VIRSCAN4.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\VIRSCAN5.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\VIRSCAN6.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\VIRSCAN7.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\VIRSCAN8.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\VIRSCAN9.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\VIRSCANT.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\WHATSNEW.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090620.025\ZDONE.DAT

.
((((((((((((((((((((((((( Files Created from 2009-05-23 to 2009-06-23 )))))))))))))))))))))))))))))))
.

2009-07-02 17:24 . 2009-07-02 17:24 -------- d-----w- c:\program files\LG Electronics
2009-07-02 17:21 . 2007-11-08 15:26 1164728 ----a-w- c:\windows\system32\NMSDVDXU.dll
2009-07-02 17:21 . 2009-07-02 17:21 -------- d-----w- c:\documents and settings\HPCC\Application Data\LG Electronics
2009-07-02 17:21 . 2009-07-02 17:22 -------- d-----w- c:\program files\LG PC Suite II
2009-07-02 17:20 . 2009-07-02 17:20 -------- d-----w- c:\documents and settings\HPCC\Application Data\InstallShield
2009-06-29 10:09 . 2009-06-29 10:09 -------- d-----w- c:\program files\CAM Development
2009-06-23 19:29 . 2009-06-23 19:29 -------- d-----w- c:\program files\Trend Micro
2009-06-23 10:17 . 2009-06-23 10:17 -------- d-----w- c:\windows\system32\scripting
2009-06-23 10:17 . 2009-06-23 10:17 -------- d-----w- c:\windows\l2schemas
2009-06-23 10:17 . 2009-06-23 10:17 -------- d-----w- c:\windows\system32\en
2009-06-23 10:17 . 2009-06-23 10:17 -------- d-----w- c:\windows\system32\bits
2009-06-23 10:10 . 2009-06-23 10:18 -------- d-----w- c:\windows\ServicePackFiles
2009-06-22 19:31 . 2009-06-22 19:31 -------- d-----w- C:\Com
2009-06-22 19:30 . 2009-06-22 19:31 -------- d-----w- C:\32788R22FWJFW.1.tmp
2009-06-22 19:30 . 2009-06-22 19:30 -------- d-----w- C:\Fix
2009-06-22 19:30 . 2009-06-22 19:30 -------- d-----w- C:\32788R22FWJFW.0.tmp
2009-06-22 10:10 . 2009-06-22 10:10 -------- d-----w- c:\documents and settings\HPCC\Application Data\Malwarebytes
2009-06-22 10:07 . 2009-06-22 10:07 -------- d-----w- c:\program files\mwb
2009-06-21 21:24 . 2009-06-22 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-21 21:03 . 2009-06-22 18:02 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-21 17:10 . 2009-06-22 18:01 -------- d-----w- c:\program files\Lavasoft
2009-06-21 17:10 . 2009-06-21 17:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-21 07:28 . 2009-06-18 08:58 2052888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-20 14:55 . 2009-06-17 10:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-20 14:55 . 2009-06-22 12:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-20 14:55 . 2009-06-20 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-20 14:55 . 2009-06-17 10:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-18 08:59 . 2009-06-09 07:49 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-06-18 08:59 . 2009-06-09 07:49 1261344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll
2009-06-18 08:59 . 2009-06-09 07:49 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-06-16 09:06 . 2009-06-16 09:06 -------- d-----w- c:\documents and settings\HPCC\Local Settings\Application Data\Sage
2009-06-16 09:00 . 2009-06-16 09:00 -------- d-----w- c:\program files\Common Files\InstallEngine
2009-06-16 08:57 . 2009-06-16 08:57 -------- d-----w- c:\program files\Common Files\Sage Shared
2009-06-16 08:55 . 2009-06-16 08:57 -------- d-----w- c:\program files\Common Files\Sage Line50
2009-06-16 08:55 . 2009-06-16 09:07 -------- d-----w- c:\program files\Common Files\Sage SBD
2009-06-16 08:55 . 2009-06-16 09:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Sage
2009-06-16 08:55 . 2009-06-16 08:58 -------- d-----w- c:\program files\Common Files\Sage Report Designer 2007
2009-06-16 08:54 . 2009-06-16 08:54 -------- d-----w- c:\program files\Sage
2009-06-09 12:08 . 2009-06-09 12:08 -------- d-----w- c:\documents and settings\HPCC\Local Settings\Application Data\AVG Security Toolbar
2009-06-09 08:23 . 2009-06-09 08:24 -------- d-----w- c:\documents and settings\HPCC\Local Settings\Application Data\Deployment
2009-06-09 08:22 . 2009-06-02 12:38 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-09 07:50 . 2009-06-09 07:49 826344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe
2009-06-09 07:49 . 2009-06-11 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-09 07:48 . 2009-06-09 07:48 1452312 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-06-01 07:14 . 2008-02-22 14:33 14976 ----a-w- c:\windows\system32\drivers\sscdmdfl.sys
2009-06-01 07:14 . 2008-02-22 14:33 12160 ----a-w- c:\windows\system32\drivers\sscdwhnt.sys
2009-06-01 07:14 . 2008-02-22 14:33 12160 ----a-w- c:\windows\system32\drivers\sscdwh.sys
2009-06-01 07:14 . 2008-02-22 14:33 114304 ----a-w- c:\windows\system32\drivers\sscdmdm.sys
2009-06-01 07:14 . 2008-02-22 14:33 87936 ----a-w- c:\windows\system32\drivers\sscdbus.sys
2009-06-01 07:14 . 2008-02-22 14:33 12160 ----a-w- c:\windows\system32\drivers\sscdcmnt.sys
2009-06-01 07:14 . 2008-02-22 14:33 12160 ----a-w- c:\windows\system32\drivers\sscdcm.sys
2009-06-01 07:14 . 2009-06-01 07:14 -------- d-----w- c:\windows\system32\Samsung_USB_Drivers
2009-06-01 07:14 . 2009-01-08 08:42 36608 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
2009-06-01 07:14 . 2009-01-08 08:42 233472 ----a-w- c:\windows\system32\FsUsbExService.Exe
2009-06-01 07:14 . 2009-01-08 08:42 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll
2009-06-01 07:14 . 2009-06-01 07:14 -------- d-----w- c:\documents and settings\HPCC\Application Data\Samsung
2009-06-01 07:13 . 2009-06-01 07:13 -------- d-----w- c:\program files\MarkAny
2009-06-01 07:13 . 2009-06-01 07:13 -------- d-----w- c:\program files\Samsung

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-23 12:44 . 2007-04-20 15:26 85600 ----a-w- c:\documents and settings\HPCC\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-23 10:22 . 2006-01-30 19:15 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-23 07:24 . 2008-03-16 08:35 -------- d-----w- c:\program files\Macrogaming
2009-06-23 07:24 . 2007-04-05 10:03 -------- d-----w- c:\program files\Java
2009-06-22 17:37 . 2009-04-02 17:42 -------- d-----w- c:\program files\Cheat Engine
2009-06-20 10:11 . 2008-03-10 20:24 -------- d-----w- c:\program files\Windows Live Toolbar
2009-06-18 08:58 . 2007-04-05 10:18 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 09:00 . 2007-01-15 17:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-14 06:08 . 2007-04-05 10:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-09 07:49 . 2009-03-27 16:37 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-01 07:14 . 2007-12-25 11:51 -------- d-----w- c:\program files\DIFX
2009-05-28 10:15 . 2008-08-06 08:54 34 ----a-w- c:\documents and settings\HPCC\jagex_runescape_preferences.dat
2009-05-07 15:32 . 2006-01-30 17:59 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2006-01-30 17:59 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2006-01-30 17:59 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-26 14:47 . 2008-11-03 22:07 -------- d-----w- c:\documents and settings\HPCC\Application Data\Ahead
2009-04-25 07:41 . 2009-03-27 16:37 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-04-25 07:41 . 2009-03-27 16:37 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-25 07:40 . 2009-03-27 16:37 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-04-17 12:26 . 2006-01-30 17:59 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2006-01-30 17:59 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-07 18:51 . 2009-04-07 18:51 127 ----a-w- c:\documents and settings\HPCC\Local Settings\Application Data\fusioncache.dat
2002-04-16 09:27 . 2002-04-16 09:27 5 --sha-w- c:\windows\system32\CdI5T.drv
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\flfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\rlfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\TMail3FL.SYS
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\TMailRL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-06-22_20.06.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-01-30 17:59 . 2008-04-14 00:12 76288 c:\windows\system32\taskkill.exe
+ 2006-01-30 17:58 . 2008-04-14 00:12 71680 c:\windows\system32\systeminfo.exe
+ 2006-01-30 17:59 . 2008-04-14 00:12 57856 c:\windows\system32\synceng.dll
- 2006-01-30 17:59 . 2004-08-04 12:00 57856 c:\windows\system32\synceng.dll
- 2006-01-30 17:59 . 2004-08-04 12:00 14336 c:\windows\system32\svchost.exe
+ 2006-01-30 17:59 . 2008-04-14 00:12 14336 c:\windows\system32\svchost.exe
- 2006-01-30 17:59 . 2004-08-04 12:00 75776 c:\windows\system32\strmfilt.dll
+ 2006-01-30 17:59 . 2008-04-14 00:12 75776 c:\windows\system32\strmfilt.dll
+ 2006-01-30 19:07 . 2008-04-14 00:12 74752 c:\windows\system32\storprop.dll
- 2006-01-30 19:07 . 2004-08-04 00:56 74752 c:\windows\system32\storprop.dll
+ 2006-01-30 17:59 . 2008-04-14 00:12 14848 c:\windows\system32\stimon.exe
- 2006-01-30 17:59 . 2004-08-04 12:00 14848 c:\windows\system32\stimon.exe
+ 2006-01-30 17:59 . 2008-04-14 00:12 68096 c:\windows\system32\sti.dll
+ 2006-01-30 19:12 . 2008-04-14 00:12 59392 c:\windows\system32\stclient.dll
- 2006-01-30 17:59 . 2004-08-04 12:00 14336 c:\windows\system32\ssstars.scr
+ 2006-01-30 17:59 . 2008-04-14 00:12 14336 c:\windows\system32\ssstars.scr
+ 2006-01-30 17:59 . 2008-04-14 00:12 18944 c:\windows\system32\ssmyst.scr
- 2006-01-30 17:59 . 2004-08-04 12:00 18944 c:\windows\system32\ssmyst.scr
+ 2006-01-30 17:59 . 2008-04-14 00:12 47104 c:\windows\system32\ssmypics.scr
- 2006-01-30 17:59 . 2004-08-04 12:00 47104 c:\windows\system32\ssmypics.scr
- 2006-01-30 17:59 . 2004-08-04 12:00 20992 c:\windows\system32\ssmarque.scr
+ 2006-01-30 17:59 . 2008-04-14 00:12 20992 c:\windows\system32\ssmarque.scr
- 2006-01-30 17:59 . 2004-08-04 12:00 71680 c:\windows\system32\ssdpsrv.dll
+ 2006-01-30 17:59 . 2008-04-14 00:12 71680 c:\windows\system32\ssdpsrv.dll
- 2006-01-30 17:59 . 2004-08-04 12:00 34816 c:\windows\system32\ssdpapi.dll
+ 2006-01-30 17:59 . 2008-04-14 00:12 34816 c:\windows\system32\ssdpapi.dll
- 2006-01-30 17:59 . 2004-08-04 12:00 19968 c:\windows\system32\ssbezier.scr
+ 2006-01-30 17:59 . 2008-04-14 00:12 19968 c:\windows\system32\ssbezier.scr
+ 2006-01-30 17:59 . 2008-04-14 00:12 96768 c:\windows\system32\srvsvc.dll
- 2006-01-30 17:59 . 2004-12-07 19:32 96768 c:\windows\system32\srvsvc.dll
+ 2006-01-30 19:14 . 2008-04-14 00:12 67584 c:\windows\system32\srclient.dll
- 2006-01-30 19:14 . 2004-08-04 12:00 67584 c:\windows\system32\srclient.dll
+ 2008-09-06 00:18 . 2008-04-14 00:12 20992 c:\windows\system32\spupdwxp.exe
+ 2006-01-30 19:25 . 2007-08-10 19:46 26488 c:\windows\system32\spupdsvc.exe
- 2006-01-30 19:25 . 2008-07-09 07:38 26488 c:\windows\system32\spupdsvc.exe
+ 2006-01-30 17:59 . 2008-04-14 00:12 57856 c:\windows\system32\spoolsv.exe
- 2006-01-30 17:59 . 2005-06-10 23:53 57856 c:\windows\system32\spoolsv.exe
+ 2006-01-30 17:59 . 2008-04-14 00:12 75264 c:\windows\system32\spoolss.dll
+ 2006-01-30 17:59 . 2008-04-14 04:42 11264 c:\windows\system32\spnpinst.exe
- 2007-05-09 10:41 . 2008-07-09 07:38 17272 c:\windows\system32\spmsg.dll
+ 2007-05-09 10:41 . 2007-11-30 11:18 17272 c:\windows\system32\spmsg.dll
+ 2006-01-30 17:59 . 2008-04-13 18:43 12800 c:\windows\system32\spiisupd.exe
- 2006-01-30 17:59 . 2004-08-04 12:00 12800 c:\windows\system32\spiisupd.exe
+ 2006-01-30 17:59 . 2008-04-14 00:12 24576 c:\windows\system32\sort.exe
- 2006-01-30 17:59 . 2004-08-04 12:00 18944 c:\windows\system32\snmpapi.dll
+ 2006-01-30 17:59 . 2008-04-14 00:12 18944 c:\windows\system32\snmpapi.dll
+ 2008-09-06 00:16 . 2008-04-14 00:12 10752 c:\windows\system32\smtpapi.dll
- 2006-01-30 17:59 . 2004-08-04 12:00 50688 c:\windows\system32\smss.exe
+ 2006-01-30 17:59 . 2008-04-14 00:12 50688 c:\windows\system32\smss.exe
- 2006-01-30 17:59 . 2004-08-04 12:00 89600 c:\windows\system32\smlogsvc.exe
+ 2006-01-30 17:59 . 2008-04-14 00:12 89600 c:\windows\system32\smlogsvc.exe
+ 2008-09-06 00:18 . 2008-04-14 00:12 73796 c:\windows\system32\slserv.exe
+ 2008-09-06 00:18 . 2008-04-14 00:12 32866 c:\windows\system32\slrundll.exe
+ 2008-09-06 00:18 . 2008-04-14 00:12 73832 c:\windows\system32\slcoinst.dll
- 2006-01-30 17:59 . 2004-08-04 12:00 98304 c:\windows\system32\slbiop.dll
+ 2006-01-30 17:59 . 2008-04-14 00:12 98304 c:\windows\system32\slbiop.dll
+ 2006-01-30 17:59 . 2008-04-14 00:12 25088 c:\windows\system32\slayerxp.dll
- 2006-01-30 17:59 . 2004-08-04 12:00 25088 c:\windows\system32\slayerxp.dll
- 2006-01-30 17:59 . 2004-08-04 12:00 26112 c:\windows\system32\skeys.exe
+ 2006-01-30 17:59 . 2008-04-14 00:12 26112 c:\windows\system32\skeys.exe
- 2006-01-30 17:59 . 2004-08-04 12:00 70144 c:\windows\system32\sigverif.exe
+ 2006-01-30 17:59 . 2008-04-14 00:12 70144 c:\windows\system32\sigverif.exe
+ 2006-01-30 17:59 . 2008-04-14 00:12 13312 c:\windows\system32\sigtab.dll
- 2006-01-30 17:59 . 2004-08-04 12:00 13312 c:\windows\system32\sigtab.dll
- 2006-01-30 17:59 . 2004-08-04 12:00 19456 c:\windows\system32\shutdown.exe
+ 2006-01-30 17:59 . 2008-04-14 00:12 19456 c:\windows\system32\shutdown.exe


surreyfrog
(regular)
Tue Jun 23 2009 10:25 PM
Re: browser redirecting etc

I was not able to post all the combofix log due to its size

IT WAS 160 PAGES IN NOTEPAD

Here is HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:55:08, on 23/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\HPCC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HPCC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HPCC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 5796 bytes


Joe_London
(HijackThis Helper)
Tue Jun 23 2009 11:03 PM
Re: browser redirecting etc

OK thanks, I shall be out tomorrow so it will probably be sometime in the afternoon before getting back to you.

Joe.


Joe_London
(HijackThis Helper)
Wed Jun 24 2009 02:25 PM
Re: browser redirecting etc

Open Hijackthis, take another scan and place a checkmark next to these entries.


O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


Close all open Windows except Hijackthis and click on "fix Checked".

Reboot the computer.

Copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad*

Copy and paste all the text in the quotebox below into it:

Quote:


KillAll::

Folder::
c:\program files\Lavasoft

ADS::
C:\windows\system32






Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.





Referring to the picture above, drag CFScript.txt into ComboFix.exe

This reactivates Combofix. Again follow the prompts.

It will create another System restore point.

When finished, it shall produce a log for you at C:\ComboFix.txt

Copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

I cannot find anything definitive about these drivers.

2002-04-16 09:27 . 2002-04-16 09:27 5 --sha-w- c:\windows\system32\CdI5T.drv
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\flfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\rlfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\TMail3FL.SYS
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\TMailRL.sys

Please go to Start | Run and then copy and paste in the following:
c:\windows\system32 and then click OK.

The system32 folder should now be open. Please scroll down, right-click each of the following files and rename them by adding old to the existing name, e.g.
CdI5T.drv to CdI5Told.drv
flfnlf.sys to flfnlfold.sys
rlfnlf.sys to rlfnlfold.sys
TMail3FL.SYS to TMail3FLold.SYS
TMailRL.sys to TMailRLold.sys

You will now need to monitor the computer over the next few days and let me know if something stops working. They may be related to something you've uninstalled earlier or something undesirable, so it's best to deal with them.

Please go to Start | All programs | Windows Update.
Make sure Automatic updates are turned on in the security centre and update your system including Internet Explorer.

Please go here and update your java to the latest version:
Java SE Runtime Environment (JRE)
JRE 6 Update 14
http://java.sun.com/javase/downloads/index.jsp

Post the following:
  1. The Combofix log.
  2. A new Hijackthis log
  3. A new Uninstall List.
  4. A full report.


This may not remove all the infections present. It is important that you post back and complete the fix.

Please post in this thread for further review and evaluation.
Please provide details of any problems you encountered whilst performing the above steps & update us on how the Computer is running.

Joe.
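
The two things picked out of the logs in the post above, the O2 entry ending in "(no file)" and the system32 files carrying both hidden and system attributes, can be pulled out of pasted logs mechanically. This is an added example, not part of the original thread and not code from HijackThis or ComboFix; the function names are assumptions, the line formats are inferred from the logs posted here, and the sample lines are copied from this thread.

```python
import re
from datetime import datetime

# HijackThis entry line: "<section> - <details>", e.g. "O2 - BHO: ...".
HJT_ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")

# ComboFix file-listing line: two timestamps, a size (or "--------" for a
# directory), an 8-character attribute field, then the path. Which timestamp
# is creation and which is modification depends on the report section, so
# they are kept neutral as ts1/ts2.
CF_ENTRY = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-{8})\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
"""

# Lines copied from the ComboFix listings posted in this thread.
SAMPLE_LISTING = r"""
2009-06-16 09:00 . 2007-01-15 17:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-25 07:41 . 2009-03-27 16:37 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2002-04-16 09:27 . 2002-04-16 09:27 5 --sha-w- c:\windows\system32\CdI5T.drv
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\flfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\rlfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\TMail3FL.SYS
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\TMailRL.sys
"""


def orphaned_hjt_entries(log_text):
    """Return (section, body) for HijackThis entries whose target is '(no file)'.

    These are registrations (BHOs, filters, ...) left behind after the file
    they pointed at has gone, so they are candidates for review.
    """
    hits = []
    for line in log_text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m and m.group("body").endswith("(no file)"):
            hits.append((m.group("section"), m.group("body")))
    return hits


def hidden_system_files(listing_text):
    """Return files (not directories) flagged both 's' (system) and 'h' (hidden).

    Each hit is a dict with path, size in bytes, attrs and the two parsed
    timestamps, in the order the lines appear in the listing.
    """
    fmt = "%Y-%m-%d %H:%M"
    hits = []
    for line in listing_text.splitlines():
        m = CF_ENTRY.match(line.strip())
        if not m:
            continue  # headers, separators, registry lines, etc.
        attrs = m.group("attrs")
        if attrs[0] == "d" or not m.group("size").isdigit():
            continue  # directory entry
        if "s" in attrs and "h" in attrs:
            hits.append({
                "path": m.group("path"),
                "size": int(m.group("size")),
                "attrs": attrs,
                "ts1": datetime.strptime(m.group("ts1"), fmt),
                "ts2": datetime.strptime(m.group("ts2"), fmt),
            })
    return hits


if __name__ == "__main__":
    for section, body in orphaned_hjt_entries(SAMPLE_HJT):
        print(f"[no file]       {section}: {body}")
    for f in hidden_system_files(SAMPLE_LISTING):
        print(f"[hidden+system] {f['size']:>6} bytes  {f['ts1']:%Y-%m-%d}  {f['path']}")
```

On the sample, the O18 x-sdch filter is flagged alongside the O2 BHO, while the instructions in the thread only fix the O2 entry, so the output is a review list rather than a fix list.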


surreyfrog
(regular)
Wed Jun 24 2009 06:04 PM
Re: browser redirecting etc

Open Hijackthis, take another scan and place a checkmark next to these entries.


O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


Close all open Windows except Hijackthis and click on "fix Checked".

Reboot the computer.

****************************************
done
****************************************

Copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad*

Copy and paste all the text in the quotebox below into it:

Quote:


KillAll::

Folder::
c:\program files\Lavasoft

ADS::
C:\windows\system32






Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.





Referring to the picture above, drag CFScript.txt into ComboFix.exe

This reactivates Combofix. Again follow the prompts.

It will create another System restore point.

When finished, it shall produce a log for you at C:\ComboFix.txt

Copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.

*********************************************
done: logs are below:

ComboFix 09-06-21.01 - HPCC 24/06/2009 16:14.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.433 [GMT 1:00]
Running from: c:\documents and settings\HPCC\Desktop\surreyfrog.exe
Command switches used :: c:\documents and settings\HPCC\Desktop\CFScript.txt
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Lavasoft

.
((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 )))))))))))))))))))))))))))))))
.

2009-07-02 17:24 . 2009-07-02 17:24 -------- d-----w- c:\program files\LG Electronics
2009-07-02 17:21 . 2007-11-08 15:26 1164728 ----a-w- c:\windows\system32\NMSDVDXU.dll
2009-07-02 17:21 . 2009-07-02 17:21 -------- d-----w- c:\documents and settings\HPCC\Application Data\LG Electronics
2009-07-02 17:21 . 2009-07-02 17:22 -------- d-----w- c:\program files\LG PC Suite II
2009-07-02 17:20 . 2009-07-02 17:20 -------- d-----w- c:\documents and settings\HPCC\Application Data\InstallShield
2009-06-29 10:09 . 2009-06-29 10:09 -------- d-----w- c:\program files\CAM Development
2009-06-24 15:11 . 2009-06-24 15:12 -------- d-s---w- C:\dave
2009-06-23 19:29 . 2009-06-23 19:29 -------- d-----w- c:\program files\Trend Micro
2009-06-23 10:17 . 2009-06-23 10:17 -------- d-----w- c:\windows\system32\scripting
2009-06-23 10:17 . 2009-06-23 10:17 -------- d-----w- c:\windows\l2schemas
2009-06-23 10:17 . 2009-06-23 10:17 -------- d-----w- c:\windows\system32\en
2009-06-23 10:17 . 2009-06-23 10:17 -------- d-----w- c:\windows\system32\bits
2009-06-23 10:10 . 2009-06-23 10:18 -------- d-----w- c:\windows\ServicePackFiles
2009-06-22 19:31 . 2009-06-22 19:31 -------- d-----w- C:\Com
2009-06-22 19:30 . 2009-06-22 19:31 -------- d-----w- C:\32788R22FWJFW.1.tmp
2009-06-22 19:30 . 2009-06-22 19:30 -------- d-----w- C:\Fix
2009-06-22 19:30 . 2009-06-22 19:30 -------- d-----w- C:\32788R22FWJFW.0.tmp
2009-06-22 10:10 . 2009-06-22 10:10 -------- d-----w- c:\documents and settings\HPCC\Application Data\Malwarebytes
2009-06-22 10:07 . 2009-06-22 10:07 -------- d-----w- c:\program files\mwb
2009-06-21 21:24 . 2009-06-22 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-21 21:03 . 2009-06-22 18:02 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-21 17:10 . 2009-06-21 17:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-21 07:28 . 2009-06-18 08:58 2052888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-20 14:55 . 2009-06-17 10:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-20 14:55 . 2009-06-22 12:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-20 14:55 . 2009-06-20 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-20 14:55 . 2009-06-17 10:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-18 08:59 . 2009-06-09 07:49 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-06-18 08:59 . 2009-06-09 07:49 1261344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll
2009-06-18 08:59 . 2009-06-09 07:49 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-06-16 09:06 . 2009-06-16 09:06 -------- d-----w- c:\documents and settings\HPCC\Local Settings\Application Data\Sage
2009-06-16 09:00 . 2009-06-16 09:00 -------- d-----w- c:\program files\Common Files\InstallEngine
2009-06-16 08:57 . 2009-06-16 08:57 -------- d-----w- c:\program files\Common Files\Sage Shared
2009-06-16 08:55 . 2009-06-16 08:57 -------- d-----w- c:\program files\Common Files\Sage Line50
2009-06-16 08:55 . 2009-06-16 09:07 -------- d-----w- c:\program files\Common Files\Sage SBD
2009-06-16 08:55 . 2009-06-16 09:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Sage
2009-06-16 08:55 . 2009-06-16 08:58 -------- d-----w- c:\program files\Common Files\Sage Report Designer 2007
2009-06-16 08:54 . 2009-06-16 08:54 -------- d-----w- c:\program files\Sage
2009-06-09 12:08 . 2009-06-09 12:08 -------- d-----w- c:\documents and settings\HPCC\Local Settings\Application Data\AVG Security Toolbar
2009-06-09 08:23 . 2009-06-09 08:24 -------- d-----w- c:\documents and settings\HPCC\Local Settings\Application Data\Deployment
2009-06-09 08:22 . 2009-06-02 12:38 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-09 07:50 . 2009-06-09 07:49 826344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe
2009-06-09 07:49 . 2009-06-11 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-09 07:48 . 2009-06-09 07:48 1452312 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-06-01 07:14 . 2008-02-22 14:33 14976 ----a-w- c:\windows\system32\drivers\sscdmdfl.sys
2009-06-01 07:14 . 2008-02-22 14:33 12160 ----a-w- c:\windows\system32\drivers\sscdwhnt.sys
2009-06-01 07:14 . 2008-02-22 14:33 12160 ----a-w- c:\windows\system32\drivers\sscdwh.sys
2009-06-01 07:14 . 2008-02-22 14:33 114304 ----a-w- c:\windows\system32\drivers\sscdmdm.sys
2009-06-01 07:14 . 2008-02-22 14:33 87936 ----a-w- c:\windows\system32\drivers\sscdbus.sys
2009-06-01 07:14 . 2008-02-22 14:33 12160 ----a-w- c:\windows\system32\drivers\sscdcmnt.sys
2009-06-01 07:14 . 2008-02-22 14:33 12160 ----a-w- c:\windows\system32\drivers\sscdcm.sys
2009-06-01 07:14 . 2009-06-01 07:14 -------- d-----w- c:\windows\system32\Samsung_USB_Drivers
2009-06-01 07:14 . 2009-01-08 08:42 36608 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
2009-06-01 07:14 . 2009-01-08 08:42 233472 ----a-w- c:\windows\system32\FsUsbExService.Exe
2009-06-01 07:14 . 2009-01-08 08:42 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll
2009-06-01 07:14 . 2009-06-01 07:14 -------- d-----w- c:\documents and settings\HPCC\Application Data\Samsung
2009-06-01 07:13 . 2009-06-01 07:13 -------- d-----w- c:\program files\MarkAny
2009-06-01 07:13 . 2009-06-01 07:13 -------- d-----w- c:\program files\Samsung

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-23 12:44 . 2007-04-20 15:26 85600 ----a-w- c:\documents and settings\HPCC\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-23 10:22 . 2006-01-30 19:15 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-23 07:24 . 2008-03-16 08:35 -------- d-----w- c:\program files\Macrogaming
2009-06-23 07:24 . 2007-04-05 10:03 -------- d-----w- c:\program files\Java
2009-06-22 17:37 . 2009-04-02 17:42 -------- d-----w- c:\program files\Cheat Engine
2009-06-20 10:11 . 2008-03-10 20:24 -------- d-----w- c:\program files\Windows Live Toolbar
2009-06-18 08:58 . 2007-04-05 10:18 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 09:00 . 2007-01-15 17:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-14 06:08 . 2007-04-05 10:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-09 07:49 . 2009-03-27 16:37 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-01 07:14 . 2007-12-25 11:51 -------- d-----w- c:\program files\DIFX
2009-05-28 10:15 . 2008-08-06 08:54 34 ----a-w- c:\documents and settings\HPCC\jagex_runescape_preferences.dat
2009-05-07 15:32 . 2006-01-30 17:59 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2006-01-30 17:59 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2006-01-30 17:59 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-26 14:47 . 2008-11-03 22:07 -------- d-----w- c:\documents and settings\HPCC\Application Data\Ahead
2009-04-25 07:41 . 2009-03-27 16:37 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-04-25 07:41 . 2009-03-27 16:37 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-25 07:40 . 2009-03-27 16:37 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-04-17 12:26 . 2006-01-30 17:59 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2006-01-30 17:59 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-07 18:51 . 2009-04-07 18:51 127 ----a-w- c:\documents and settings\HPCC\Local Settings\Application Data\fusioncache.dat
2002-04-16 09:27 . 2002-04-16 09:27 5 --sha-w- c:\windows\system32\CdI5T.drv
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\flfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\rlfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\TMail3FL.SYS
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\TMailRL.sys
.

((((((((((((((((((((((((((((( SnapShot_2009-06-23_20.43.50 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-25 07:41 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [3/27/2009 5:37 PM 12552]
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [11/8/2008 12:10 PM 40464]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/27/2009 5:37 PM 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/27/2009 5:37 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/27/2009 5:37 PM 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/27/2009 5:37 PM 298776]
R3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [1/15/2007 6:40 PM 659456]
S2 azkl;azkl;c:\windows\system32\drivers\tcym.sys --> c:\windows\system32\drivers\tcym.sys [?]
S2 Ca536av;DV 5900(Video);c:\windows\system32\drivers\Ca536av.sys [3/30/2008 2:57 PM 514859]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [6/1/2009 8:14 AM 36608]
S3 USBCamera;DV 5900(Still);c:\windows\system32\drivers\Bulk536.sys [3/30/2008 2:57 PM 11048]
S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [6/1/2009 8:14 AM 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-06-24 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-06-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3121785044-16713964-2988421403-1005.job
- c:\documents and settings\HPCC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-09 08:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-24 16:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4040)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\windows\system32\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Nero\Nero 7\Nero BackItUp\NBService.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-24 16:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-24 15:43
ComboFix2.txt 2009-06-23 20:49
ComboFix3.txt 2009-06-22 20:08

Pre-Run: 32,857,935,872 bytes free
Post-Run: 32,837,455,872 bytes free

210 --- E O F --- 2009-06-23 19:36






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:01:32, on 24/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\HPCC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HPCC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HPCC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 5755 bytes









***********************************************

*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

I cannot find anything definitive about these drivers.

2002-04-16 09:27 . 2002-04-16 09:27 5 --sha-w- c:\windows\system32\CdI5T.drv
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\flfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\rlfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\TMail3FL.SYS
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\TMailRL.sys

Please go to Start | Run and then copy and paste in the following:
c:\windows\system32 and then click OK.

The system32 folder should now be open. Please scroll down, right-click each of the following files and rename them by adding old to the existing name, e.g.
CdI5T.drv to CdI5Told.drv
flfnlf.sys to flfnlfold.sys
rlfnlf.sys to rlfnlfold.sys
TMail3FL.SYS to TMail3FLold.SYS
TMailRL.sys to TMailRLold.sys

********************************************************************
none of those files were in the system32 folder
*******************************************************************

You will now need to monitor the computer over the next few days and let me know if something stops working. They may be related to something you've uninstalled earlier or something undesirable so it's best to deal with them.

Please go to Start | All programs | Windows Update.
Make sure Automatic updates are turned on in the security centre and update your system including Internet Explorer.

******************************************************************
done
*******************************************************************

Please go here and update your java to the latest version:
Java SE Runtime Environment (JRE)
JRE 6 Update 14
http://java.sun.com/javase/downloads/index.jsp

***********************************************************************
I went there, selected windows/multilanguage as the platform, got this:

We were unable to detect a recent version of Java Runtime Environment (JRE) on your system. With the latest JRE, you can automatically download, install, and run Sun Download Manager (SDM) directly from this page. We highly recommend SDM to easily manage your downloads (pause, resume, restart, verify, and more). Visit java.com for the latest JRE.

***************************************************************************

Post the following:
  1. The Combofix log.
  2. A new Hijackthis log

    ***************************************************************************
    see above
    **************************************************************************
  3. A new Uninstall List.

    **************************************************************************
    2007 Microsoft Office system
    3DVIA Player 4.1
    Adobe AIR
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0.8
    Adobe Shockwave Player
    Adobe® Photoshop® Album Starter Edition 3.0
    Apple Mobile Device Support
    Apple Software Update
    AVG 8.5
    CAM UnZip 4.42
    Cheat Engine 5.3
    Cheat Engine 5.5
    Conexant HD Audio
    Critical Update for Windows Media Player 11 (KB959772)
    Driver Detective
    DV 5900
    EphPod
    Express Burn
    Free Studio version 4.1
    Gabbasoft Cube Demo
    Google Earth
    Google SketchUp 6
    Google SketchUp 6 Exporters
    Google SketchUp LayOut 6
    Google SketchUp Pro 6
    Google Toolbar for Internet Explorer
    Google Toolbar for Internet Explorer
    Highlight Viewer (Windows Live Toolbar)
    HijackThis 2.0.2
    Home Media Server 4.0.0.0072
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotkey 1.0.4
    InterActual Player
    iTunes
    LG MC USB Modem driver
    LG PC Suite II
    Macrogaming SweetIM 2.1
    Malwarebytes' Anti-Malware
    Map Button (Windows Live Toolbar)
    Messenger Plus! Live
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Hybrid 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Movavi Video Converter 6
    Mozilla Firefox (3.0.8)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    Musicnotes Player V1.22.3
    Nero 7 Essentials
    Nero BackItUp 2 Essentials
    neroxml
    Nokia Connectivity Cable Driver
    Nokia Lifeblog 2.1
    Nokia MTP driver
    Nokia PC Connectivity Solution
    Nokia PC Suite
    Nokia Software Launcher
    Paragon Drive Backup™ 9.0 Express
    Photo Story 3 for Windows
    Photo Viewer 2.25
    Pivot Stickfigure Animator
    PowerDVD
    QuickTime
    Quivic
    Sage Instant Accounts v14
    SAMSUNG Mobile Composite Device Software
    SAMSUNG Mobile Modem Driver Set
    Samsung Mobile phone USB driver Software
    SAMSUNG Mobile USB Modem 1.0 Software
    SAMSUNG Mobile USB Modem Software
    Samsung New PC Studio
    Samsung New PC Studio
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB969679)
    Security Update for Microsoft Office Excel 2007 (KB969682)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office Word 2007 (KB969604)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Sibelius Scorch
    Sibelius Scorch (ActiveX Only)
    Smart Menus (Windows Live Toolbar)
    Soft Data Fax Modem with SmartCP
    Switch
    The Sims 2
    U211 DVD 2
    Ulead Photo Explorer 8.0 SE Basic
    Uninstall 1.0.0.1
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office Outlook 2007 (KB969907)
    Update for Outlook 2007 Junk Email Filter (kb970012)
    Update for Windows Internet Explorer 8 (KB971930)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    VIA Platform Device Manager
    VIA Rhine-Family Fast Ethernet Adapter
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WavePad Uninstall
    Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
    Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
    Windows Driver Package - Nokia Modem (06/12/2006 6.81.0.21)
    Windows Internet Explorer 8
    Windows Live Favorites for Windows Live Toolbar
    Windows Live installer
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Toolbar
    Windows Live Toolbar
    Windows Live Toolbar Extension (Windows Live Toolbar)
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 11
    Windows XP Service Pack 3
    Xdrive Desktop Lite
    Xdrive Desktop Lite



    **************************************************************************
  4. A full report.


This may not remove all the infections present. It is important that you post back and complete the fix.

Please post in this thread for further review and evaluation.
Please provide details of any problems you encountered whilst performing the above steps & update us on how the Computer is running.

Joe.


Joe_London
(HijackThis Helper)
Wed Jun 24 2009 07:28 PM
Re: browser redirecting etc

Quote:


none of those files were in the system32 folder




They may be hidden.

Windows XP

To enable the viewing of Hidden files follow these steps:

Close all programs so that you are at your desktop.
Double-click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labelled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labelled Show hidden files and folders.
Remove the checkmark from the checkbox labelled Hide file extensions for known file types.
Remove the checkmark from the checkbox labelled Hide protected operating system files.
Press the Apply button and then the OK button and shut down My Computer.
Now your computer is configured to show all hidden files.

Quote:


I went there, selected windows/multilanguage as the platform, got this:

We were unable to detect a recent version of Java Runtime Environment (JRE) on your system. With the latest JRE, you can automatically download, install, and run Sun Download Manager (SDM) directly from this page. We highly recommend SDM to easily manage your downloads (pause, resume, restart, verify, and more). Visit java.com for the latest JRE.




Ignore that message and continue to install the update.

Sorry I missed this undesirable programme.
Messenger Plus! Live

A LOP infection usually comes bundled with Messenger Plus if you did not reject the Lop sponsored advertising program during installation and updates. I recommend uninstalling Messenger Plus.

To do so:

Go to Add/Remove programs. Double click on "Messenger Plus!" (or click on Remove)

Then remove Messenger Plus from the hard drive: open Windows Explorer, navigate to:
C:\Program Files\Messenger Plus! 3.7
Then delete the folder and contents.

Did you update to IE 8? The HJT log is still showing IE 7.

Please download the latest version of Ccleaner to your desktop and then install it from there. Be careful during the install process and reject anything that comes bundled with this programme such as toolbars etc. Do not allow it to run at start-up. Once installed into its default location which is c:\program files\ccleaner either drag the install exe file into that folder or delete it.


To do:

You also need to add a third-party firewall. Let me know if you have any preferences.

Do not proceed just yet.

I'm currently using Comodo firewall along with Avast anti-virus, which is a good combination, and they are free. It would of course mean dumping your current AVG.

Let me know your decision please.

Post the following:
  1. A new List.
  2. The Requested Information and your usual report.


This may not remove all the infections present. It is important that you post back and complete the fix.

Please post in this thread for further review and evaluation.
Please provide details of any problems you encountered whilst performing the above steps & update us on how the Computer is running.

Joe.


surreyfrog
(regular)
Wed Jun 24 2009 10:43 PM
Re: browser redirecting etc

To enable the viewing of Hidden files follow these steps:

Close all programs so that you are at your desktop.
Double-click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labelled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labelled Show hidden files and folders.
Remove the checkmark from the checkbox labelled Hide file extensions for known file types.
Remove the checkmark from the checkbox labelled Hide protected operating system files.
Press the Apply button and then the OK button and shut down My Computer.
Now your computer is configured to show all hidden files.

***********************************************************************
done - was then able to rename all those files
***********************************************************************

Ignore that message and continue to install the update.

*****************************************************************
done - installed
****************************************************************

Sorry I missed this undesirable programme.
Messenger Plus! Live

A LOP infection usually comes bundled with Messenger Plus if you did not reject the Lop sponsored advertising program during installation and updates. I recommend uninstalling Messenger Plus.

To do so:

Go to Add/Remove programs. Double click on "Messenger Plus!" (or click on Remove)

Then remove Messenger Plus from the hard drive: open Windows Explorer, navigate to:
C:\Program Files\Messenger Plus! 3.7
Then delete the folder and contents.

************************************************************************
done - removed
************************************************************************


Did you update to IE 8? The HJT log is still showing IE 7.


**************************************************************************
now on IE8
**************************************************************************

Please download the latest version of Ccleaner to your desktop and then install it from there. Be careful during the install process and reject anything that comes bundled with this programme such as toolbars etc. Do not allow it to run at start-up. Once installed into its default location which is c:\program files\ccleaner either drag the install exe file into that folder or delete it.

****************************************************************************
done
***************************************************************************
To do:

You also need to add a third-party firewall. Let me know if you have any preferences.

Do not proceed just yet.

I'm currently using Comodo firewall along with Avast anti-virus, which is a good combination, and they are free. It would of course mean dumping your current AVG.

Let me know your decision please.

************************************************************************
I'll use what you use - will swap AVG to Avast
************************************************************************
Post the following:
  1. A new List.
  2. The Requested Information and your usual report.


************************************************************************
Joe - which lists/reports are needed now?
************************************************************************

This may not remove all the infections present. It is important that you post back and complete the fix.

Please post in this thread for further review and evaluation.
Please provide details of any problems you encountered whilst performing the above steps & update us on how the Computer is running.

Joe.




Joe_London
(HijackThis Helper)
Thu Jun 25 2009 10:39 AM
Re: browser redirecting etc

OK, you've done a great job. Leave things as they are for a few days and then post back and let me know if renaming those files had any adverse effect on any programmes you use?

Also let me know how the computer is running?

Joe.


surreyfrog
(regular)
Thu Jun 25 2009 10:49 AM
Re: browser redirecting etc

Joe, I'll post back in a few days' time.

In the meantime should I install the firewall you recommended?

If I do, would it run as well as the windows firewall or should I turn the windows firewall off?

Joe, you have been an incredible help. I would have been stuck without you. You have my and my wife's thanks for all the time and effort you have put into solving this problem.


Joe_London
(HijackThis Helper)
Thu Jun 25 2009 04:17 PM
Re: browser redirecting etc

Quote:


I'll post back in a few days' time.




That's fine.

Quote:

In the meantime should I install the firewall you recommended?




Best wait until last.

Quote:


If I do, would it run as well as the windows firewall or should I turn the windows firewall off?




Once the new firewall is installed turn off the windows version via the control panel.

Look forward to hearing from you later.

Joe.


surreyfrog
(regular)
Sun Jul 05 2009 12:40 PM
Re: browser redirecting etc

Joe - all running OK

Joe_London
(HijackThis Helper)
Sun Jul 05 2009 08:05 PM
Re: browser redirecting etc

That's great news.

Now you recall my instruction to rename those unidentified files:
Quote:


Please go to Start | Run and then copy and paste in the following:
c:\windows\system32 and then click OK.

The system32 folder should now be open. Please scroll down, right-click each of the following files and rename them by adding old to the existing name, e.g.
CdI5T.drv to CdI5Told.drv
flfnlf.sys to flfnlfold.sys
rlfnlf.sys to rlfnlfold.sys
TMail3FL.SYS to TMail3FLold.SYS
TMailRL.sys to TMailRLold.sys





Assuming you've not had any alerts please go back to Start | Run and then copy and paste in the following:
c:\windows\system32 and then click OK.

Now delete all those previously renamed files listed above from the system32 folder.

Go to this site and download the free version of Comodo firewall to your desktop:
http://personalfirewall.comodo.com/downl...&country=GB

Do not install it at this point.

Go to this site and download Avast Anti-virus to your desktop:
http://www.avast.com/eng/avast_4_home.html

Do not install it yet.

Post back your usual report when you've done.

Joe.


surreyfrog
(regular)
Mon Jul 06 2009 09:28 AM
Re: browser redirecting etc



Now delete all those previously renamed files listed above from the system32 folder.

************************
done
************************

Go to this site and download the free version of Comodo firewall to your desktop:
Do not install it at this point.

*********************************
done IT SAYS FIREWALL PLUS ANTIVIRUS
*********************************

Go to this site and download Avast Anti-virus to your desktop:
Do not install it yet.

*********************************
done
*********************************

Post back your usual report when you've done.


Joe_London
(HijackThis Helper)
Mon Jul 06 2009 10:01 AM
Re: browser redirecting etc

We need to remove Combofix. This should work but may not as we renamed it. Try it and let me know how you get on?

  • Click START then RUN
  • Now type or copy and paste Combofix /u in the runbox and click OK (case insensitive)
  • If shown the disclaimer, select "2"

In a little while the above procedure will:
  • Delete ComboFix and its associated files and folders.


Also re-hide hidden files and folders.

Basically you need to reverse the earlier steps. See here:

http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp


surreyfrog
(regular)
Mon Jul 06 2009 11:52 AM
Re: browser redirecting etc

We need to remove Combofix.

*****************************
done
*****************************

Also re-hide hidden files and folders.

**************************************
done
***************************************


Joe_London
(HijackThis Helper)
Mon Jul 06 2009 02:05 PM
Re: browser redirecting etc

Good work.

Now uninstall AVG Anti-virus and delete its folder from the hard drive. This is usually located in C:\Grisoft or C:\AVG

Once that's done install Avast Anti-virus. Please use the Custom install and be careful not to accept anything bundled such as browser helper objects or toolbars etc and only install the Anti-virus.

Once all that's done and you're happy it's OK, install the Comodo firewall you downloaded earlier.

Again use the custom install rejecting any bundled stuff. Make sure you install the firewall only and nothing else. Reject the Anti-virus part and also reject the Defense plus part.

Any queries post back before proceeding.

Hope it all goes well. The usual report when complete please.

Finally on a different note make sure you have enabled private messages at Web-user.

Note


surreyfrog
(regular)
Tue Jul 07 2009 11:51 AM
Re: browser redirecting etc

Joe

all done as per your last post.

private messages enabled/ replied.

Thank you so much for all your help.


Joe_London
(HijackThis Helper)
Tue Jul 07 2009 01:42 PM
Re: browser redirecting etc

I think that's all we have to do. Let me know if I've forgotten anything. I hope you get used to the Avast update voice. If it annoys you I think it can be turned off.

Good luck,

Joe.


Joe_London
(HijackThis Helper)
Wed Jul 08 2009 08:55 AM
Re: browser redirecting etc

One thing I did forget and that is to check in the control panel security centre to ensure the following.
Click on the down arrows beside your firewall to make sure it's Comodo. Then do the same to Anti-virus to ensure it's Avast and also make sure Windows updates are on.

Then go back to the control panel and click on Windows firewall. Make sure it is set to off.

Joe.



© Copyright IPC Media Limited 2009, All rights reserved