steve jones

Everything posted by steve jones

  1. So it seems like a bit of housework can get you a PC that starts in around a minute or less - compared with my wife's (which takes minutes cos the children are forever downloading smileys etc.). It's amazing what we accept though - if you had to turn your car's ignition key then wait a couple of minutes before moving off, it wouldn't feel like a good car! Good ol' Bill Gates eh?
  2. Wow that's good! As you say, mine has a typical load of software and 1000s of pics, so I'm happy. I don't have a netbook, but am I right in thinking they boot up pdq?
  3. I suppose I'm boasting but after some brilliant help on these forums I now have a clean laptop that boots up in 60 seconds dead. From what I've read that's pretty swift. Can anyone beat my time?
  4. Oops, I'm on SP2 so I guess I'll let SP3 load! Chkdsk wouldn't run; "the volume is in use by another process. Would you like to schedule this volume to be checked next time the system restarts?" I said yes and did a restart but nothing happened?
  5. Will try to do that when I get home from work tonight, thanks. As a matter of interest, when I switched the laptop on yesterday it said I needed to accept Microsoft updates, then it started to load SP3. I panicked cos I thought I was already running SP3, so stopped the download. Can you tell from my logs posted earlier which I already have please? Steve
  6. In case it helps, the Nov 09 issue of PC Pro covers the subject of Crapware (which new PCs are better and worse) and how to remove some of the least worthwhile stuff. It also discusses upgrading from XP/Vista to Windows 7 as I recall - what software is retained and what is lost. I know they have an online version of the mag so you might be able to read about it there?
  7. Will do as you advise - thanks. The laptop has 4 gig installed but running 32 bit XP I think it only uses 3 gig? Steve
  8. If I am now clear (although my desktop icons do take longer to 'fill in' on starting up XP than they used to?) could you pls advise how to best remove the various bits that are now on my desktop; Win32Diag, HiJackThis, ComboFix. Is it safest to delete MBAM and reload an updated version every time I do a scan of my system? Many thanks Steve Jones
  9. MBAM running a fast scan again no problem. Hijack This still gives permissions error - poss because it's been sitting on the desktop from the start of the problem? Does it need deleting and reloading perhaps? Other than that the laptop appears to be running OK.
  10. Update on the 2 items I need to remove;
      1) C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) This file isn't found by a search. Could it have already been deleted or is it somehow invisible to me?
      2) C:\System Volume Information\_restore{955106F3-E2AF-4D07-9A85-13D1C4FD7D76}\RP113\A0042405.dll (Trojan.Sirefef) This file isn't found by a search, and I can't access the System Volume Information folder ("Access is denied").
      The log from Win32Diag follows;
      Running from: C:\Documents and Settings\Steve Jones\desktop\win32kdiag.exe
      Log file at : C:\Documents and Settings\Steve Jones\Desktop\Win32kDiag.txt
      Removing all found mount points.
      Attempting to reset file permissions.
      WARNING: Could not get backup privileges!
      Searching 'C:\WINDOWS'...
      Finished!
      Kaspersky reported nothing! Is that good? Steve
  11. To be honest I can't remember being given that Remove Selected option, but given I can't find the files it would seem I must have been? Doh! I am at work now and have left the Kaspersky check running at home. Will post later this eve UK time. I'm a little worried because I ran the Win32kDiag.exe and the log file seemed like only a few lines long. Others I've seen posted here have loads of entries? Anyhow, will post it up later. Steve
  12. Hi all, nice to hear from you. I hear what you are saying Noknojon - most families can't afford to do it, and many are glad of a break from the kids come Monday morning! We are lucky because my wife and I both work part time with some flexibility, so we can cope. It's frustrating in the UK because we get no support whatsoever but still pay all the usual taxes! Still, it's a choice we have made so suffer the consequences...
  13. Thanks for that. I didn't realise that MBAM didn't automatically remove the infected files. Did I not Can you advise how I best do that now? I will do the other bits asap and report back. Cheers again. Steve
  14. I live in the UK and my wife and I educate our 11 year old daughter ourselves - there is no dramatic reason why we took her out of school, but we love it. The Home Educating community here in the UK is fairly active, but the government don't make it easy! I believe it's actually illegal in some countries, and subsidised financially in others?
  15. Thanks for the warm welcome Sjpritch25, and having noticed that the laptop seems to be starting up more slowly than usual I would appreciate if you could have a look at the logs. Also I tried to run HiJack This today and I still get the 'no permissions' message so evidently I'm not yet fixed. I've now remembered that Combofix ran but for some reason didn't find the internet connection and failed to load the Recovery Console. It did however report a problem. I then ran it again (which I think I've since read was wrong to do!) after double checking my internet connection. This time it did load Recovery Console and I think it found some problems - no doubt the logs will tell you what was found.
      After first run;
      ComboFix 09-09-28.01 - Steve Jones 29/09/2009 21:07.1.2 - NTFSx86
      Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3069.2640 [GMT 1:00]
      Running from: c:\documents and settings\Steve Jones\Desktop\ComboFix.exe
      AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
      WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
      ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
      Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
      Restored copy from - c:\windows\system32\dllcache\eventlog.dll
      ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
      -------\Legacy_UACd.sys
      -------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
      -------\Service_UACd.sys
      Completion time: 2009-09-29 21:13 - machine was rebooted
      After second run;
      ComboFix 09-09-28.01 - Steve Jones 29/09/2009 21:28.2.2 - NTFSx86
      Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3069.2491 [GMT 1:00]
      Running from: c:\documents and settings\Steve Jones\Desktop\ComboFix.exe
      AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
      Completion time: 2009-09-29 21:31
      MBAM Quick scan log;
      Malwarebytes' Anti-Malware 1.41
      Database version: 2873
      Windows 5.1.2600 Service Pack 2
      29/09/2009 21:35:40
      mbam-log-2009-09-29 (21-35-36).txt
      Scan type: Quick Scan
      Objects scanned: 96683
      Time elapsed: 1 minute(s), 33 second(s)
      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 2
      Memory Processes Infected: (No malicious items detected)
      Memory Modules Infected: (No malicious items detected)
      Registry Keys Infected: (No malicious items detected)
      Registry Values Infected: (No malicious items detected)
      Registry Data Items Infected: (No malicious items detected)
      Folders Infected: (No malicious items detected)
      Files Infected:
      C:\WINDOWS\win32k.sys (Trojan.Dropper) -> No action taken.
      C:\Documents and Settings\Steve Jones\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
      MBAM Full Scan log;
      Malwarebytes' Anti-Malware 1.41
      Database version: 2873
      Windows 5.1.2600 Service Pack 2
      29/09/2009 22:05:30
      full scan mbam-log-2009-09-29 (22-05-07).txt
      Scan type: Full Scan (C:\|)
      Objects scanned: 167887
      Time elapsed: 24 minute(s), 12 second(s)
      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 2
      Memory Processes Infected: (No malicious items detected)
      Memory Modules Infected: (No malicious items detected)
      Registry Keys Infected: (No malicious items detected)
      Registry Values Infected: (No malicious items detected)
      Registry Data Items Infected: (No malicious items detected)
      Folders Infected: (No malicious items detected)
      Files Infected:
      C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> No action taken.
      C:\System Volume Information\_restore{955106F3-E2AF-4D07-9A85-13D1C4FD7D76}\RP113\A0042405.dll (Trojan.Sirefef) -> No action taken.
      I hope this is all as you needed. Many thanks again for your assistance. Steve Jones
  16. Many thanks for the response - this is one amazing site and you guys are so knowledgeable! Now a confession...while waiting for your reply I read loads of similar posts and your expert responses. I thought I could safely try Combofix and it might have saved some time if I could produce a reply log quickly, so I did that (after stopping all virus checkers/popup stoppers as instructed). Combofix found and fixed a couple of problems. I then reloaded Malwarebytes and it ran OK! A quick scan found and fixed a couple more nasties. Then a full scan found some more and removed them. Finally I ran another full scan, found no errors and my PC appears to be back to normal. I am not at that PC right now so can't give details of any logs. I must admit I'm wary of 'messing' any further if I am essentially virus free. What do you think? I am quite happy to be guided by you brilliant folk.
  17. Like many others here it seems I've followed the instructions and can't run any anti malware stuff. Message is "You may not have the appropriate permissions to access the item". I am at my wits end - pls help. Steve Jones
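The MBAM logs in post 15 record every detection as "-> No action taken", which is why post 13 finds nothing was removed, and the two leftover paths in post 10 sit in ComboFix's quarantine folder and a System Restore point rather than in a live location. The parser below is an added example and is not code from the forum or from Malwarebytes; the sample log is constructed to mirror the MBAM 1.41 layout posted above, and the location heuristics (Qoobox / `.vir` / `_restore`) are my own assumptions.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log, flag detections that were
logged but never removed, and say where on disk each leftover file lives."""
import re
from dataclasses import dataclass, field

# Constructed sample in the MBAM 1.41 layout (not a log from the forum post).
# The registry entry is invented to show a detection that *was* actioned.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2873
Windows 5.1.2600 Service Pack 2

29/09/2009 22:05:30
mbam-log-2009-09-29 (22-05-07).txt

Scan type: Full Scan (C:\|)
Objects scanned: 167887
Time elapsed: 24 minute(s), 12 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Constructed\Example (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> No action taken.
C:\System Volume Information\_restore{955106F3-E2AF-4D07-9A85-13D1C4FD7D76}\RP113\A0042405.dll (Trojan.Sirefef) -> No action taken.
"""

# "Files Infected: 2" is a summary count; "Files Infected:" opens the item list.
HEADER = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
# Detection line: <path> (<threat>) -> <action>.  Greedy path handles "(x86)" dirs.
ITEM = re.compile(r"^(?P<path>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    section: str   # e.g. "Files Infected"
    path: str
    threat: str    # e.g. "Trojan.Sirefef"
    action: str    # e.g. "No action taken"

    @property
    def resolved(self) -> bool:
        # MBAM 1.x writes "No action taken" when Remove Selected was never clicked.
        return not self.action.lower().startswith("no action")

    @property
    def location(self) -> str:
        # Heuristic (assumption): where a leftover file is likely to be sitting.
        p = self.path.lower()
        if "\\qoobox\\quarantine\\" in p or p.endswith(".vir"):
            return "combofix-quarantine"   # already neutralised by ComboFix
        if "\\system volume information\\_restore" in p:
            return "restore-point"         # cleared by purging System Restore
        return "live"                      # still in an active location


@dataclass
class Report:
    declared: dict = field(default_factory=dict)   # section -> summary count
    detections: list = field(default_factory=list)

    def unresolved(self) -> list:
        return [d for d in self.detections if not d.resolved]

    def count_mismatches(self) -> dict:
        """Sections whose summary count differs from the item lines found
        (a truncated paste or a log cut off mid-section shows up here)."""
        found: dict = {}
        for d in self.detections:
            found[d.section] = found.get(d.section, 0) + 1
        return {s: (n, found.get(s, 0)) for s, n in self.declared.items()
                if n != found.get(s, 0)}


def parse_mbam_log(text: str) -> Report:
    report = Report()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            if m.group("count") is not None:
                report.declared[m.group("name")] = int(m.group("count"))
                section = None
            else:
                section = m.group("name")
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ITEM.match(line)
        if m:
            report.detections.append(
                Detection(section, m.group("path"), m.group("threat"), m.group("action")))
    return report


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    for d in rep.unresolved():
        print(f"UNRESOLVED [{d.location}] {d.threat}: {d.path}")
    print("count mismatches:", rep.count_mismatches())
```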