
Can't run Hijackthis or Malwarebytes


Welcome to Malwarebytes!!!! ;)

Please download Win32kDiag.exe by AD to your Desktop.

Double-click on Win32kDiag.exe.

It will create Win32kDiag.txt on your Desktop.

In your next reply, please include the log. Thanks

What can you do if your downloads disappear? I tried to download this as I'm having the same problem. It will download then it goes bye-bye.


Many thanks for the response - this is one amazing site and you guys are so knowledgeable! Now a confession... while waiting for your reply I read loads of similar posts and your expert responses. I thought I could safely try Combofix and it might have saved some time if I could produce a reply log quickly, so I did that (after stopping all virus checkers/popup stoppers as instructed). Combofix found and fixed a couple of problems. I then reloaded Malwarebytes and it ran OK! A quick scan found and fixed a couple more nasties. Then a full scan found some more and removed them. Finally I ran another full scan, found no errors and my PC appears to be back to normal.

I am not at that PC right now so can't give details of any logs. I must admit I'm wary of 'messing' any further if I am essentially virus free. What do you think? I am quite happy to be guided by you brilliant folk.


Thanks for the warm welcome Sjpritch25, and having noticed that the laptop seems to be starting up more slowly than usual I would appreciate it if you could have a look at the logs. Also I tried to run HiJack This today and I still get the 'no permissions' message so evidently I'm not yet fixed. I've now remembered that Combofix ran but for some reason didn't find the internet connection and failed to load the Recovery Console. It did however report a problem. I then ran it again (which I think I've since read was wrong to do!) after double checking my internet connection. This time it did load Recovery Console and I think it found some problems - no doubt the logs will tell you what was found.

After first run:

ComboFix 09-09-28.01 - Steve Jones 29/09/2009 21:07.1.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3069.2640 [GMT 1:00]

Running from: c:\documents and settings\Steve Jones\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\system32\dllcache\eventlog.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_UACd.sys

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))

.

2009-09-29 19:17 . 2009-09-29 19:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-09-29 19:06 . 2009-09-29 19:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft

2009-09-29 19:06 . 2009-09-29 19:08 -------- d-----w- c:\documents and settings\Administrator

2009-09-28 18:53 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-28 18:53 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-28 18:53 . 2009-09-29 19:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-28 17:20 . 2009-09-28 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-28 13:53 . 2009-09-29 19:16 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2009-09-28 12:32 . 2009-09-28 17:10 -------- d-----w- C:\$AVG8.VAULT$

2009-09-28 12:31 . 2009-09-28 12:31 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-09-28 12:31 . 2009-09-28 12:31 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-09-28 12:31 . 2009-09-28 12:31 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-09-28 12:31 . 2009-09-28 12:31 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-09-28 12:30 . 2009-09-28 12:30 -------- d-----w- c:\windows\system32\drivers\Avg

2009-09-28 12:30 . 2009-09-28 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-28 12:23 . 2009-09-28 12:23 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\AVG8

2009-09-28 12:22 . 2009-09-28 12:22 848672 ----a-w- c:\program files\avg_free_stb_en_8_32_free.exe

2009-09-27 22:55 . 2009-09-29 19:24 0 ----a-r- c:\windows\win32k.sys

2009-09-27 12:55 . 2009-09-27 13:16 -------- d-----w- C:\THE_GRUDGE3

2009-09-16 21:42 . 2009-09-18 16:19 -------- d-----w- C:\ANDREA_ENCODED

2009-09-11 07:58 . 2004-08-03 22:10 15360 -c--a-w- c:\windows\system32\dllcache\mpe.sys

2009-09-11 07:58 . 2004-08-03 22:10 15360 ----a-w- c:\windows\system32\drivers\MPE.sys

2009-09-11 07:57 . 2004-08-03 23:56 363520 -c--a-w- c:\windows\system32\dllcache\psisdecd.dll

2009-09-11 07:57 . 2004-08-03 23:56 363520 ----a-w- c:\windows\system32\PsisDecd.dll

2009-09-11 07:57 . 2004-08-03 22:10 11776 -c--a-w- c:\windows\system32\dllcache\bdasup.sys

2009-09-11 07:57 . 2004-08-03 22:10 11776 ----a-w- c:\windows\system32\drivers\BdaSup.sys

2009-09-11 07:57 . 2007-08-19 03:36 26496 ----a-w- c:\windows\system32\drivers\AVerA310USB.sys

2009-09-11 07:57 . 2007-08-19 03:35 42496 ----a-w- c:\windows\system32\drivers\AVerA310Cap.sys

2009-09-11 07:57 . 2009-09-11 07:57 -------- d-----w- c:\program files\AVerMedia

2009-09-11 07:57 . 2007-08-23 16:09 -------- d-----w- c:\program files\TVTuner_AverMedia_A310_v1.1.0.22_vista_x86(WHQL)

2009-09-10 23:06 . 2009-09-10 23:06 36864 ----a-w- c:\windows\unslive.exe

2009-09-10 23:06 . 2009-09-10 23:06 -------- d-----w- C:\tape-indices

2009-09-10 23:05 . 2009-09-13 15:26 -------- d-----w- c:\program files\ScenalyzerLive.4.0_by_softland.biz_

2009-09-09 20:59 . 2009-09-09 20:59 -------- d-----w- C:\MILO_ENCODED

2009-09-02 11:16 . 2009-09-02 11:16 -------- d-----w- c:\windows\BUVC_AP

2009-08-31 14:25 . 2009-08-31 14:25 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk

2009-08-31 14:01 . 2009-08-31 14:37 -------- d-----w- c:\program files\DVDFab 6

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-29 19:08 . 2009-09-29 19:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intel

2009-09-29 19:08 . 2009-09-29 19:08 -------- d-----w- c:\program files\Trend Micro

2009-09-29 19:08 . 2009-09-29 19:08 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\Malwarebytes

2009-09-28 12:09 . 2009-05-03 18:54 43736 ----a-w- c:\documents and settings\Steve Jones\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-27 19:29 . 2009-05-09 08:56 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\LimeWire

2009-09-02 11:16 . 2009-05-03 15:42 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-30 10:25 . 2009-05-09 12:34 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink

2009-08-25 22:45 . 2009-08-25 22:45 -------- d-----w- c:\program files\Network Stumbler

2009-08-19 14:41 . 2009-08-19 14:41 -------- d-----w- c:\program files\LG Electronics

2009-08-19 14:41 . 2009-08-19 14:41 -------- d-----w- c:\program files\LGUSBModemDriver_WHQL_ML_Ver_4.9.5_All

2009-08-19 13:56 . 2009-08-19 13:56 -------- d-----w- c:\program files\CCleaner

2009-08-19 12:33 . 2009-08-19 12:33 -------- d-----w- c:\program files\Autoruns

2009-08-16 14:37 . 2009-06-22 07:30 762640 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-08-16 12:28 . 2009-08-16 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\EPSON

2009-08-16 12:27 . 2009-08-16 12:27 -------- d-----w- c:\program files\EPSON

2009-08-13 21:05 . 2009-08-13 21:05 -------- d-----w- c:\program files\Bethesda Softworks

2009-08-13 20:25 . 2009-08-13 20:25 -------- d-----w- c:\program files\DVD Decrypter

2009-08-13 20:14 . 2009-08-13 20:13 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\RipIt4Me

2009-08-13 20:11 . 2009-08-13 20:11 202071 ----a-w- c:\program files\RipIt4Me.zip

2009-08-11 12:18 . 2009-08-11 10:10 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\DAEMON Tools Lite

2009-08-04 12:27 . 2009-08-04 12:27 -------- d--h--r- c:\documents and settings\Steve Jones\Application Data\SecuROM

2009-08-04 12:27 . 2009-08-04 12:27 107888 ----a-w- c:\windows\system32\CmdLineExt.dll

2009-08-04 11:13 . 2009-08-04 11:13 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\Apple Computer

2009-08-04 10:08 . 2009-08-04 10:08 -------- d-----w- c:\program files\vso

2009-08-04 10:07 . 2009-08-04 10:06 2496707 ----a-w- c:\program files\vsoDivxToDVD_setup_v0.5.2b.exe

2009-08-01 10:48 . 2009-08-01 10:48 0 ----a-w- c:\windows\nsreg.dat

2009-07-15 06:24 . 2009-08-19 14:41 24832 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys

2009-07-15 06:23 . 2009-08-19 14:41 13056 ----a-w- c:\windows\system32\drivers\lgusbbus.sys

2009-06-21 17:42 . 2009-06-21 17:42 608578 ----a-w- c:\program files\700_DDI_CB.exe

2009-05-15 08:46 . 2009-05-15 08:46 4669067 ----a-w- c:\program files\ICS_Dx32.exe

2009-05-13 09:54 . 2009-05-13 09:54 7303913 ----a-w- c:\program files\12.2.0.0_X_Drivers.zip

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-08 13594624]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-08 86016]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-28 2007832]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-12-08 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-09-28 12:31 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [28/09/2009 13:31 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [28/09/2009 13:31 108552]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [28/09/2009 13:30 297752]

R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [03/05/2009 20:40 10240]

R3 A310;AVerMedia A310 DVB-T;c:\windows\system32\drivers\AVerA310USB.sys [11/09/2009 08:57 26496]

R3 BDASwCap;AVerMedia A310 BDA DVBT Capture Device;c:\windows\system32\drivers\AVerA310Cap.sys [11/09/2009 08:57 42496]

S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [03/05/2009 16:59 54784]

S3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [03/05/2009 13:55 36864]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [24/09/2008 16:09 41376]

S4 gupdate1c9fdad1e7e45f2;Google Update Service (gupdate1c9fdad1e7e45f2);c:\program files\Google\Update\GoogleUpdate.exe [05/07/2009 21:13 133104]

.

Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-05 20:13]

2009-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-05 20:13]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

FF - ProfilePath - c:\documents and settings\Steve Jones\Application Data\Mozilla\Firefox\Profiles\crhzgivt.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

.

- - - - ORPHANS REMOVED - - - -

AddRemove-AVerMedia A310 (MiniCard - c:\program files\AVerMedia\AVerMedia A310 (MiniCard

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-29 21:11

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)

c:\windows\system32\netprovcredman.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\program files\Intel\WiFi\bin\S24EvMon.exe

c:\windows\system32\agrsmsvc.exe

c:\program files\Intel\WiFi\bin\EvtEng.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe

c:\windows\system32\wscntfy.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\wbem\unsecapp.exe

.

**************************************************************************

.

Completion time: 2009-09-29 21:13 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-29 20:13

Pre-Run: 190,704,914,432 bytes free

Post-Run: 191,328,882,688 bytes free

After second run:

ComboFix 09-09-28.01 - Steve Jones 29/09/2009 21:28.2.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3069.2491 [GMT 1:00]

Running from: c:\documents and settings\Steve Jones\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))

.

2009-09-29 19:17 . 2009-09-29 19:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-09-29 19:06 . 2009-09-29 19:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft

2009-09-29 19:06 . 2009-09-29 19:08 -------- d-----w- c:\documents and settings\Administrator

2009-09-28 18:53 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-28 18:53 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-28 18:53 . 2009-09-29 19:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-28 17:20 . 2009-09-28 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-28 13:53 . 2009-09-29 19:16 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2009-09-28 12:32 . 2009-09-28 17:10 -------- d-----w- C:\$AVG8.VAULT$

2009-09-28 12:31 . 2009-09-28 12:31 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-09-28 12:31 . 2009-09-28 12:31 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-09-28 12:31 . 2009-09-28 12:31 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-09-28 12:31 . 2009-09-28 12:31 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-09-28 12:30 . 2009-09-28 12:30 -------- d-----w- c:\windows\system32\drivers\Avg

2009-09-28 12:30 . 2009-09-28 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-28 12:23 . 2009-09-28 12:23 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\AVG8

2009-09-28 12:22 . 2009-09-28 12:22 848672 ----a-w- c:\program files\avg_free_stb_en_8_32_free.exe

2009-09-27 22:55 . 2009-09-29 19:24 0 ----a-r- c:\windows\win32k.sys

2009-09-27 12:55 . 2009-09-27 13:16 -------- d-----w- C:\THE_GRUDGE3

2009-09-16 21:42 . 2009-09-18 16:19 -------- d-----w- C:\ANDREA_ENCODED

2009-09-11 07:58 . 2004-08-03 22:10 15360 -c--a-w- c:\windows\system32\dllcache\mpe.sys

2009-09-11 07:58 . 2004-08-03 22:10 15360 ----a-w- c:\windows\system32\drivers\MPE.sys

2009-09-11 07:57 . 2004-08-03 23:56 363520 -c--a-w- c:\windows\system32\dllcache\psisdecd.dll

2009-09-11 07:57 . 2004-08-03 23:56 363520 ----a-w- c:\windows\system32\PsisDecd.dll

2009-09-11 07:57 . 2004-08-03 22:10 11776 -c--a-w- c:\windows\system32\dllcache\bdasup.sys

2009-09-11 07:57 . 2004-08-03 22:10 11776 ----a-w- c:\windows\system32\drivers\BdaSup.sys

2009-09-11 07:57 . 2007-08-19 03:36 26496 ----a-w- c:\windows\system32\drivers\AVerA310USB.sys

2009-09-11 07:57 . 2007-08-19 03:35 42496 ----a-w- c:\windows\system32\drivers\AVerA310Cap.sys

2009-09-11 07:57 . 2009-09-11 07:57 -------- d-----w- c:\program files\AVerMedia

2009-09-11 07:57 . 2007-08-23 16:09 -------- d-----w- c:\program files\TVTuner_AverMedia_A310_v1.1.0.22_vista_x86(WHQL)

2009-09-10 23:06 . 2009-09-10 23:06 36864 ----a-w- c:\windows\unslive.exe

2009-09-10 23:06 . 2009-09-10 23:06 -------- d-----w- C:\tape-indices

2009-09-10 23:05 . 2009-09-13 15:26 -------- d-----w- c:\program files\ScenalyzerLive.4.0_by_softland.biz_

2009-09-09 20:59 . 2009-09-09 20:59 -------- d-----w- C:\MILO_ENCODED

2009-09-02 11:16 . 2009-09-02 11:16 -------- d-----w- c:\windows\BUVC_AP

2009-08-31 14:25 . 2009-08-31 14:25 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk

2009-08-31 14:01 . 2009-08-31 14:37 -------- d-----w- c:\program files\DVDFab 6

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-29 19:08 . 2009-09-29 19:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intel

2009-09-29 19:08 . 2009-09-29 19:08 -------- d-----w- c:\program files\Trend Micro

2009-09-29 19:08 . 2009-09-29 19:08 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\Malwarebytes

2009-09-28 12:09 . 2009-05-03 18:54 43736 ----a-w- c:\documents and settings\Steve Jones\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-27 19:29 . 2009-05-09 08:56 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\LimeWire

2009-09-02 11:16 . 2009-05-03 15:42 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-30 10:25 . 2009-05-09 12:34 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink

2009-08-25 22:45 . 2009-08-25 22:45 -------- d-----w- c:\program files\Network Stumbler

2009-08-19 14:41 . 2009-08-19 14:41 -------- d-----w- c:\program files\LG Electronics

2009-08-19 14:41 . 2009-08-19 14:41 -------- d-----w- c:\program files\LGUSBModemDriver_WHQL_ML_Ver_4.9.5_All

2009-08-19 13:56 . 2009-08-19 13:56 -------- d-----w- c:\program files\CCleaner

2009-08-19 12:33 . 2009-08-19 12:33 -------- d-----w- c:\program files\Autoruns

2009-08-16 14:37 . 2009-06-22 07:30 762640 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-08-16 12:28 . 2009-08-16 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\EPSON

2009-08-16 12:27 . 2009-08-16 12:27 -------- d-----w- c:\program files\EPSON

2009-08-13 21:05 . 2009-08-13 21:05 -------- d-----w- c:\program files\Bethesda Softworks

2009-08-13 20:25 . 2009-08-13 20:25 -------- d-----w- c:\program files\DVD Decrypter

2009-08-13 20:14 . 2009-08-13 20:13 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\RipIt4Me

2009-08-13 20:11 . 2009-08-13 20:11 202071 ----a-w- c:\program files\RipIt4Me.zip

2009-08-11 12:18 . 2009-08-11 10:10 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\DAEMON Tools Lite

2009-08-04 12:27 . 2009-08-04 12:27 -------- d--h--r- c:\documents and settings\Steve Jones\Application Data\SecuROM

2009-08-04 12:27 . 2009-08-04 12:27 107888 ----a-w- c:\windows\system32\CmdLineExt.dll

2009-08-04 11:13 . 2009-08-04 11:13 -------- d-----w- c:\documents and settings\Steve Jones\Application Data\Apple Computer

2009-08-04 10:08 . 2009-08-04 10:08 -------- d-----w- c:\program files\vso

2009-08-04 10:07 . 2009-08-04 10:06 2496707 ----a-w- c:\program files\vsoDivxToDVD_setup_v0.5.2b.exe

2009-08-01 10:48 . 2009-08-01 10:48 0 ----a-w- c:\windows\nsreg.dat

2009-07-15 06:24 . 2009-08-19 14:41 24832 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys

2009-07-15 06:23 . 2009-08-19 14:41 13056 ----a-w- c:\windows\system32\drivers\lgusbbus.sys

2009-06-21 17:42 . 2009-06-21 17:42 608578 ----a-w- c:\program files\700_DDI_CB.exe

2009-05-15 08:46 . 2009-05-15 08:46 4669067 ----a-w- c:\program files\ICS_Dx32.exe

2009-05-13 09:54 . 2009-05-13 09:54 7303913 ----a-w- c:\program files\12.2.0.0_X_Drivers.zip

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-08 13594624]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-08 86016]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-28 2007832]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-12-08 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-09-28 12:31 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [28/09/2009 13:31 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [28/09/2009 13:31 108552]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [28/09/2009 13:30 297752]

R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [03/05/2009 20:40 10240]

R3 A310;AVerMedia A310 DVB-T;c:\windows\system32\drivers\AVerA310USB.sys [11/09/2009 08:57 26496]

R3 BDASwCap;AVerMedia A310 BDA DVBT Capture Device;c:\windows\system32\drivers\AVerA310Cap.sys [11/09/2009 08:57 42496]

S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [03/05/2009 16:59 54784]

S3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [03/05/2009 13:55 36864]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [24/09/2008 16:09 41376]

S4 gupdate1c9fdad1e7e45f2;Google Update Service (gupdate1c9fdad1e7e45f2);c:\program files\Google\Update\GoogleUpdate.exe [05/07/2009 21:13 133104]

--- Other Services/Drivers In Memory ---

*Deregistered* - PROCEXP113

.

Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-05 20:13]

2009-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-05 20:13]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

FF - ProfilePath - c:\documents and settings\Steve Jones\Application Data\Mozilla\Firefox\Profiles\crhzgivt.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

.

- - - - ORPHANS REMOVED - - - -

AddRemove-AVerMedia A310 (MiniCard - c:\program files\AVerMedia\AVerMedia A310 (MiniCard

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-29 21:30

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)

c:\windows\system32\netprovcredman.dll

.

Completion time: 2009-09-29 21:31

ComboFix-quarantined-files.txt 2009-09-29 20:31

ComboFix2.txt 2009-09-29 20:13

Pre-Run: 191,328,825,344 bytes free

Post-Run: 191,310,147,584 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

MBAM Quick scan log:

Malwarebytes' Anti-Malware 1.41

Database version: 2873

Windows 5.1.2600 Service Pack 2

29/09/2009 21:35:40

mbam-log-2009-09-29 (21-35-36).txt

Scan type: Quick Scan

Objects scanned: 96683

Time elapsed: 1 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\win32k.sys (Trojan.Dropper) -> No action taken.

C:\Documents and Settings\Steve Jones\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

MBAM Full Scan log:

Malwarebytes' Anti-Malware 1.41

Database version: 2873

Windows 5.1.2600 Service Pack 2

29/09/2009 22:05:30

full scan mbam-log-2009-09-29 (22-05-07).txt

Scan type: Full Scan (C:\|)

Objects scanned: 167887

Time elapsed: 24 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> No action taken.

C:\System Volume Information\_restore{955106F3-E2AF-4D07-9A85-13D1C4FD7D76}\RP113\A0042405.dll (Trojan.Sirefef) -> No action taken.

I hope this is all as you needed. Many thanks again for your assistance.

Steve Jones


Please make sure you remove all of those items MBAM detected.

Also, combofix removed a rootkit that was still present on your system.

Please download Win32kDiag.exe by AD to your Desktop.

  • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.
  • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
  • Please open it with notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.


To be honest I can't remember being given that Remove Selected option, but given I can't find the files it would seem I must have been? Doh!

I am at work now and have left the Kaspersky check running at home. Will post later this eve UK time. I'm a little worried because I ran the Win32kDiag.exe and the log file seemed like only a few lines long. Others I've seen posted here have loads of entries? Anyhow, will post it up later.

Steve


Update on the 2 items I need to remove:

1) C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef)

This file isn't found by a search. Could it have already been deleted or is it somehow invisible to me?

2) C:\System Volume Information\_restore{955106F3-E2AF-4D07-9A85-13D1C4FD7D76}\RP113\A0042405.dll (Trojan.Sirefef)

This file isn't found by a search, and I can't access the System Volume Information folder ("Access is denied").

The log from Win32Diag follows:

Running from: C:\Documents and Settings\Steve Jones\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Steve Jones\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

Kaspersky reported nothing! Is that good?

Steve


If I am now clear (although my desktop icons do take longer to 'fill in' on starting up XP than they used to?) could you please advise how to best remove the various bits that are now on my desktop:

Win32Diag

HiJack This

ComboFix

Is it safest to delete MBAM and reload an updated version every time I do a scan of my system?

Many thanks

Steve Jones


Will try to do that when I get home from work tonight, thanks. As a matter of interest, when I switched the laptop on yesterday it said I needed to accept Microsoft updates, then it started to load SP3. I panicked cos I thought I was already running SP3, so stopped the download. Can you tell from my logs posted earlier which I already have please?

Steve


Yes, I was waiting for a post.

Now that your system is clean you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll-back" in case there is a future problem.

To SET A NEW RESTORE POINT:

1. Go to Start > Programs > Accessories > System Tools and click "System Restore".

2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

3. Then go to Start > Run and type: Cleanmgr

4. Click "OK".

5. Click the "More Options" Tab.

6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.

How to Create a Restore Point.

How to use Cleanmgr.
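For anyone who prefers to do the "new restore point, then purge the old ones" steps from a script rather than the GUI, here is an added PowerShell equivalent (not part of the helper's instructions above). It assumes PowerShell 2.0 is installed on the XP machine, that it runs from an elevated prompt, and that the system drive is C:.

```powershell
# Added example, not from the forum thread. Equivalent of: create a fresh
# restore point, then discard every older one so a malware-laden restore
# point can never be rolled back into. Assumes PowerShell 2.0 on XP SP3,
# an elevated session, and C: as the system drive.
$drive = "C:\"

# 1. Record what exists before the purge so the change is auditable.
$before = @(Get-ComputerRestorePoint)
Write-Host ("Restore points before purge: {0}" -f $before.Count)
$before | Format-Table SequenceNumber, RestorePointType, Description -AutoSize

# 2. Turning System Restore off for the drive discards every stored restore
#    point (the same purge Cleanmgr's "More Options" button performs);
#    turning it back on starts with an empty store.
Disable-ComputerRestore -Drive $drive
Enable-ComputerRestore  -Drive $drive

# 3. Create the clean post-cleanup baseline with a date in its name so it
#    is easy to find later if a roll-back is ever needed.
$stamp = Get-Date -Format "yyyy-MM-dd HH:mm"
Checkpoint-Computer -Description "Clean baseline $stamp" `
                    -RestorePointType "MODIFY_SETTINGS"

# 4. Verify: exactly one restore point should remain, the one just made.
$after = @(Get-ComputerRestorePoint)
if ($after.Count -ne 1) {
    Write-Warning ("Expected 1 restore point, found {0}; " +
                   "purge or checkpoint may not have completed." -f $after.Count)
}
$after | Format-Table SequenceNumber, RestorePointType, Description -AutoSize

# 5. Keep a copy of the result on the desktop, as the helper advises.
$log = Join-Path $env:USERPROFILE "Desktop\RestorePointLog.txt"
$after | Format-List SequenceNumber, RestorePointType, Description, CreationTime |
    Out-File -FilePath $log
Write-Host "Restore point details saved to $log"
```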

======================================

Here is some useful information on keeping your computer clean:

  1. Most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.
  2. Here are two great Preventive programs:
    • SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure to check for updates twice a month.
  3. Anti-Spyware Programs I Recommend:
    • Free Anti-Spyware Programs
    • MalwareBytes Anti-Malware
  4. For Even More Information On Securing Your Computer read Tony Klein's So How Did I Get Infected In The First Place
