
bw41101

  1. Safe surfing to you too. Many thanks for your help and assistance. Regards bw41101
  2. Sorry, I think there may be a misunderstanding on my part, as I was thinking that there was/is no more treatment needed for my PC? If you consider that there is more to do - then yes, we can go ahead. Like I said earlier in this thread, the original problem I had with C:\Documents and Settings\LocalService\Cookies has gone, i.e. the cookies subdirectory no longer exists and I am receiving security updates from Microsoft. Regards Chris (bw41101)
  3. Well, it's been nearly a week since my last message and no reply. This being the case, I can only assume that you guys consider that my issue has been dealt with - to which I can concur. In view of this, I would like to take this opportunity to thank all those involved for their help and advice. Cheers all. Regards; Chris (bw41101).
  4. Greetings; Result of the scan:
     C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DeltaToolbar27.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
     C:\Documents and Settings\Chris D\Desktop\Applications\Nero-6.6.1.15a.exe Win32/Toolbar.AskSBar application deleted - quarantined
     C:\Documents and Settings\Chris D\Desktop\Applications\Setup_FreeFlvConverter.exe Win32/Toolbar.Widgi application cleaned by deleting - quarantined
     C:\Documents and Settings\Chris D\Desktop\JL Dowmloads\ImTOO.Video.Converter.Ultimate.7.7.2.20130225.rar Win32/HackTool.Patcher.AC application deleted - quarantined
     C:\Documents and Settings\Chris D\Desktop\Old Firefox Data\prefs.j~ JS/SecurityDisabler.A.Gen application cleaned by deleting - quarantined
     C:\Documents and Settings\Chris D\Desktop\Old Firefox Data\extensions\plugin@yontoo.com.xpi Win32/Adware.Yontoo application deleted - quarantined
     C:\Documents and Settings\Chris D\Desktop\torrent downloads\Corel WinDVD 9.rar a variant of Win32/Keygen.AF application deleted - quarantined
     C:\Documents and Settings\Chris D\Desktop\torrent downloads\car radio code calculator\Car Radio Universal Code Calculator ©2.2 Keygen.rar multiple threats deleted - quarantined
     C:\Documents and Settings\Chris D\Desktop\torrent downloads\Windows XP Pro SP3 - Activated\WXPVOL_EN.iso multiple threats deleted - quarantined
     C:\Documents and Settings\Chris D\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\52\67ddc5b4-65f48022 multiple threats cleaned by deleting - quarantined
     C:\Program Files\ImTOO\MPEG Encoder Platinum\ImTOO MPEG Encoder Ultimate 5.1.37 Build-0723_Patch.exe Win32/HackTool.Patcher.AC application cleaned by deleting - quarantined
     C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\mrxsmb.sys.vir a variant of Win32/Rootkit.Kryptik.UI trojan cleaned by deleting - quarantined
     D:\Backup May30 07\Nero-6.6.1.15a.exe Win32/Toolbar.AskSBar application deleted - quarantined
     E:\Mozilla Backups\Firefox 11.0 (en-GB) - 2012-04-06.pcv JS/SecurityDisabler.A.Gen application deleted - quarantined
     E:\Mozilla Backups\Firefox 23.0.1 (en-US) - 2013-08-28.pcv JS/SecurityDisabler.A.Gen application deleted - quarantined
     E:\Mozilla Backups\Firefox 3.6.16 (en-GB) - 2011-04-25.pcv JS/SecurityDisabler.A.Gen application deleted - quarantined
     E:\Mozilla Backups\Firefox 8.0 (en-GB) - 2011-12-18.pcv JS/SecurityDisabler.A.Gen application deleted - quarantined
     Upon reading the above, the pcv files are created via a utility called Mozbackup. What's really disturbing is just how long I've had these infected backups - the first one being circa 2010. The thing is (as these are Firefox backups), where did the infections come from? Also noticed that (after running Combofix), the cookies subdirectory has disappeared from C:\Documents and Settings\LocalService - addressing my original problem. One thing though - the following were created at the same time: C:\Documents and Settings\LocalService.NT AUTHORITY and C:\Documents and Settings\LocalService.NT AUTHORITY.000. Is there any action required (on my part) for the above? Also noticed that the Microsoft security updates have suddenly come through as well - which was welcome. Am wondering if there's anything else that needs doing? Regards
  5. Back again! Have run ComboFix - results: ComboFix 13-09-28.02 - Chris D 28/09/2013 19:18:16.1.4 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3454.2821 [GMT 1:00] Regards
  6. Greetings again; Apologies for the slow reply as I've been away on company business - so not near my PC. I've followed Maniac's advice and have managed to run TFC successfully, including Malwarebytes scanning. However, after all this I'm still suffering with the same problem as previously described, i.e. loads of cookies appearing within my C:\Documents and Settings\LocalService\Cookies. I've tried everything to track down where these are coming from but cannot detect any processes running in the background. Perhaps, as this cookie folder is normally hidden, this may be normal and hence the title of my thread - "had anyone else noticed this"? Looking forward to your inputs. Regards
  7. Greetings again. Have progressed as per your instructions above - except for running the TFC programme. I tried several times to run this and couldn't get it to work - the last time I left it for over an hour and nothing happened. Also, when I tried to exit the programme the status bar showed [not responding]; in fact the whole computer locked up, forcing me to do a hard re-boot. Results for the others as below: Junkware Removal Tool (JRT) by Thisisu Version: 6.0.1 (09.15.2013:1) OS: Microsoft Windows XP x86 Ran by Chris D on 22/09/2013 at 16:22:59.41; AdwCleaner v3.004 - Report created 22/09/2013 at 16:43:25; Malwarebytes log. Am still getting the same problem with the cookie generation occurring in my: C:\Documents and Settings\LocalService\Cookies Thanks again Regards
  8. Greetings again

Many thanks for the prompt reply. I have set my Cookie control in Firefox and am happy that the controls are working. However, like I said in my original post, the problem with the cookie generation is only occurring in my:

C:\Documents and Settings\LocalService\Cookies

I have made a scan which I have attached below and would be grateful if you would kindly have a look at it.

******************************************************** Attach.txt **********************************************

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 15/02/2009 17:44:24
System Uptime: 18/09/2013 21:13:51 (0 hours ago)
.
Motherboard: ASUSTeK COMPUTER INC. | | PCH-DL
Processor: Intel® Xeon CPU 3.06GHz | Socket 604 | 3073/133mhz
Processor: Intel® Xeon CPU 3.06GHz | Socket 604 | 3073/133mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 56.118 GiB free.
D: is FIXED (FAT32) - 76 GiB total, 50.21 GiB free.
E: is FIXED (NTFS) - 59 GiB total, 51.597 GiB free.
F: is FIXED (NTFS) - 16 GiB total, 15.139 GiB free.
G: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/1000 CT Network Connection
Device ID: PCI\VEN_8086&DEV_1075&SUBSYS_81151043&REV_00\4&2D894BD&0&0818
Manufacturer: Intel
Name: Intel® PRO/1000 CT Network Connection
PNP Device ID: PCI\VEN_8086&DEV_1075&SUBSYS_81151043&REV_00\4&2D894BD&0&0818
Service: E1000
.
==== System Restore Points ===================
.
RP270: 21/06/2013 19:19:02 - System Checkpoint
RP271: 28/06/2013 19:48:41 - System Checkpoint
RP272: 29/06/2013 20:06:23 - System Checkpoint
RP273: 06/07/2013 19:16:40 - System Checkpoint
RP274: 12/07/2013 19:32:07 - System Checkpoint
RP275: 13/07/2013 20:30:03 - System Checkpoint
RP276: 26/07/2013 19:08:52 - System Checkpoint
RP277: 02/08/2013 19:11:28 - System Checkpoint
RP278: 04/08/2013 12:34:45 - System Checkpoint
RP279: 09/08/2013 19:09:13 - System Checkpoint
RP280: 17/08/2013 20:17:22 - System Checkpoint
RP281: 23/08/2013 19:32:28 - System Checkpoint
RP282: 25/08/2013 16:07:21 - System Checkpoint
RP283: 30/08/2013 22:19:27 - System Checkpoint
RP284: 13/09/2013 19:16:07 - System Checkpoint
RP285: 15/09/2013 17:52:48 - System Checkpoint
.
==== Installed Programs ======================
.
ACDSee 5.0 Standard Trial
Acrobat.com
Adobe AIR
Adobe Download Manager
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.5.5
Adobe Shockwave Player 11.6
Advanced File Fixer 2012 version 2.8
AnyDVD
µTorrent
Auslogics BoostSpeed
Auslogics BoostSpeed 5.4
AVG 2013
AVG PC Tuneup
BBC Globe Screen Saver
CloneDVD2
ConvertHelper 2.2
Corel WinDVD 9
CyberLink PhotoNow
CyberLink PowerDirector
Email Updater
FileASSASSIN
Free FLV Converter V 7.0.0
Freez FLV to MP3 Converter
Hauppauge WinTV Source Selector
Hauppauge WinTV2000
HDD Regenerator
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2779562)
ImTOO MPEG Encoder Platinum
Intel® Network Connections 13.5.32.0
Java Auto Updater
Java 6 Update 17
Java 7 Update 1
JDownloader 0.9
K-Lite Mega Codec Pack 6.8.0
Magic FLAC to MP3 Converter 3.72
MahJong Suite 2009 v6.1
MahJong Suite Graphics Pack Volume 1 - v1.9
MahJong Suite Graphics Pack Volume 2 - v2.9
Malwarebytes Anti-Malware version 1.75.0.1300
Media Player Classic - Home Cinema v1.5.2.3456
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Office Visio Professional 2003
Microsoft OpenType Font File Properties Extension
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Mozilla Firefox 24.0 (x86 en-US)
Mozilla Thunderbird 17.0.8 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 6 Ultra Edition
Nero Digital
Nero Media Player
Pale Moon 19.0.1 (x86 en-US)
PeerBlock 1.1 (r518)
PerfectDisk 11 Professional
PicaView
Pinnacle Studio AV/DV
Pinnacle Studio DC10plus
Pinnacle Studio LINX
PowerISO
Radialpoint Security Advisor 2.5.13
RapidLinkConverter
RealPlayer
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2792100)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Internet Explorer 8 (KB2809289)
Security Update for Windows Internet Explorer 8 (KB2817183)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2753842)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2808735)
Security Update for Windows XP (KB2813170)
Security Update for Windows XP (KB2813345)
Security Update for Windows XP (KB2820917)
SiSoftware Sandra Professional Business 2009.SP3
SoundMAX
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
SpywareBlaster 5.0
Studio
Super Fast Shutdown 1.0
Super Video Joiner 5.7.8
Super Video Splitter 5.4
SUPERAntiSpyware
swMSM
System Requirements Lab
Trust Webcam 14921
Turbo ZIP Cracker v. 1.0
TweakNow RegCleaner Professional
Unlocker 1.9.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB969497)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
uTorrentBar Toolbar
VC 9.0 Runtime
Video Grabber
Virgin Media Chat Extension 2.0.23
Virgin Media Digital Home Support 3.7.20
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WD SmartWare
WebFldrs XP
Window Washer
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
WinZip 14.5
XP Smoker Pro 5.4
Yahoo! BrowserPlus 2.9.8
.
==== Event Viewer Messages From Past Week ========
.
15/09/2013 13:59:14, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
14/09/2013 17:28:04, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd PCIIde Pnp680 Pnp680r UlSata
13/09/2013 16:20:28, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd
13/09/2013 16:20:28, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
13/09/2013 16:20:28, error: Service Control Manager [7000] - The OMSCAN service failed to start due to the following error: The system cannot find the file specified.
13/09/2013 16:20:28, error: Service Control Manager [7000] - The ASInsHelp service failed to start due to the following error: The system cannot find the file specified.
.
==== End Of File ===========================

*************************************************************************** dds.txt *************************************

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.1.0
Run by Chris D at 21:45:18 on 2013-09-18
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3454.2849 [GMT 1:00]
.
AV: AVG Internet Security 2013 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Internet Security 2013 *Enabled*
FW: AVG Firewall *Disabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\AVG\AVG2013\avgfws.exe
C:\Program Files\AVG\AVG2013\avgwdsvc.exe
C:\Program Files\Virgin Media\Chat Extension\HsdService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Virgin Media\Digital Home Support\ServicepointService.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\WDVRCtrl.exe
C:\Program Files\AVG\AVG2013\avgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
mSearchAssistant = about:blank
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: AutorunsDisabled - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: uTorrentBar Toolbar: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - c:\program files\utorrentbar\prxtbuTo2.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [WinDVRCtrl] c:\windows\WDVRCtrl.exe
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\instal~1.lnk - c:\windows\explorer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:147
uPolicies-Explorer: DisallowRun = dword:0
uPolicies-Explorer: DisallowCpl = dword:1
uPolicies-Explorer: NoCDBurning = dword:1
uPolicies-Explorer: MaxRecentDocs = dword:11
mPolicies-Explorer: NoDriveTypeAutoRun = dword:147
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
LSP: mswsock.dll
.
INFO: HKCU has more than 50 listed domains. If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains. If you wish to scan all of them, select the 'Force scan all domains' option.
.
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 mpa.one.microsoft.com
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\chris d\application data\mozilla\firefox\profiles\yvkzwzdw.default\
FF - prefs.js: browser.search.selectedEngine - Delta Search
FF - plugin: c:\documents and settings\chris d\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\virgin media\digital home support\nprpspa.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1166636.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_168.dll
FF - ExtSQL: 2013-08-17 22:29; jid0-9XfBwUWnvPx4wWsfBWMCm4Jj69E@jetpack; c:\documents and settings\chris d\application data\mozilla\firefox\profiles\yvkzwzdw.default\extensions\jid0-9XfBwUWnvPx4wWsfBWMCm4Jj69E@jetpack.xpi
FF - ExtSQL: 2013-08-27 19:18; treestyletab@piro.sakura.ne.jp; c:\documents and settings\chris d\application data\mozilla\firefox\profiles\yvkzwzdw.default\extensions\treestyletab@piro.sakura.ne.jp.xpi
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2013-2-8 60216]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2013-2-8 245048]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 96568]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 39224]
R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [2009-3-1 71720]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2013-2-26 208184]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2013-3-1 22328]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 170808]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 182072]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-8-12 116608]
R2 avgfws;AVG Firewall;c:\program files\avg\avg2013\avgfws.exe [2013-2-19 1418184]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2013\avgwdsvc.exe [2013-2-19 282624]
R2 HsdService;HsdService;c:\program files\virgin media\chat extension\HsdService.exe [2010-10-9 1410288]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-9-12 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-2 701512]
R2 PdiService;Portrait Displays SDK Service;c:\program files\common files\portrait displays\drivers\pdisrvc.exe [2013-2-15 123248]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 ServicepointService;ServicepointService;c:\program files\virgin media\digital home support\ServicepointService.exe [2010-10-9 689392]
R2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2009-2-15 618896]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30944]
R3 HCWBT8XX;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [2012-7-12 472644]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-2 22856]
S0 eigvon;eigvon;c:\windows\system32\drivers\nbahv.sys --> c:\windows\system32\drivers\nbahv.sys [?]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S0 mofmjxqe;mofmjxqe;c:\windows\system32\drivers\wwjgdp.sys --> c:\windows\system32\drivers\wwjgdp.sys [?]
S1 DCxxMJPG;Pinnacle DC10plus, Motion-JPEG VideoIO Board;c:\windows\system32\drivers\dcxxmjpg.sys --> c:\windows\system32\drivers\DCxxMJPG.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2013\avgidsagent.exe [2013-2-27 4937264]
S3 AF9035HB;AF9035 Hybrid Device;c:\windows\system32\drivers\AF9035HB.sys [2011-10-2 863616]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30944]
S3 BT848;Studio WDM Video Capture;c:\windows\system32\drivers\BT848.sys [2002-4-1 211936]
S3 BTTUNER;Studio WDM TvTuner;c:\windows\system32\drivers\bttuner.sys [2002-4-1 10052]
S3 BTXBAR;Studio WDM Crossbar;c:\windows\system32\drivers\btxbar.sys [1999-7-21 13308]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-2-6 35144]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-4-10 19056]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra professional business 2009.sp1b\RpcAgentSrv.exe [2009-2-16 98488]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S4 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-10-14 98304]
S4 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
.
=============== File Associations ===============
.
FileExt: .vbs: VBSFile=c:\windows\system32\WScript.exe "%1" %* [userChoice]
.
=============== Created Last 30 ================
.
2013-09-15 14:31:44 -------- d-----w- c:\documents and settings\chris d\local settings\application data\Conduit
.
==================== Find3M ====================
.
2013-09-13 15:27:22 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-13 15:27:20 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-12 16:32:35 13824 ----a-w- c:\windows\system32\LAYOUT.DLL
2013-06-28 21:50:12 0 ----a-w- c:\windows\system32\TempWmicBatchFile.bat
2013-05-14 10:54:38 2174976 ----a-w- c:\program files\common files\atimpenc.dll
.
============= FINISH: 21:45:31.68 ===============

Thanks again, look forward to your reply.

Kind Regards

Chris (BW41101)
  9. Greetings all;

I'm running Windows XP Professional (SP4) and whilst checking through my system I noticed that within the following:

C:\Documents and Settings\LocalService\Cookies

An absolutely humongous amount of cookies have appeared within this subdirectory? Naturally upon seeing this I immediately started to delete same (over 1000), only to find that soon after more started appearing, and not just in ones and twos but in blocks of 10, 20, 30 or more. What's more puzzling is the fact that this is happening when no browser is actually open?? I've searched on the net to see whether this is a known phenomenon but with no luck. In addition I've run all of my anti virus/malware programmes, including Malwarebytes, and all come up clean. Could anyone please advise me as to whether this activity is normal and (if it turns out to be malware) how to effectively deal with it?

Please advise

Regards BW41101