Infected computer unable to do any scans

[truCido]

Hi, I've been having a problem for a while now where Avast tell's me user32.dll is infected with Bamital-AG and it is unable to repair it and obviously I don't want to just delete user32.dll.

I've tried running Malwarebytes Anti-malware and this doesn't find it. I have ran TDSSKiller however it also didn't find anything....so I thought I'd run ComboFix and get a nice log of whats happening however it scans the 50 stages and then I see a prompt for "Deleting Files: " and then my computer restarts and no ComboFix.txt is produced

Also a strange one...if I go into C:\ there is an item called ComboFix however it has a my computer logo and when I click it I am redirected as if I clicked My Computer.

I have also tried running "GMER Rootkit Scanner" however as soon as this launches my computer restarts....

Can someone help me please?

[truCido]

seems I can run things in safe mode but would like a little guidance if possible as I'll probably destroy my computer lol

[Maniac]

Hello truCido! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

• The process of cleaning your system may take some time, so please be patient.
  
• Follow my instructions step by step if there is a problem somewhere, stop and tell me.
  
• Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  
• Instructions that I give are for your system only!
  
• If you don't know or can't understand something please ask.
  
• Do not install or uninstall any software or hardware, while work on.
  
• Keep me informed about any changes.
  

Download DDS and save it to your desktop from here or here or here.

Double click dds.scr to run the tool.

• When done, DDS will open two (2) logs:
  1. DDS.txt
     
  2. Attach.txt
     

  [*]Save both reports to your desktop. Post them back to your topic.

[truCido]

DDS.txt

DDS (Ver_10-12-12.01) - NTFSx86

Run by Administrator at 21:19:55.70 on 15/01/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1526 [GMT 0:00]

AV: Bitdefender Antivirus *Disabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: Bitdefender Firewall *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\WINDOWS\system32\dgdersvc.exe

C:\WINDOWS\system32\FsUsbExService.Exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\TVersity\Media Server\MediaServer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Administrator\My Documents\Downloads\dds.pif

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

dRunOnce: [RunNarrator] Narrator.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab

DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab

DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab

DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

Handler: AutorunsDisabled\skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\hpqen42f.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk

FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\hpqen42f.default\extensions\turntoolviewer@turntool.com\plugins\nptnt.dll

FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\shiretoko\plugins\npDivxPlayerPlugin.dll

FF - plugin: c:\program files\shiretoko\plugins\npnul32.dll

FF - plugin: c:\program files\shiretoko\plugins\NPOFF12.DLL

FF - plugin: c:\program files\shiretoko\plugins\nppdf32.dll

FF - plugin: c:\program files\shiretoko\plugins\npqtplugin.dll

FF - plugin: c:\program files\shiretoko\plugins\npqtplugin2.dll

FF - plugin: c:\program files\shiretoko\plugins\npqtplugin3.dll

FF - plugin: c:\program files\shiretoko\plugins\npqtplugin4.dll

FF - plugin: c:\program files\shiretoko\plugins\npqtplugin5.dll

FF - plugin: c:\program files\shiretoko\plugins\npqtplugin6.dll

FF - plugin: c:\program files\shiretoko\plugins\npqtplugin7.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

FF - Extension: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\hpqen42f.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

FF - Extension: eBay Sidebar for Firefox: {62760FD6-B943-48C9-AB09-F99C6FE96088} - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\hpqen42f.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}

FF - Extension: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\hpqen42f.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}

FF - Extension: TurnTool Viewer: turntoolviewer@turntool.com - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\hpqen42f.default\extensions\turntoolviewer@turntool.com

FF - Extension: Photobucket Uploader em:version=1.3>: pbupload@photobucket.com - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\hpqen42f.default\extensions\pbupload@photobucket.com

FF - Extension: FacePAD: Facebook Photo Album Downloader: facepad@lazyrussian.com - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\hpqen42f.default\extensions\facepad@lazyrussian.com

FF - Extension: ScrapBook: {53A03D43-5363-4669-8190-99061B2DEBA5} - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\hpqen42f.default\extensions\{53A03D43-5363-4669-8190-99061B2DEBA5}

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [2009-6-3 131584]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-3-30 294608]

R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2009-1-14 142992]

R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2009-1-14 41936]

R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/02/27 21:11:32];c:\program files\cyberlink\powerdvd9\navfilter\000.fcl [2010-1-28 87536]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-3-30 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-2 40384]

R2 dgdersvc;Device Error Recovery Service;c:\windows\system32\dgdersvc.exe [2010-6-9 95568]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-3-22 54752]

R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-10-18 233472]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]

R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2010-6-9 18120]

R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-10-18 36640]

R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-8-28 100496]

R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2010-6-25 111312]

S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [2010-11-29 30312]

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-5-29 13192]

S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-5-29 8456]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]

S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-2-10 13224]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-12-23 30192]

S3 MarkFun_NT;MarkFun_NT;c:\program files\gigabyte\@bios\markfun.w32 [2008-2-9 17912]

S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2010-11-29 96488]

S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2010-11-29 12776]

S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2010-11-29 121576]

S3 TNET1130;D-Link AirPlus XtremeG+ Wireless Adapter;c:\windows\system32\drivers\GPlus.sys [2007-1-1 202496]

S3 WT6563F;PS3 ISP Update;c:\windows\system32\drivers\WT6563F.sys [2009-11-16 13120]

S4 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]

=============== Created Last 30 ================

2011-01-15 17:06:41 -------- d-s---w- C:\sdfasdt

2011-01-15 13:02:18 98816 ----a-w- c:\windows\sed.exe

2011-01-15 13:02:18 89088 ----a-w- c:\windows\MBR.exe

2011-01-15 13:02:18 256512 ----a-w- c:\windows\PEV.exe

2011-01-15 13:02:18 161792 ----a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll

2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec

2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

2010-10-25 09:07:48 95568 ----a-w- c:\windows\system32\dgdersvc.exe

2010-10-25 09:07:48 763216 ----a-w- c:\windows\system32\dgderapi.dll

2010-10-25 09:03:52 36640 ----a-w- c:\windows\system32\FsUsbExDisk.Sys

============= FINISH: 21:23:44.03 ===============

[truCido]

Attach...

DDS (Ver_10-12-12.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 28/10/2006 14:33:18

System Uptime: 15/01/2011 21:11:25 (0 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | 965P-DS4

Processor: Intel® Core2 CPU 6600 @ 2.40GHz | Socket 775 | 2400/266mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 222 GiB total, 13.003 GiB free.

D: is CDROM ()

Z: is FIXED (NTFS) - 11 GiB total, 1.081 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller

Device ID: PCI\VEN_11AB&DEV_4362&SUBSYS_E0001458&REV_22\4&19FEE395&0&00E4

Manufacturer: Marvell

Name: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller

PNP Device ID: PCI\VEN_11AB&DEV_4362&SUBSYS_E0001458&REV_22\4&19FEE395&0&00E4

Service: yukonwxp

==== System Restore Points ===================

RP886: 14/10/2010 19:48:32 - Software Distribution Service 3.0

RP887: 18/10/2010 20:42:29 - System Checkpoint

RP888: 18/10/2010 21:41:10 - Installed Kies

RP889: 20/10/2010 20:07:32 - System Checkpoint

RP890: 23/10/2010 15:19:10 - System Checkpoint

RP891: 24/10/2010 22:01:16 - System Checkpoint

RP892: 26/10/2010 21:30:34 - Installed Windows XP KB961118.

RP893: 28/10/2010 22:43:58 - System Checkpoint

RP894: 30/10/2010 17:26:03 - System Checkpoint

RP895: 31/10/2010 19:00:50 - System Checkpoint

RP896: 08/11/2010 00:19:12 - System Checkpoint

RP897: 10/11/2010 00:47:14 - Removed D-Link AirPlus XtremeG+ Wireless LAN Adapter

RP898: 10/11/2010 00:48:12 - Removed PCMSCAN

RP899: 10/11/2010 01:06:37 - Removed Vimeo Uploader

RP900: 10/11/2010 09:01:04 - Software Distribution Service 3.0

RP901: 13/11/2010 04:13:43 - System Checkpoint

RP902: 15/11/2010 01:03:22 - System Checkpoint

RP903: 18/11/2010 01:39:31 - System Checkpoint

RP904: 19/11/2010 02:37:26 - System Checkpoint

RP905: 20/11/2010 03:31:47 - System Checkpoint

RP906: 21/11/2010 17:10:37 - System Checkpoint

RP907: 29/11/2010 18:26:37 - System Checkpoint

RP908: 01/12/2010 20:23:08 - System Checkpoint

RP909: 02/12/2010 22:04:18 - System Checkpoint

RP910: 04/12/2010 00:15:18 - System Checkpoint

RP911: 07/12/2010 01:24:22 - System Checkpoint

RP912: 08/12/2010 01:29:21 - System Checkpoint

RP913: 10/12/2010 21:56:17 - System Checkpoint

RP914: 10/12/2010 23:19:34 - Installed DirectX

RP915: 12/12/2010 13:45:25 - System Checkpoint

RP916: 15/12/2010 22:58:11 - System Checkpoint

RP917: 15/12/2010 23:20:23 - Software Distribution Service 3.0

RP918: 16/12/2010 00:31:42 - Software Distribution Service 3.0

RP919: 18/12/2010 14:11:05 - System Checkpoint

RP920: 24/12/2010 19:31:32 - System Checkpoint

RP921: 26/12/2010 16:37:56 - System Checkpoint

RP922: 28/12/2010 21:56:08 - System Checkpoint

RP923: 30/12/2010 18:26:47 - System Checkpoint

RP924: 31/12/2010 19:42:17 - System Checkpoint

RP925: 01/01/2011 19:55:03 - System Checkpoint

RP926: 02/01/2011 20:26:24 - System Checkpoint

RP927: 04/01/2011 15:11:36 - System Checkpoint

RP928: 05/01/2011 23:17:03 - System Checkpoint

RP929: 08/01/2011 05:49:28 - System Checkpoint

RP930: 09/01/2011 23:58:39 - System Checkpoint

RP931: 11/01/2011 22:16:59 - Software Distribution Service 3.0

RP932: 15/01/2011 13:02:34 - ComboFix created restore point

==== Installed Programs ======================

@BIOS

Acrobat.com

ActivePerl 5.10.0 Build 1004

Adobe Acrobat 4.0

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Photoshop CS

Adobe Reader 9.4.1

Adobe Shockwave Player 11.5

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ArcSoft TotalMedia Theatre 3

[Maniac]

Step 1

You still have leftovers from BitDefender Antivirus. Let's clean them! Follow the instruction from their official web page:

http://kb.bitdefender.com/site/article/333/

Step 2

Going over your logs I noticed that you have

[truCido]

I have removed the final bits of Bitdefender (thanks that was really annoying me)

However since this afternoon I have been receiving constant pop ups for "There is no disk in the drive. Please insert a disk into drive A:" processing for anything seems to stop whilst this pops up and I have to constantly click it to get anything to do anything....

Now when I try to run Malwarebytes I get a "VBACCELERATOR SGRID II CONTROL" pop up box saying "Run-time error '0'"

followed by "MALWAREBYTES' ANTI-MALWARE" "Run-time error '440': Automation error"

It was working fine a couple of hours ago and wasn't finding any problems

[truCido]

found a fix for Malwarebytes, updated a few registry entries and it seems to be working now, will post a log when its finished

[truCido]

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5527

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

15/01/2011 23:51:17

mbam-log-2011-01-15 (23-51-17).txt

Scan type: Quick scan

Objects scanned: 167019

Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[Maniac]

Good work!

Please post a new fresh DDS log.

[truCido]

DDS (Ver_10-12-12.01) - NTFSx86

Run by Administrator at 23:52:17.92 on 15/01/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1274 [GMT 0:00]

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\WINDOWS\system32\dgdersvc.exe

C:\WINDOWS\system32\FsUsbExService.Exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\TVersity\Media Server\MediaServer.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Administrator\My Documents\Downloads\dds.pif

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

dRunOnce: [RunNarrator] Narrator.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab

DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab

DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab

DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

Handler: AutorunsDisabled\skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\hpqen42f.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk

FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\hpqen42f.default\extensions\turntoolviewer@turntool.com\plugins\nptnt.dll

FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\shiretoko\plugins\npDivxPlayerPlugin.dll

FF - plugin: c:\program files\shiretoko\plugins\npnul32.dll

FF - plugin: c:\program files\shiretoko\plugins\NPOFF12.DLL

FF - plugin: c:\program files\shiretoko\plugins\nppdf32.dll

FF - plugin: c:\program files\shiretoko\plugins\npqtplugin.dll

FF - plugin: c:\program files\shiretoko\plugins\npqtplugin2.dll

FF - plugin: c:\program files\shiretoko\plugins\npqtplugin3.dll

FF - plugin: c:\program files\shiretoko\plugins\npqtplugin4.dll

FF - plugin: c:\program files\shiretoko\plugins\npqtplugin5.dll

FF - plugin: c:\program files\shiretoko\plugins\npqtplugin6.dll

FF - plugin: c:\program files\shiretoko\plugins\npqtplugin7.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

FF - Extension: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\hpqen42f.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

FF - Extension: eBay Sidebar for Firefox: {62760FD6-B943-48C9-AB09-F99C6FE96088} - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\hpqen42f.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}

FF - Extension: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\hpqen42f.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}

FF - Extension: TurnTool Viewer: turntoolviewer@turntool.com - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\hpqen42f.default\extensions\turntoolviewer@turntool.com

FF - Extension: Photobucket Uploader em:version=1.3>: pbupload@photobucket.com - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\hpqen42f.default\extensions\pbupload@photobucket.com

FF - Extension: FacePAD: Facebook Photo Album Downloader: facepad@lazyrussian.com - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\hpqen42f.default\extensions\facepad@lazyrussian.com

FF - Extension: ScrapBook: {53A03D43-5363-4669-8190-99061B2DEBA5} - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\hpqen42f.default\extensions\{53A03D43-5363-4669-8190-99061B2DEBA5}

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [2009-6-3 131584]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-3-30 294608]

R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2009-1-14 142992]

R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2009-1-14 41936]

R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/02/27 21:11:32];c:\program files\cyberlink\powerdvd9\navfilter\000.fcl [2010-1-28 87536]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-3-30 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-2 40384]

R2 dgdersvc;Device Error Recovery Service;c:\windows\system32\dgdersvc.exe [2010-6-9 95568]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-3-22 54752]

R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-10-18 233472]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]

R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2010-6-9 18120]

R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-10-18 36640]

R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-8-28 100496]

R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2010-6-25 111312]

S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [2010-11-29 30312]

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-5-29 13192]

S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-5-29 8456]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]

S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-2-10 13224]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-12-23 30192]

S3 MarkFun_NT;MarkFun_NT;c:\program files\gigabyte\@bios\markfun.w32 [2008-2-9 17912]

S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2010-11-29 96488]

S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2010-11-29 12776]

S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2010-11-29 121576]

S3 TNET1130;D-Link AirPlus XtremeG+ Wireless Adapter;c:\windows\system32\drivers\GPlus.sys [2007-1-1 202496]

S3 WT6563F;PS3 ISP Update;c:\windows\system32\drivers\WT6563F.sys [2009-11-16 13120]

S4 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]

=============== Created Last 30 ================

2011-01-15 17:06:41 -------- d-s---w- C:\sdfasdt

2011-01-15 13:02:18 98816 ----a-w- c:\windows\sed.exe

2011-01-15 13:02:18 89088 ----a-w- c:\windows\MBR.exe

2011-01-15 13:02:18 256512 ----a-w- c:\windows\PEV.exe

2011-01-15 13:02:18 161792 ----a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll

2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec

2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

2010-10-25 09:07:48 95568 ----a-w- c:\windows\system32\dgdersvc.exe

2010-10-25 09:07:48 763216 ----a-w- c:\windows\system32\dgderapi.dll

2010-10-25 09:03:52 36640 ----a-w- c:\windows\system32\FsUsbExDisk.Sys

============= FINISH: 23:55:58.82 ===============

[Maniac]

Please manually delete your copy of ComboFix. Now:

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

1. If you are using Firefox, make sure that your download settings are as follows:
   
   • Open Tools -> Options -> Main tab
     
   • Set to Always ask me where to Save the files.
     

[*]During the download, rename Combofix to Combo-Fix as follows:

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

AFsAKgBd-Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  

  -----------------------------------------------------------

  
  

• Close any open browsers.
  
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

[truCido]

It got to Stage 50...said Deleting Files and then the computer rebooted, no combofix.txt was produced. Shall I run it in safemode?

[Maniac]

Please try again in Safe Mode with Networking.

http://www.microsoft.com/resources/documen...e.mspx?mfr=true

[truCido]

Sorry it wont let me post its too long so I've attached it

[truCido]

Try that again

ComboFix.txt

[Maniac]

Open Notepad and copy and paste the text in the code box below into it:

FCopy::
c:\windows\ERDNT\cache\tcpip.sys | c:\windows\system32\drivers\TCPIP.SYS
c:\windows\ServicePackFiles\i386\user32.dll | c:\windows\system32\user32.dll

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

[truCido]

ComboFix 11-01-14.01 - Administrator 16/01/2011 0:52.11.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1673 [GMT 0:00]

Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Thumbs.db

.

--------------- FCopy ---------------

c:\windows\ERDNT\cache\tcpip.sys --> c:\windows\system32\drivers\TCPIP.SYS

c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\system32\user32.dll

.

((((((((((((((((((((((((( Files Created from 2010-12-16 to 2011-01-16 )))))))))))))))))))))))))))))))

.

2011-01-15 17:06 . 2011-01-15 17:55 -------- d-----w- C:\sdfasdt

2011-01-04 19:34 . 2011-01-04 19:34 -------- d-----w- c:\program files\Common Files\Skype

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-01-13 08:47 . 2010-07-02 17:58 38848 ----a-w- c:\windows\avastSS.scr

2011-01-13 08:47 . 2007-10-21 19:24 188216 ----a-w- c:\windows\system32\aswBoot.exe

2011-01-13 08:41 . 2008-03-30 11:22 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-01-13 08:40 . 2007-10-21 19:24 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-01-13 08:40 . 2007-10-21 19:24 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-01-13 08:39 . 2007-10-21 19:24 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-01-13 08:37 . 2007-10-21 19:24 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-01-13 08:37 . 2007-10-21 19:24 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-01-13 08:37 . 2008-03-30 11:22 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-12-20 18:09 . 2009-12-10 00:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-20 18:08 . 2009-12-10 00:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-18 18:12 . 2006-10-28 13:29 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-09 14:52 . 2004-08-04 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll

2010-11-06 00:26 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec

2010-11-02 15:17 . 2004-08-04 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys

2010-10-28 13:13 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25 . 2004-08-04 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys

2010-10-25 09:07 . 2010-06-09 09:24 95568 ----a-w- c:\windows\system32\dgdersvc.exe

2010-10-25 09:07 . 2010-06-09 09:24 763216 ----a-w- c:\windows\system32\dgderapi.dll

2010-10-25 09:07 . 2010-06-09 09:24 18120 ----a-w- c:\windows\system32\drivers\dgderdrv.sys

2010-10-25 09:03 . 2010-10-18 20:32 36640 ----a-w- c:\windows\system32\FsUsbExDisk.Sys

2006-05-06 16:42 . 2006-11-09 21:55 7260160 ----a-w- c:\program files\mozilla firefox\plugins\libvlc.dll

2008-12-29 21:26 . 2007-12-23 19:52 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-01 30192]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-10-08 185632]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-17 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]

path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk

backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]

path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk

backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ShutDown After.lnk]

path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\ShutDown After.lnk

backup=c:\windows\pss\ShutDown After.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Rainmeter.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Rainmeter.lnk

backup=c:\windows\pss\Rainmeter.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-09-20 23:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-09-23 04:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2005-05-03 17:43 69632 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]

2010-01-28 17:48 75048 ------w- c:\program files\CyberLink\Shared files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2008-01-17 16:51 486856 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLSService]

2010-05-11 03:53 55808 ----a-w- c:\program files\DYMO\DYMO Label Software\DLSService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DymoQuickPrint]

2010-05-11 04:06 1885512 ----a-w- c:\program files\DYMO\DYMO Label Software\DymoQuickPrint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneVPro]

2007-07-26 14:05 20480 ----a-w- c:\program files\GIGABYTE\ET5Pro\ETcall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gainward]

2008-01-29 03:20 2177576 ----a-w- c:\windows\TBPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBB36X Configure]

2006-06-02 08:46 385024 ------r- c:\windows\system32\JMRaidTool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

2010-09-01 21:47 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2009-11-23 22:44 135664 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]

2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]

2006-11-13 13:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-11-17 20:59 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesTrayAgent]

2010-10-27 10:36 3365176 ----a-w- c:\program files\Samsung\Kies\KiesTrayAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]

2005-06-08 14:44 196608 ----a-w- c:\program files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]

2005-06-08 15:24 458752 ----a-w- c:\program files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]

2005-06-08 15:14 217088 ----a-w- c:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]

2005-07-19 17:32 221184 ----a-w- c:\windows\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

2010-04-16 22:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2007-12-05 01:41 8523776 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

2007-12-05 01:41 81920 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2007-12-05 01:41 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-09-08 10:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl9]

2009-07-06 14:22 87336 ------w- c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2008-02-13 13:31 16857600 ----a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

2007-11-20 17:15 1826816 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartDefrag]

2010-03-26 15:48 2708312 ----a-w- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-05-21 10:34 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2007-10-08 21:25 185632 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]

2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Steam\\steamapps\\trucido@blueyonder.co.uk\\counter-strike\\hl.exe"=

"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=

"c:\\Program Files\\uTorrent\\utorrent.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\CyberLink\\PowerDVD9\\PowerDVD9.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=

"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [28/08/2009 23:55 100496]

R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [25/06/2010 15:01 111312]

S1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [03/06/2009 16:17 131584]

S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [30/03/2008 11:22 294608]

S1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [14/01/2009 23:53 142992]

S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [14/01/2009 23:53 41936]

S2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/02/27 21:11];c:\program files\CyberLink\PowerDVD9\NavFilter\000.fcl [28/01/2010 17:48 87536]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [30/03/2008 11:22 17744]

S2 dgdersvc;Device Error Recovery Service;c:\windows\system32\dgdersvc.exe [09/06/2010 09:24 95568]

S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [18/10/2010 20:32 233472]

S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [20/10/2009 18:19 50704]

S2 regi;regi;c:\windows\system32\drivers\regi.sys [17/04/2007 20:09 11032]

S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [29/11/2010 20:08 30312]

S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [09/06/2010 09:24 18120]

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [29/05/2010 23:18 13192]

S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [29/05/2010 23:18 8456]

S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [18/10/2010 20:32 36640]

S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [10/02/2009 19:40 13224]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [23/12/2007 19:52 30192]

S3 MarkFun_NT;MarkFun_NT;c:\program files\GIGABYTE\@BIOS\markfun.w32 [09/02/2008 00:20 17912]

S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [29/11/2010 20:08 96488]

S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [29/11/2010 20:08 12776]

S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [29/11/2010 20:08 121576]

S3 TNET1130;D-Link AirPlus XtremeG+ Wireless Adapter;c:\windows\system32\drivers\GPlus.sys [01/01/2007 19:27 202496]

S3 WT6563F;PS3 ISP Update;c:\windows\system32\drivers\WT6563F.sys [16/11/2009 21:01 13120]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [02/02/2008 19:24 716272]

S4 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [13/11/2009 11:31 92008]

.

Contents of the 'Scheduled Tasks' folder

2010-11-29 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

2011-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-583907252-2000478354-839522115-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-23 22:44]

2011-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-583907252-2000478354-839522115-500UA.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-23 22:44]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hpqen42f.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk

FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

FF - Ext: eBay Sidebar for Firefox: {62760FD6-B943-48C9-AB09-F99C6FE96088} - %profile%\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}

FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}

FF - Ext: TurnTool Viewer: turntoolviewer@turntool.com - %profile%\extensions\turntoolviewer@turntool.com

FF - Ext: Photobucket Uploader em:version=1.3>: pbupload@photobucket.com - %profile%\extensions\pbupload@photobucket.com

FF - Ext: FacePAD: Facebook Photo Album Downloader: facepad@lazyrussian.com - %profile%\extensions\facepad@lazyrussian.com

FF - Ext: ScrapBook: {53A03D43-5363-4669-8190-99061B2DEBA5} - %profile%\extensions\{53A03D43-5363-4669-8190-99061B2DEBA5}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-01-16 00:56

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MarkFun_NT]

"ImagePath"="\??\c:\program files\Gigabyte\@BIOS\markfun.w32"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\NavFilter\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-583907252-2000478354-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,aa,ec,fc,fe,a1,25,ca,45,b4,1a,30,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,aa,ec,fc,fe,a1,25,ca,45,b4,1a,30,\

[HKEY_USERS\S-1-5-21-583907252-2000478354-839522115-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:83,ec,59,d4,19,76,a2,ac,66,af,5a,a6,58,e7,95,39,32,a1,a5,1b,0b,9d,61,

ee,de,67,55,3b,2a,89,24,94,da,4c,8c,a2,c7,3c,cc,22,98,57,15,fb,74,f6,de,ac,\

"??"=hex:fa,77,b5,08,5b,2f,36,ca,83,ac,2b,ef,4c,e7,f2,68

[HKEY_USERS\S-1-5-21-583907252-2000478354-839522115-500\Software\SecuROM\License information*]

"datasecu"=hex:e7,59,b4,ef,c4,82,db,c5,14,a3,4d,10,32,16,d2,7d,24,26,d9,f2,b5,

a3,8c,8f,e5,5a,be,bb,0c,8b,13,ae,09,5d,75,8b,4b,31,78,89,46,9e,e7,59,3f,20,\

"rkeysecu"=hex:33,68,90,f0,b9,55,8b,f6,00,b2,17,a6,32,95,44,e0

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2011-01-16 00:58:20

ComboFix-quarantined-files.txt 2011-01-16 00:58

ComboFix2.txt 2011-01-16 00:39

ComboFix3.txt 2010-06-11 23:34

ComboFix4.txt 2010-06-01 18:12

ComboFix5.txt 2011-01-16 00:52

Pre-Run: 14,406,696,960 bytes free

Post-Run: 14,374,686,720 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - 7636441D6E3F53A00AFDEFD5F8A78775

[Maniac]

Good!

Please update your Avast and perform a full system scan. Let me know about the resaults!

[truCido]

Thanks for your help Borislav, appreciate it. Will let you know when the scan has finished, it takes a while. I'll do a boot scan after as well just to make sure.

I assume that running combofix with that CFScript replaced the user32.dll and tcpip.sys I had with a proper version of them?

[Maniac]

That's right and now everything should be fine.

[truCido]

scan found 2 files in ComboFix quarantined folder and in a system restore file so everything ok Thanks for all your help!!

[Maniac]

Glad I could help!

Last steps for you:

Step 1

1. Go to Start => Run... and copy & paste next command in the field:
   

   ComboFix /uninstall

   
   

2. Then hit Enter button.
   

This procedure will do the following:

• Uninstall ComboFix
  
• Delete its related folders and files
  
• Reset your clock settings
  
• Hide file extensions
  
• Hide the system/hidden files
  
• Resets System Restore again
  

P.S.: Make sure there's a space between ComboFix and /uninstall

Step 2

Please manually delete DDS.

Step 3

Keep your software up-to-date:

http://www.bleepingcomputer.com/tutorials/tutorial174.html

Some malware preventions:

http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing!

[truCido]

all done!! again..thank you!

[Maniac]

You're welcome!

Take care!