surreyfrog
regular
Reg'd: Tue
Posts: 80
I was not able to post all the combofix log due to its size
IT WAS 160 PAGES IN NOTEPAD
Here is HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:55:08, on 23/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\HPCC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HPCC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HPCC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

-- End of file - 5796 bytes
Joe_London
HijackThis Helper
Reg'd: Tue
Posts: 11788
Loc: London
OK thanks, I shall be out tomorrow so it will probably be sometime in the afternoon before getting back to you.
Joe.
-------------------- If I've helped you and saved you money please consider a donation to support my work :
Member of UNITE and ASAP.
Joe_London
HijackThis Helper
Reg'd: Tue
Posts: 11788
Loc: London
Open Hijackthis, take another scan and place a checkmark next to these entries.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Close all open Windows except Hijackthis and click on "fix Checked".
Reboot the computer.
Copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Open *notepad*
Copy and paste all the text in the quotebox below into it:
Quote:
KillAll::
Folder:: c:\program files\Lavasoft
ADS:: C:\windows\system32
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This reactivates Combofix. Again follow the prompts.
It will create another System restore point.
When finished, it shall produce a log for you at C:\ComboFix.txt
Copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*
I cannot find anything definitive about these drivers.
2002-04-16 09:27 . 2002-04-16 09:27 5 --sha-w- c:\windows\system32\CdI5T.drv
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\flfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\rlfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\TMail3FL.SYS
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\TMailRL.sys
Please go to Start | Run and then copy and paste in the following: c:\windows\system32 and then click OK.
The system32 folder should now be open. Please scroll down, right-click each of the following files and rename them by adding "old" to the existing name, e.g.:
CdI5T.drv to CdI5Told.drv
flfnlf.sys to flfnlfold.sys
rlfnlf.sys to rlfnlfold.sys
TMail3FL.SYS to TMail3FLold.SYS
TMailRL.sys to TMailRLold.sys
You will now need to monitor the computer over the next few days and let me know if something stops working. They may be related to something you've uninstalled earlier or something undesirable, so it's best to deal with them.
Please go to Start | All Programs | Windows Update. Make sure Automatic Updates are turned on in the Security Centre and update your system including Internet Explorer.
Please go here and update your java to the latest version: Java SE Runtime Environment (JRE) JRE 6 Update 14 http://java.sun.com/javase/downloads/index.jsp
Post the following:
- The Combofix log.
- A new Hijackthis log
- A new Uninstall List.
- A full report.
This may not remove all the infections present. It is important that you post back and complete the fix.
Please post in this thread for further review and evaluation. Please provide details of any problems you encountered whilst performing the above steps & update us on how the Computer is running.
Joe.
-------------------- If I've helped you and saved you money please consider a donation to support my work :
Member of UNITE and ASAP.
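The driver triage Joe does by hand above (pick out the files in system32 that carry system+hidden attributes and timestamps from years before the OS was installed, then plan the "add old to the name" rename) can be done mechanically over a ComboFix file listing. The following is an added example written for this thread; it is not code from Joe, from ComboFix or from HijackThis. The sample listing is constructed from the kinds of lines the thread's log contains, the decoding of the attribute column (column 0 'd' = directory, column 2 's' = system, column 3 'h' = hidden) is an assumption made for the example, and the 2006-01-30 install-date threshold is taken from the creation stamps on the Windows binaries in this log.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed sample in ComboFix's file-listing format, one entry per line
# (the thread's paste ran them together). Not a real capture.
SAMPLE_LOG = """\
2009-04-25 07:41 . 2009-03-27 16:37 11952 ----a-w- c:\\windows\\system32\\avgrsstx.dll
2009-06-23 10:10 . 2009-06-23 10:18 -------- d-----w- c:\\windows\\ServicePackFiles
2009-06-16 09:00 . 2007-01-15 17:39 -------- d--h--w- c:\\program files\\InstallShield Installation Information
2002-04-16 09:27 . 2002-04-16 09:27 5 --sha-w- c:\\windows\\system32\\CdI5T.drv
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\\windows\\system32\\flfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\\windows\\system32\\rlfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\\windows\\system32\\TMail3FL.SYS
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\\windows\\system32\\TMailRL.sys
2009-04-29 04:56 . 2006-01-30 17:59 827392 ----a-w- c:\\windows\\system32\\wininet.dll
"""

# "<modified> . <created> <size or eight dashes> <attrs> <path>"
ENTRY_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>\S.*)$"
)


@dataclass(frozen=True)
class Entry:
    modified: str
    created: str
    size: Optional[int]   # None for directories (ComboFix prints dashes)
    attrs: str
    path: str

    # Attribute-column decoding is an assumption made for this example:
    # column 0 'd' = directory, column 2 's' = system, column 3 'h' = hidden.
    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def is_system(self) -> bool:
        return self.attrs[2] == "s"

    @property
    def is_hidden(self) -> bool:
        return self.attrs[3] == "h"


def parse_entries(text: str) -> List[Entry]:
    """Parse every file/directory line; banners, lone dots and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["modified"], m["created"], size, m["attrs"], m["path"]))
    return entries


def find_suspects(entries: List[Entry],
                  folder: str = r"c:\windows\system32",
                  install_date: str = "2006-01-30") -> List[Entry]:
    """Files under `folder` (and below) that are both system and hidden, or whose
    creation stamp predates the OS install. ISO-style stamps compare as strings.
    install_date is an assumed value read off the Windows binaries in this log."""
    prefix = folder.lower().rstrip("\\") + "\\"
    suspects = []
    for e in entries:
        if e.is_dir or not e.path.lower().startswith(prefix):
            continue
        if (e.is_system and e.is_hidden) or e.created < install_date:
            suspects.append(e)
    return suspects


def rename_plan(entries: List[Entry]) -> Dict[str, str]:
    """Map each path to the neutralised name under the thread's convention:
    'old' inserted before the extension, e.g. CdI5T.drv -> CdI5Told.drv."""
    plan = {}
    for e in entries:
        p = PureWindowsPath(e.path)
        plan[e.path] = str(p.with_name(p.stem + "old" + p.suffix))
    return plan


if __name__ == "__main__":
    suspects = find_suspects(parse_entries(SAMPLE_LOG))
    for src, dst in rename_plan(suspects).items():
        print(f"{src}  ->  {dst}")
```

The script only produces the list and the rename plan; it deliberately does not touch the files, so the operator still decides, as in the thread, whether each rename is safe and can watch for anything that stops working afterwards. Note that a file which is absent from the listing (as surreyfrog later reports for these five) simply yields no entry, which is itself useful information: ComboFix's KillAll/ADS pass may already have removed it.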
surreyfrog
regular
Reg'd: Tue
Posts: 80
Open Hijackthis, take another scan and place a checkmark next to these entries.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Close all open Windows except Hijackthis and click on "fix Checked".
Reboot the computer.
**************************************** done ****************************************
Copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Open *notepad*
Copy and paste all the text in the quotebox below into it:
Quote:
KillAll::
Folder:: c:\program files\Lavasoft
ADS:: C:\windows\system32
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This reactivates Combofix. Again follow the prompts.
It will create another System restore point.
When finished, it shall produce a log for you at C:\ComboFix.txt
Copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.
********************************************* done: logs are below:
ComboFix 09-06-21.01 - HPCC 24/06/2009 16:14.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.433 [GMT 1:00]
Running from: c:\documents and settings\HPCC\Desktop\surreyfrog.exe
Command switches used :: c:\documents and settings\HPCC\Desktop\CFScript.txt
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Lavasoft
.
((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 )))))))))))))))))))))))))))))))
.
2009-07-02 17:24 . 2009-07-02 17:24 -------- d-----w- c:\program files\LG Electronics
2009-07-02 17:21 . 2007-11-08 15:26 1164728 ----a-w- c:\windows\system32\NMSDVDXU.dll
2009-07-02 17:21 . 2009-07-02 17:21 -------- d-----w- c:\documents and settings\HPCC\Application Data\LG Electronics
2009-07-02 17:21 . 2009-07-02 17:22 -------- d-----w- c:\program files\LG PC Suite II
2009-07-02 17:20 . 2009-07-02 17:20 -------- d-----w- c:\documents and settings\HPCC\Application Data\InstallShield
2009-06-29 10:09 . 2009-06-29 10:09 -------- d-----w- c:\program files\CAM Development
2009-06-24 15:11 . 2009-06-24 15:12 -------- d-s---w- C:\dave
2009-06-23 19:29 . 2009-06-23 19:29 -------- d-----w- c:\program files\Trend Micro
2009-06-23 10:17 . 2009-06-23 10:17 -------- d-----w- c:\windows\system32\scripting
2009-06-23 10:17 . 2009-06-23 10:17 -------- d-----w- c:\windows\l2schemas
2009-06-23 10:17 . 2009-06-23 10:17 -------- d-----w- c:\windows\system32\en
2009-06-23 10:17 . 2009-06-23 10:17 -------- d-----w- c:\windows\system32\bits
2009-06-23 10:10 . 2009-06-23 10:18 -------- d-----w- c:\windows\ServicePackFiles
2009-06-22 19:31 . 2009-06-22 19:31 -------- d-----w- C:\Com
2009-06-22 19:30 . 2009-06-22 19:31 -------- d-----w- C:\32788R22FWJFW.1.tmp
2009-06-22 19:30 . 2009-06-22 19:30 -------- d-----w- C:\Fix
2009-06-22 19:30 . 2009-06-22 19:30 -------- d-----w- C:\32788R22FWJFW.0.tmp
2009-06-22 10:10 . 2009-06-22 10:10 -------- d-----w- c:\documents and settings\HPCC\Application Data\Malwarebytes
2009-06-22 10:07 . 2009-06-22 10:07 -------- d-----w- c:\program files\mwb
2009-06-21 21:24 . 2009-06-22 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-21 21:03 . 2009-06-22 18:02 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-21 17:10 . 2009-06-21 17:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-21 07:28 . 2009-06-18 08:58 2052888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-20 14:55 . 2009-06-17 10:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-20 14:55 . 2009-06-22 12:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-20 14:55 . 2009-06-20 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-20 14:55 . 2009-06-17 10:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-18 08:59 . 2009-06-09 07:49 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-06-18 08:59 . 2009-06-09 07:49 1261344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll
2009-06-18 08:59 . 2009-06-09 07:49 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-06-16 09:06 . 2009-06-16 09:06 -------- d-----w- c:\documents and settings\HPCC\Local Settings\Application Data\Sage
2009-06-16 09:00 . 2009-06-16 09:00 -------- d-----w- c:\program files\Common Files\InstallEngine
2009-06-16 08:57 . 2009-06-16 08:57 -------- d-----w- c:\program files\Common Files\Sage Shared
2009-06-16 08:55 . 2009-06-16 08:57 -------- d-----w- c:\program files\Common Files\Sage Line50
2009-06-16 08:55 . 2009-06-16 09:07 -------- d-----w- c:\program files\Common Files\Sage SBD
2009-06-16 08:55 . 2009-06-16 09:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Sage
2009-06-16 08:55 . 2009-06-16 08:58 -------- d-----w- c:\program files\Common Files\Sage Report Designer 2007
2009-06-16 08:54 . 2009-06-16 08:54 -------- d-----w- c:\program files\Sage
2009-06-09 12:08 . 2009-06-09 12:08 -------- d-----w- c:\documents and settings\HPCC\Local Settings\Application Data\AVG Security Toolbar
2009-06-09 08:23 . 2009-06-09 08:24 -------- d-----w- c:\documents and settings\HPCC\Local Settings\Application Data\Deployment
2009-06-09 08:22 . 2009-06-02 12:38 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-09 07:50 . 2009-06-09 07:49 826344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe
2009-06-09 07:49 . 2009-06-11 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-09 07:48 . 2009-06-09 07:48 1452312 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-06-01 07:14 . 2008-02-22 14:33 14976 ----a-w- c:\windows\system32\drivers\sscdmdfl.sys
2009-06-01 07:14 . 2008-02-22 14:33 12160 ----a-w- c:\windows\system32\drivers\sscdwhnt.sys
2009-06-01 07:14 . 2008-02-22 14:33 12160 ----a-w- c:\windows\system32\drivers\sscdwh.sys
2009-06-01 07:14 . 2008-02-22 14:33 114304 ----a-w- c:\windows\system32\drivers\sscdmdm.sys
2009-06-01 07:14 . 2008-02-22 14:33 87936 ----a-w- c:\windows\system32\drivers\sscdbus.sys
2009-06-01 07:14 . 2008-02-22 14:33 12160 ----a-w- c:\windows\system32\drivers\sscdcmnt.sys
2009-06-01 07:14 . 2008-02-22 14:33 12160 ----a-w- c:\windows\system32\drivers\sscdcm.sys
2009-06-01 07:14 . 2009-06-01 07:14 -------- d-----w- c:\windows\system32\Samsung_USB_Drivers
2009-06-01 07:14 . 2009-01-08 08:42 36608 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
2009-06-01 07:14 . 2009-01-08 08:42 233472 ----a-w- c:\windows\system32\FsUsbExService.Exe
2009-06-01 07:14 . 2009-01-08 08:42 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll
2009-06-01 07:14 . 2009-06-01 07:14 -------- d-----w- c:\documents and settings\HPCC\Application Data\Samsung
2009-06-01 07:13 . 2009-06-01 07:13 -------- d-----w- c:\program files\MarkAny
2009-06-01 07:13 . 2009-06-01 07:13 -------- d-----w- c:\program files\Samsung
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-23 12:44 . 2007-04-20 15:26 85600 ----a-w- c:\documents and settings\HPCC\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-23 10:22 . 2006-01-30 19:15 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-23 07:24 . 2008-03-16 08:35 -------- d-----w- c:\program files\Macrogaming
2009-06-23 07:24 . 2007-04-05 10:03 -------- d-----w- c:\program files\Java
2009-06-22 17:37 . 2009-04-02 17:42 -------- d-----w- c:\program files\Cheat Engine
2009-06-20 10:11 . 2008-03-10 20:24 -------- d-----w- c:\program files\Windows Live Toolbar
2009-06-18 08:58 . 2007-04-05 10:18 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 09:00 . 2007-01-15 17:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-14 06:08 . 2007-04-05 10:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-09 07:49 . 2009-03-27 16:37 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-01 07:14 . 2007-12-25 11:51 -------- d-----w- c:\program files\DIFX
2009-05-28 10:15 . 2008-08-06 08:54 34 ----a-w- c:\documents and settings\HPCC\jagex_runescape_preferences.dat
2009-05-07 15:32 . 2006-01-30 17:59 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2006-01-30 17:59 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2006-01-30 17:59 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-26 14:47 . 2008-11-03 22:07 -------- d-----w- c:\documents and settings\HPCC\Application Data\Ahead
2009-04-25 07:41 . 2009-03-27 16:37 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-04-25 07:41 . 2009-03-27 16:37 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-25 07:40 . 2009-03-27 16:37 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-04-17 12:26 . 2006-01-30 17:59 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2006-01-30 17:59 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-07 18:51 . 2009-04-07 18:51 127 ----a-w- c:\documents and settings\HPCC\Local Settings\Application Data\fusioncache.dat
2002-04-16 09:27 . 2002-04-16 09:27 5 --sha-w- c:\windows\system32\CdI5T.drv
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\flfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\rlfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\TMail3FL.SYS
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\TMailRL.sys
.
((((((((((((((((((((((((((((( SnapShot_2009-06-23_20.43.50 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-25 07:41 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [3/27/2009 5:37 PM 12552]
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [11/8/2008 12:10 PM 40464]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/27/2009 5:37 PM 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/27/2009 5:37 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/27/2009 5:37 PM 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/27/2009 5:37 PM 298776]
R3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [1/15/2007 6:40 PM 659456]
S2 azkl;azkl;c:\windows\system32\drivers\tcym.sys --> c:\windows\system32\drivers\tcym.sys [?]
S2 Ca536av;DV 5900(Video);c:\windows\system32\drivers\Ca536av.sys [3/30/2008 2:57 PM 514859]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [6/1/2009 8:14 AM 36608]
S3 USBCamera;DV 5900(Still);c:\windows\system32\drivers\Bulk536.sys [3/30/2008 2:57 PM 11048]
S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [6/1/2009 8:14 AM 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-06-24 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-06-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3121785044-16713964-2988421403-1005.job
- c:\documents and settings\HPCC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-09 08:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-24 16:38
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4040)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\windows\system32\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Nero\Nero 7\Nero BackItUp\NBService.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-24 16:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-24 15:43
ComboFix2.txt 2009-06-23 20:49
ComboFix3.txt 2009-06-22 20:08

Pre-Run: 32,857,935,872 bytes free
Post-Run: 32,837,455,872 bytes free
210 --- E O F --- 2009-06-23 19:36
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:01:32, on 24/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\HPCC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HPCC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HPCC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

-- End of file - 5755 bytes
***********************************************
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*
I cannot find anything definitive about these drivers.
2002-04-16 09:27 . 2002-04-16 09:27 5 --sha-w- c:\windows\system32\CdI5T.drv
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\flfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\rlfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\TMail3FL.SYS
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\TMailRL.sys
Please go to Start | Run and then copy and paste in the following: c:\windows\system32 and then click OK.
The system32 folder should now be open. Please scroll down, right click each of the following files and rename them by adding old to the existing name, e.g.:
- CdI5T.drv to CdI5Told.drv
- flfnlf.sys to flfnlfold.sys
- rlfnlf.sys to rlfnlfold.sys
- TMail3FL.SYS to TMail3FLold.SYS
- TMailRL.sys to TMailRLold.sys
******************************************************************** none of those files were in the system32 folder *******************************************************************
You will now need to monitor the computer over the next few days and let me know if something stops working. They may be related to something you've uninstalled earlier or something undesirable, so it's best to deal with them.
Please go to Start | All programs |Windows Update. Make sure Automatic updates are turned on in the security centre and update your system including Internet Explorer.
****************************************************************** done *******************************************************************
Please go here and update your java to the latest version: Java SE Runtime Environment (JRE) JRE 6 Update 14 http://java.sun.com/javase/downloads/index.jsp
*********************************************************************** I went there, selected windows/multilanguage as the platform, got this:
We were unable to detect a recent version of Java Runtime Environment (JRE) on your system. With the latest JRE, you can automatically download, install, and run Sun Download Manager (SDM) directly from this page. We highly recommend SDM to easily manage your downloads (pause, resume, restart, verify, and more). Visit java.com for the latest JRE.
***************************************************************************
Post the following:
- The Combofix log.
- A new Hijackthis log
*************************************************************************** see above **************************************************************************
- A new Uninstall List.
************************************************************************** 2007 Microsoft Office system 3DVIA Player 4.1 Adobe AIR Adobe AIR Adobe Flash Player 10 ActiveX Adobe Flash Player 10 Plugin Adobe Reader 7.0.8 Adobe Shockwave Player Adobe® Photoshop® Album Starter Edition 3.0 Apple Mobile Device Support Apple Software Update AVG 8.5 CAM UnZip 4.42 Cheat Engine 5.3 Cheat Engine 5.5 Conexant HD Audio Critical Update for Windows Media Player 11 (KB959772) Driver Detective DV 5900 EphPod Express Burn Free Studio version 4.1 Gabbasoft Cube Demo Google Earth Google SketchUp 6 Google SketchUp 6 Exporters Google SketchUp LayOut 6 Google SketchUp Pro 6 Google Toolbar for Internet Explorer Google Toolbar for Internet Explorer Highlight Viewer (Windows Live Toolbar) HijackThis 2.0.2 Home Media Server 4.0.0.0072 Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) Hotfix for Windows Internet Explorer 7 (KB947864) Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB952287) Hotkey 1.0.4 InterActual Player iTunes LG MC USB Modem driver LG PC Suite II Macrogaming SweetIM 2.1 Malwarebytes' Anti-Malware Map Button (Windows Live Toolbar) Messenger Plus! 
Live Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB928366) Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 Microsoft .NET Framework 3.5 SP1 Microsoft .NET Framework 3.5 SP1 Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office 2007 Service Pack 2 (SP2) Microsoft Office 2007 Service Pack 2 (SP2) Microsoft Office 2007 Service Pack 2 (SP2) Microsoft Office 2007 Service Pack 2 (SP2) Microsoft Office 2007 Service Pack 2 (SP2) Microsoft Office 2007 Service Pack 2 (SP2) Microsoft Office 2007 Service Pack 2 (SP2) Microsoft Office 2007 Service Pack 2 (SP2) Microsoft Office 2007 Service Pack 2 (SP2) Microsoft Office 2007 Service Pack 2 (SP2) Microsoft Office Access MUI (English) 2007 Microsoft Office Access Setup Metadata MUI (English) 2007 Microsoft Office Excel MUI (English) 2007 Microsoft Office Outlook MUI (English) 2007 Microsoft Office PowerPoint MUI (English) 2007 Microsoft Office Professional Hybrid 2007 Microsoft Office Proof (English) 2007 Microsoft Office Proof (French) 2007 Microsoft Office Proof (Spanish) 2007 Microsoft Office Proofing (English) 2007 Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) Microsoft Office Publisher MUI (English) 2007 Microsoft Office Shared MUI (English) 2007 Microsoft Office Shared Setup Metadata MUI (English) 2007 Microsoft Office Word MUI (English) 2007 Microsoft Silverlight Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Visual C++ 2005 Redistributable Movavi Video Converter 6 Mozilla Firefox (3.0.8) MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB954430) Musicnotes Player V1.22.3 Nero 7 Essentials Nero BackItUp 2 Essentials neroxml Nokia Connectivity Cable Driver Nokia Lifeblog 2.1 Nokia 
MTP driver Nokia PC Connectivity Solution Nokia PC Suite Nokia Software Launcher Paragon Drive Backup™ 9.0 Express Photo Story 3 for Windows Photo Viewer 2.25 Pivot Stickfigure Animator PowerDVD QuickTime Quivic Sage Instant Accounts v14 SAMSUNG Mobile Composite Device Software SAMSUNG Mobile Modem Driver Set Samsung Mobile phone USB driver Software SAMSUNG Mobile USB Modem 1.0 Software SAMSUNG Mobile USB Modem Software Samsung New PC Studio Samsung New PC Studio Security Update for 2007 Microsoft Office System (KB969559) Security Update for 2007 Microsoft Office System (KB969679) Security Update for Microsoft Office Excel 2007 (KB969682) Security Update for Microsoft Office PowerPoint 2007 (KB957789) Security Update for Microsoft Office system 2007 (KB969613) Security Update for Microsoft Office Word 2007 (KB969604) Security Update for Step By Step Interactive Training (KB923723) Security Update for Windows Internet Explorer 7 (KB928090) Security Update for Windows Internet Explorer 7 (KB931768) Security Update for Windows Internet Explorer 7 (KB933566) Security Update for Windows Internet Explorer 7 (KB937143) Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB939653) Security Update for Windows Internet Explorer 7 (KB942615) Security Update for Windows Internet Explorer 7 (KB944533) Security Update for Windows Internet Explorer 7 (KB950759) Security Update for Windows Internet Explorer 7 (KB953838) Security Update for Windows Internet Explorer 7 (KB956390) Security Update for Windows Internet Explorer 7 (KB958215) Security Update for Windows Internet Explorer 7 (KB960714) Security Update for Windows Internet Explorer 7 (KB961260) Security Update for Windows Internet Explorer 7 (KB963027) Security Update for Windows Internet Explorer 7 (KB969897) Security Update for Windows Internet Explorer 8 (KB969897) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player 11 
(KB936782) Security Update for Windows Media Player 11 (KB954154) Security Update for Windows XP (KB923561) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB938464-v2) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB953839) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956391) Security Update for Windows XP (KB956572) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB957095) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958690) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960715) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB961373) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB968537) Security Update for Windows XP (KB969898) Security Update for Windows XP (KB970238) Sibelius Scorch Sibelius Scorch (ActiveX Only) Smart Menus (Windows Live Toolbar) Soft Data Fax Modem with SmartCP Switch The Sims 2 U211 DVD 2 Ulead Photo Explorer 8.0 SE Basic Uninstall 1.0.0.1 Update for 2007 Microsoft Office System (KB967642) Update for Microsoft Office Outlook 2007 
(KB969907) Update for Outlook 2007 Junk Email Filter (kb970012) Update for Windows Internet Explorer 8 (KB971930) Update for Windows XP (KB951072-v2) Update for Windows XP (KB951978) Update for Windows XP (KB955839) Update for Windows XP (KB967715) VIA Platform Device Manager VIA Rhine-Family Fast Ethernet Adapter Visual C++ 2008 x86 Runtime - (v9.0.30729) Visual C++ 2008 x86 Runtime - v9.0.30729.01 WavePad Uninstall Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0) Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0) Windows Driver Package - Nokia Modem (06/12/2006 6.81.0.21) Windows Internet Explorer 8 Windows Live Favorites for Windows Live Toolbar Windows Live installer Windows Live Messenger Windows Live Sign-in Assistant Windows Live Toolbar Windows Live Toolbar Windows Live Toolbar Extension (Windows Live Toolbar) Windows Media Format 11 runtime Windows Media Format 11 runtime Windows Media Player 11 Windows Media Player 11 Windows XP Service Pack 3 Xdrive Desktop Lite Xdrive Desktop Lite
**************************************************************************
- A full report.
This may not remove all the infections present. It is important that you post back and complete the fix.
Please post in this thread for further review and evaluation. Please provide details of any problems you encountered whilst performing the above steps & update us on how the Computer is running.
Joe.
Edited by surreyfrog (Wed Jun 24 2009 06:07 PM)
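The two log formats in this post, HijackThis entries and the ComboFix file listing, are both line-oriented and easy to triage by script. The following is an added example, not code from HijackThis, ComboFix or anyone in this thread; the sample lines are copied from the logs posted above and the attribute-letter meanings ('h' hidden, 's' system) are assumed from ComboFix's ls-style attribute column. It flags the two things a helper looks at first: registry entries that point at a file no longer on disk ("(no file)"), and downloaded ActiveX controls with the host they came from. It also shows why the five drivers did not appear in Explorer: every one carries both the hidden and the system attribute.

```python
"""Triage helpers for HijackThis (HJT) entries and ComboFix file listings.
Added example, not code from HijackThis, ComboFix or this forum; the sample
lines below are copied from the logs posted in this thread."""
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlparse

# Sample HJT entries, copied from the log posted above.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - (no file)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Sample ComboFix file-listing lines, copied from the post above.
SAMPLE_COMBOFIX = r"""
2002-04-16 09:27 . 2002-04-16 09:27 5 --sha-w- c:\windows\system32\CdI5T.drv
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\flfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\rlfnlf.sys
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\TMail3FL.SYS
1998-03-19 23:00 . 1998-03-19 23:00 1048 --sha-w- c:\windows\system32\TMailRL.sys
"""


@dataclass
class HjtEntry:
    kind: str                  # section code such as O2, O16, O18, O23
    fields: List[str]          # the " - " separated parts after the code
    flags: List[str] = field(default_factory=list)


HJT_LINE = re.compile(r"^([RFNO]\d+) - (.*)$")


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse HJT lines and attach the flags a reviewer checks first."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        kind, rest = m.groups()
        parts = [p.strip() for p in rest.split(" - ")]
        e = HjtEntry(kind, parts)
        # "(no file)": the registry still references a component that is gone
        # from disk, a dead entry left behind by an uninstall or a cleanup.
        if "(no file)" in parts:
            e.flags.append("orphan")
        if kind == "O2" and parts[0] == "BHO: (no name)":
            e.flags.append("unnamed BHO")
        # O16 entries are ActiveX controls downloaded from the web; record the
        # host so the reviewer can see where each one came from.
        if kind == "O16":
            e.flags.append("downloaded from " + (urlparse(parts[-1]).hostname or "?"))
        entries.append(e)
    return entries


@dataclass
class CfFile:
    first_ts: str    # ComboFix prints two timestamps; kept in log order
    second_ts: str
    size: int
    attrs: str       # e.g. "--sha-w-"; assumed: 's' = system, 'h' = hidden
    path: str

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


CF_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(\d+)\s+(\S+)\s+(.+)$")


def parse_combofix_files(text: str) -> List[CfFile]:
    files = []
    for line in text.splitlines():
        m = CF_LINE.match(line.strip())
        if m:
            a, b, size, attrs, path = m.groups()
            files.append(CfFile(a, b, int(size), attrs, path))
    return files


def not_shown_by_default(files: List[CfFile]) -> List[CfFile]:
    """Files Explorer hides with default settings: hidden needs 'Show hidden
    files'; hidden+system also needs 'Hide protected OS files' unticked."""
    return [f for f in files if f.hidden or f.system]


def triage(hjt_text: str = SAMPLE_HJT, cf_text: str = SAMPLE_COMBOFIX) -> List[str]:
    """Short report: flagged HJT entries plus files Explorer would not show."""
    report = []
    for e in parse_hjt(hjt_text):
        if e.flags:
            report.append(f"{e.kind} {e.fields[0]}: {', '.join(e.flags)}")
    for f in not_shown_by_default(parse_combofix_files(cf_text)):
        report.append(f"{f.path} ({f.size} bytes, attrs {f.attrs}): not shown by Explorer by default")
    return report


if __name__ == "__main__":
    print("\n".join(triage()))
```

Run as-is it reports the unnamed BHO and the x-sdch filter as orphans, the MSN upload control as downloaded from gfx1.mail.live.com, and all five system32 drivers as hidden-and-system, which is the case the "show hidden files" steps later in the thread are meant to cover.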
|
Joe_London
HijackThis Helper
Reg'd: Tue
Posts: 11788
Loc: London
|
|
Quote:
none of those files were in the system32 folder
They may be hidden.
Windows XP
To enable the viewing of Hidden files follow these steps:
- Close all programs so that you are at your desktop.
- Double-click on the My Computer icon.
- Select the Tools menu and click Folder Options.
- After the new window appears select the View tab.
- Put a checkmark in the checkbox labelled Display the contents of system folders.
- Under the Hidden files and folders section select the radio button labelled Show hidden files and folders.
- Remove the checkmark from the checkbox labelled Hide file extensions for known file types.
- Remove the checkmark from the checkbox labelled Hide protected operating system files.
- Press the Apply button and then the OK button and shut down My Computer.
Now your computer is configured to show all hidden files.
Quote:
I went there, selected windows/multilanguage as the platform, got this:
We were unable to detect a recent version of Java Runtime Environment (JRE) on your system. With the latest JRE, you can automatically download, install, and run Sun Download Manager (SDM) directly from this page. We highly recommend SDM to easily manage your downloads (pause, resume, restart, verify, and more). Visit java.com for the latest JRE.
Ignore that message and continue to install the update.
Sorry I missed this undesirable programme. Messenger Plus! Live
A LOP infection usually comes bundled with Messenger Plus if you did not reject the Lop sponsored advertising program during installation and updates. I recommend uninstalling Messenger Plus.
To do so:
Go to Add/Remove programs. Double click on "Messenger Plus!" (or click on Remove)
Then remove Messenger Plus from the hard drive: open Windows Explorer, navigate to C:\Program Files\Messenger Plus! 3.7, then delete the folder and contents.
Did you update to IE 8? The HJT log is still showing IE 7.
Please download the latest version of CCleaner to your desktop and then install it from there. Be careful during the install process and reject anything that comes bundled with this programme such as toolbars etc. Do not allow it to run at start-up. Once installed into its default location, which is c:\program files\ccleaner, either drag the install exe file into that folder or delete it.
To do:
You also need to add a third-party firewall. Let me know if you have any preferences.
Do not proceed just yet.
I'm currently using Comodo firewall along with Avast anti-virus, which is a good combination and they are free. It would of course mean dumping your current AVG.
Let me know your decision please.
Post the following:
- A new List.
- The Requested Information and your usual report.
This may not remove all the infections present. It is important that you post back and complete the fix.
Please post in this thread for further review and evaluation. Please provide details of any problems you encountered whilst performing the above steps & update us on how the Computer is running.
Joe.
-------------------- If I've helped you and saved you money please consider a donation to support my work :
Member of UNITE and ASAP.
|
surreyfrog
regular
Reg'd: Tue
Posts: 80
|
|
To enable the viewing of Hidden files follow these steps:
- Close all programs so that you are at your desktop.
- Double-click on the My Computer icon.
- Select the Tools menu and click Folder Options.
- After the new window appears select the View tab.
- Put a checkmark in the checkbox labelled Display the contents of system folders.
- Under the Hidden files and folders section select the radio button labelled Show hidden files and folders.
- Remove the checkmark from the checkbox labelled Hide file extensions for known file types.
- Remove the checkmark from the checkbox labelled Hide protected operating system files.
- Press the Apply button and then the OK button and shut down My Computer.
Now your computer is configured to show all hidden files.
*********************************************************************** done - was then able to rename all those files ***********************************************************************
Ignore that message and continue to install the update.
***************************************************************** done - installed ****************************************************************
Sorry I missed this undesirable programme. Messenger Plus! Live
A LOP infection usually comes bundled with Messenger Plus if you did not reject the Lop sponsored advertising program during installation and updates. I recommend uninstalling Messenger Plus.
To do so:
Go to Add/Remove programs. Double click on "Messenger Plus!" (or click on Remove)
Then remove Messenger Plus from the hard drive: open Windows Explorer, navigate to C:\Program Files\Messenger Plus! 3.7, then delete the folder and contents.
************************************************************************ done - removed ************************************************************************
Did you update to IE 8? The HJT log is still showing IE 7.
************************************************************************** now on IE8 **************************************************************************
Please download the latest version of CCleaner to your desktop and then install it from there. Be careful during the install process and reject anything that comes bundled with this programme such as toolbars etc. Do not allow it to run at start-up. Once installed into its default location, which is c:\program files\ccleaner, either drag the install exe file into that folder or delete it.
**************************************************************************** done *************************************************************************** To do:
You also need to add a third-party firewall. Let me know if you have any preferences.
Do not proceed just yet.
I'm currently using Comodo firewall along with Avast anti-virus, which is a good combination and they are free. It would of course mean dumping your current AVG.
Let me know your decision please.
************************************************************************ I'll use what you use - will swap AVG to Avast ************************************************************************ Post the following:
- A new List.
- The Requested Information and your usual report.
************************************************************************ Joe - which lists/reports are needed now? ************************************************************************
This may not remove all the infections present. It is important that you post back and complete the fix.
Please post in this thread for further review and evaluation. Please provide details of any problems you encountered whilst performing the above steps & update us on how the Computer is running.
Joe.
|
Joe_London
HijackThis Helper
Reg'd: Tue
Posts: 11788
Loc: London
|
|
OK, you've done a great job. Leave things as they are for a few days and then post back and let me know if renaming those files had any adverse effect on any programmes you use?
Also let me know how the computer is running?
Joe.
-------------------- If I've helped you and saved you money please consider a donation to support my work :
Member of UNITE and ASAP.
|
surreyfrog
regular
Reg'd: Tue
Posts: 80
|
|
Joe, I'll post back in a few days' time.
In the meantime should I install the firewall you recommended?
If I do, would it run as well as the windows firewall or should I turn the windows firewall off?
Joe, you have been an incredible help. I would have been stuck without you. You have my and my wife's thanks for all the time and effort you have put into solving this problem.
|
Joe_London
HijackThis Helper
Reg'd: Tue
Posts: 11788
Loc: London
|
|
Quote:
I'll post back in a few days' time.
That's fine.
Quote:
In the meantime should I install the firewall you recommended?
Best wait until last.
Quote:
If I do, would it run as well as the windows firewall or should I turn the windows firewall off?
Once the new firewall is installed, turn off the Windows version via the control panel.
Look forward to hearing from you later.
Joe.
-------------------- If I've helped you and saved you money please consider a donation to support my work :
Member of UNITE and ASAP.
|
surreyfrog
regular
Reg'd: Tue
Posts: 80
|
|
Joe - all running OK
|
Joe_London
HijackThis Helper
Reg'd: Tue
Posts: 11788
Loc: London
|
|
That's great news.
Now you recall my instruction to rename those unidentified files:
Quote:
Please go to Start | Run and then copy and paste in the following: c:\windows\system32 and then click OK.
The system32 folder should now be open. Please scroll down, right click each of the following files and rename them by adding old to the existing name, e.g.:
- CdI5T.drv to CdI5Told.drv
- flfnlf.sys to flfnlfold.sys
- rlfnlf.sys to rlfnlfold.sys
- TMail3FL.SYS to TMail3FLold.SYS
- TMailRL.sys to TMailRLold.sys
Assuming you've not had any alerts please go back to Start | Run and then copy and paste in the following: c:\windows\system32 and then click OK.
Now delete all those previously renamed files listed above from the system32 folder.
Go to this site and download the free version of Comodo firewall to your desktop: http://personalfirewall.comodo.com/downl...&country=GB
Do not install it at this point.
Go to this site and download Avast Anti-virus to your desktop: http://www.avast.com/eng/avast_4_home.html
Do not install it yet.
Post back your usual report when you've done.
Joe.
-------------------- If I've helped you and saved you money please consider a donation to support my work :
Member of UNITE and ASAP.
|
surreyfrog
regular
Reg'd: Tue
Posts: 80
|
|
Now delete all those previously renamed files listed above from the system32 folder.
************************ done ************************
Go to this site and download the free version of Comodo firewall to your desktop: Do not install it at this point.
********************************* done IT SAYS FIREWALL PLUS ANTIVIRUS *********************************
Go to this site and download Avast Anti-virus to your desktop: Do not install it yet.
********************************* done *********************************
Post back your usual report when you've done.
|
Joe_London
HijackThis Helper
Reg'd: Tue
Posts: 11788
Loc: London
|
|
We need to remove Combofix. This should work but may not as we renamed it. Try it and let me know how you get on?
- Click START then RUN
- Now type or copy and paste Combofix /u in the run box and click OK (case insensitive)
- If shown the disclaimer, select "2"
In a little while the above procedure will
- Delete ComboFix and its associated files and folders.
Also re-hide hidden files and folders.
Basically you need to reverse the earlier steps. See here:
http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp
-------------------- If I've helped you and saved you money please consider a donation to support my work :
Member of UNITE and ASAP.
|
surreyfrog
regular
Reg'd: Tue
Posts: 80
|
|
We need to remove Combofix.
***************************** done *****************************
Also re-hide hidden files and folders.
************************************** done ***************************************
|
Joe_London
HijackThis Helper
Reg'd: Tue
Posts: 11788
Loc: London
|
|
Good work.
Now uninstall AVG Anti-virus and delete its folder from the hard drive. This is usually located in C:\Grisoft or C:\AVG
Once that's done, install Avast Anti-virus. Please use the Custom install and be careful not to accept anything bundled such as browser helper objects or toolbars etc. and only install the Anti-virus.
Once all that's done and you're happy it's OK, install the Comodo firewall you downloaded earlier.
Again use the custom install rejecting any bundled stuff. Make sure you install the firewall only and nothing else. Reject the Anti-virus part and also reject the Defense plus part.
Any queries post back before proceeding.
Hope it all goes well. The usual report when complete please.
Finally on a different note make sure you have enabled private messages at Web-user.
Note
-------------------- If I've helped you and saved you money please consider a donation to support my work :
Member of UNITE and ASAP.
|
surreyfrog
regular
Reg'd: Tue
Posts: 80
|
|
Joe
all done as per your last post.
private messages enabled/ replied.
Thank you so much for all your help.
|
Joe_London
HijackThis Helper
Reg'd: Tue
Posts: 11788
Loc: London
|
|
I think that's all we have to do. Let me know if I've forgotten anything. I hope you get used to the Avast update voice. If it annoys you I think it can be turned off.
Good luck,
Joe.
-------------------- If I've helped you and saved you money please consider a donation to support my work :
Member of UNITE and ASAP.
|
Joe_London
HijackThis Helper
Reg'd: Tue
Posts: 11788
Loc: London
|
|
One thing I did forget, and that is to check in the control panel security centre to ensure the following: click on the down arrows beside your firewall to make sure it's Comodo. Then do the same for Anti-virus to ensure it's Avast, and also make sure Windows updates are on.
Then go back to the control panel and click on Windows Firewall. Make sure it is set to off.
Joe.
-------------------- If I've helped you and saved you money please consider a donation to support my work :
Member of UNITE and ASAP.
|