-
August 10th, 2010, 11:12 AM
#1
infections galore
I have all manner of problems on my work laptop, and having recently witnessed the dreaded BSOD on a number of occasions, I can no longer ignore them.
I hope someone can help.
I have the latest version of Malwarebytes installed.
Here is the log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4412
Windows 5.1.2600 Service Pack 3, v.3264
Internet Explorer 6.0.2900.3264
8/10/2010 4:03:03 PM
mbam-log-2010-08-10 (16-03-03).txt
Scan type: Quick scan
Objects scanned: 123650
Time elapsed: 9 minute(s), 57 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
August 10th, 2010, 10:32 PM
#2
Welcome aboard 
Please, read here: http://discussions.virtualdr.com/sho...d.php?t=167915 and post required logs.
-
August 11th, 2010, 07:25 AM
#3
OK, I don't speak fluent computer, but I'll have a go:
Is it the correct malware log, btw?
here is the gmer log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-11 12:22:36
Windows 5.1.2600 Service Pack 3, v.3264
Running: 0om7hh9w.exe; Driver: C:\DOCUME~1\GOODYT~1\LOCALS~1\Temp\uwtdipow.sys
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[1052] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 006C000A
.text C:\WINDOWS\System32\svchost.exe[1052] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 006D000A
.text C:\WINDOWS\System32\svchost.exe[1052] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 006B000C
.text C:\WINDOWS\System32\svchost.exe[1052] USER32.dll!GetCursorPos 7E41BD6E 5 Bytes JMP 0175000A
.text C:\WINDOWS\System32\svchost.exe[1052] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00C7000A
.text C:\WINDOWS\Explorer.EXE[1464] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00A2000A
.text C:\WINDOWS\Explorer.EXE[1464] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00A8000A
.text C:\WINDOWS\Explorer.EXE[1464] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00A1000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3576] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00B3000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3576] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00B4000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3576] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00B2000C
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
---- EOF - GMER 1.0.15 ----
-
August 11th, 2010, 10:34 AM
#4
the dds log:
DDS (Ver_10-03-17.01) - NTFSx86
Run by Goody Two Shoes at 15:29:42.53 on Wed 08/11/2010
Internet Explorer: 6.0.2900.3264 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.735.315 [GMT 1:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
svchost.exe 4
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\CNAB4RPK.EXE
svchost.exe 4
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Goody Two Shoes\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.co.uk/
mDefault_Page_URL = hxxp://forum.maxiwarez.com
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
uRun: [EPSON Stylus Photo R360 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiboe.exe /fu "c:\windows\temp\E_S110.tmp" /EF "HKCU"
uRun: [EPSON Stylus Photo R360 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\e_fatiboe.exe /fu "c:\windows\temp\E_S129.tmp" /EF "HKCU"
uRun: [EPSON Stylus Photo R360 Series (Copy 2)] c:\windows\system32\spool\drivers\w32x86\3\e_fatiboe.exe /fu "c:\windows\temp\E_S4.tmp" /EF "HKCU"
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Notify: igfxcui - igfxsrvc.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll
LSA: Notification Packages = scecli scecli
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\goodyt~1\applic~1\mozilla\firefox\profiles\9na5dgyo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
R0 aaatimeo;aaatimeo;c:\windows\system32\drivers\aaatimeo.sys [2006-2-26 4928]
R0 afamgt;afamgt;c:\windows\system32\drivers\afamgt.sys [2006-3-28 91707]
R0 siwinacc;siwinacc;c:\windows\system32\drivers\siwinacc.sys [2004-11-1 10368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-26 24652]
=============== Created Last 30 ================
2010-08-10 11:33:18 0 d-----w- c:\program files\CCleaner
2010-08-09 13:29:21 0 d-----w- c:\program files\IObit
2010-08-09 13:29:21 0 d-----w- c:\docume~1\goodyt~1\applic~1\IObit
2010-08-09 13:13:52 0 d-----w- c:\docume~1\goodyt~1\applic~1\Registry Mechanic
2010-08-09 09:21:58 0 d-----w- c:\program files\SpywareBlaster
2010-08-07 20:06:03 0 d-----w- c:\program files\Eusing Free Registry Cleaner
2010-08-07 20:01:42 0 d-----w- c:\windows\system32\appmgmt
2010-08-07 19:54:00 0 d-----w- c:\docume~1\goodyt~1\applic~1\Uniblue
2010-08-07 19:39:03 0 d-----w- c:\docume~1\goodyt~1\applic~1\Error Fix
2010-08-07 19:38:09 0 d-----w- c:\program files\Error Fix
2010-08-07 19:28:28 0 d-----w- c:\windows\system32\CatRoot2
2010-08-07 18:45:56 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-07 18:16:53 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-30 14:44:17 0 d-----w- c:\docume~1\goodyt~1\applic~1\Malwarebytes
2010-07-30 14:44:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-30 14:44:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-30 14:44:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-30 14:44:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-13 21:46:17 25168 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-07-13 21:46:15 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-07-13 21:45:51 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-13 21:45:47 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-13 21:43:04 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-07-13 21:43:03 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-07-13 21:30:35 0 d-----w- c:\program files\AVG
2010-07-13 21:27:26 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-07-13 20:11:17 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2010-07-13 20:11:15 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2010-07-13 20:11:15 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-07-13 20:11:14 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-07-13 20:11:14 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-07-13 20:02:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Driver Whiz
2010-07-13 19:52:34 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
==================== Find3M ====================
============= FINISH: 15:31:07.20 ===============
-
August 11th, 2010, 10:36 AM
#5
and the attach:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/19/2008 7:40:47 PM
System Uptime: 8/11/2010 2:19:58 PM (1 hours ago)
Motherboard: ARIMA | | W720P4
Processor: Mobile Intel(R) Celeron(R) CPU 2.50GHz | Laptop Computer CPU | 2492/400mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 56 GiB total, 42.755 GiB free.
D: is CDROM ()
E: is Removable
G: is Removable
==== Disabled Device Manager Items =============
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_24C6&SUBSYS_2030161F&REV_03\3&267A616A&0&FE
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_24C6&SUBSYS_2030161F&REV_03\3&267A616A&0&FE
Service:
==== System Restore Points ===================
RP71: 5/17/2010 12:32:58 PM - System Checkpoint
RP72: 5/18/2010 4:24:29 PM - System Checkpoint
RP73: 5/2/2009 4:52:22 PM - System Checkpoint
RP74: 5/4/2009 6:23:44 PM - System Checkpoint
RP75: 5/8/2009 10:13:15 PM - System Checkpoint
RP76: 5/10/2009 10:33:43 AM - System Checkpoint
RP77: 5/11/2009 7:42:43 PM - System Checkpoint
RP78: 5/13/2009 9:09:35 AM - System Checkpoint
RP79: 5/14/2009 2:30:59 PM - System Checkpoint
RP80: 5/17/2009 7:40:53 AM - System Checkpoint
RP81: 6/1/2009 1:59:44 PM - System Checkpoint
RP82: 6/3/2009 11:57:40 AM - System Checkpoint
RP83: 6/5/2009 2:23:00 PM - System Checkpoint
RP84: 11/1/2009 6:35:26 PM - System Checkpoint
RP85: 11/3/2009 10:59:51 AM - System Checkpoint
RP86: 11/4/2009 2:43:09 PM - System Checkpoint
RP87: 11/9/2009 10:09:38 AM - System Checkpoint
RP88: 11/10/2009 10:15:39 AM - System Checkpoint
RP89: 11/11/2009 10:16:04 AM - System Checkpoint
RP90: 11/12/2009 1:07:49 PM - System Checkpoint
RP91: 11/13/2009 6:35:19 PM - System Checkpoint
RP92: 11/15/2009 1:56:57 PM - System Checkpoint
RP93: 11/16/2009 3:44:51 PM - System Checkpoint
RP94: 11/17/2009 4:28:27 PM - System Checkpoint
RP95: 11/18/2009 6:09:31 PM - System Checkpoint
RP96: 11/19/2009 6:52:16 PM - System Checkpoint
RP97: 11/20/2009 6:59:18 PM - System Checkpoint
RP98: 11/21/2009 8:11:46 PM - System Checkpoint
RP99: 11/22/2009 9:48:51 PM - System Checkpoint
RP100: 11/23/2009 11:30:21 PM - System Checkpoint
RP101: 11/25/2009 9:55:18 AM - System Checkpoint
RP102: 11/26/2009 11:25:58 AM - System Checkpoint
RP103: 11/27/2009 2:02:33 PM - System Checkpoint
RP104: 11/28/2009 7:18:56 PM - System Checkpoint
RP105: 11/29/2009 8:22:08 PM - System Checkpoint
RP106: 12/1/2009 10:00:32 AM - System Checkpoint
RP107: 12/2/2009 10:07:30 AM - System Checkpoint
RP108: 12/3/2009 11:48:24 AM - System Checkpoint
RP109: 12/4/2009 12:04:55 PM - System Checkpoint
RP110: 12/5/2009 4:21:30 PM - System Checkpoint
RP111: 12/7/2009 4:25:59 PM - System Checkpoint
RP112: 12/25/2009 11:28:37 AM - System Checkpoint
RP113: 12/9/2009 12:42:33 AM - System Checkpoint
RP114: 12/10/2009 10:21:54 AM - System Checkpoint
RP115: 12/11/2009 12:27:03 PM - System Checkpoint
RP116: 12/12/2009 1:20:26 PM - System Checkpoint
RP117: 12/13/2009 4:42:42 PM - System Checkpoint
RP118: 12/14/2009 5:23:54 PM - System Checkpoint
RP119: 12/15/2009 5:58:13 PM - System Checkpoint
RP120: 12/16/2009 6:00:11 PM - System Checkpoint
RP121: 12/17/2009 6:45:19 PM - System Checkpoint
RP122: 12/19/2009 8:37:02 AM - System Checkpoint
RP123: 1/7/2010 9:39:19 PM - System Checkpoint
RP124: 1/8/2010 10:25:17 PM - System Checkpoint
RP125: 1/12/2010 7:52:06 AM - System Checkpoint
RP126: 1/13/2010 9:36:33 AM - System Checkpoint
RP127: 1/14/2010 9:54:12 AM - System Checkpoint
RP128: 1/26/2010 8:58:25 AM - System Checkpoint
RP129: 1/27/2010 9:10:00 AM - System Checkpoint
RP130: 1/28/2010 9:17:43 AM - System Checkpoint
RP131: 1/29/2010 9:34:11 AM - System Checkpoint
RP132: 1/31/2010 6:04:31 PM - System Checkpoint
RP133: 2/1/2010 6:11:59 PM - System Checkpoint
RP134: 2/2/2010 6:29:13 PM - System Checkpoint
RP135: 2/3/2010 6:47:09 PM - System Checkpoint
RP136: 2/5/2010 1:12:23 PM - System Checkpoint
RP137: 2/10/2010 9:45:37 AM - System Checkpoint
RP138: 2/11/2010 10:24:21 AM - System Checkpoint
RP139: 2/12/2010 11:01:27 AM - System Checkpoint
RP140: 2/13/2010 1:06:07 PM - System Checkpoint
RP141: 2/15/2010 11:15:31 AM - System Checkpoint
RP142: 2/16/2010 12:38:14 PM - System Checkpoint
RP143: 2/17/2010 1:36:35 PM - System Checkpoint
RP144: 2/21/2010 2:20:23 PM - System Checkpoint
RP145: 2/22/2010 2:21:49 PM - System Checkpoint
RP146: 2/23/2010 2:29:51 PM - System Checkpoint
RP147: 2/24/2010 2:39:15 PM - System Checkpoint
RP148: 2/25/2010 4:14:40 PM - System Checkpoint
RP149: 2/26/2010 4:27:58 PM - System Checkpoint
RP150: 3/1/2010 11:30:29 AM - System Checkpoint
RP151: 3/2/2010 11:40:21 AM - System Checkpoint
RP152: 3/3/2010 12:00:45 PM - System Checkpoint
RP153: 3/4/2010 12:22:13 PM - System Checkpoint
RP154: 3/8/2010 12:09:40 PM - System Checkpoint
RP155: 3/9/2010 12:37:46 PM - System Checkpoint
RP156: 3/10/2010 2:31:50 PM - System Checkpoint
RP157: 3/11/2010 3:28:01 PM - System Checkpoint
RP158: 3/12/2010 3:50:34 PM - System Checkpoint
RP159: 3/16/2010 7:50:15 PM - System Checkpoint
RP160: 3/19/2010 4:25:21 PM - System Checkpoint
RP161: 3/25/2010 12:45:00 PM - System Checkpoint
RP162: 4/1/2010 11:54:11 AM - System Checkpoint
RP163: 4/2/2010 2:51:32 PM - System Checkpoint
RP164: 4/23/2010 2:21:52 PM - System Checkpoint
RP165: 4/26/2010 11:01:10 AM - System Checkpoint
RP166: 4/27/2010 2:35:28 PM - System Checkpoint
RP167: 4/28/2010 9:53:44 AM - Installed Java(TM) 6 Update 13
RP168: 4/29/2010 11:30:30 AM - System Checkpoint
RP169: 4/30/2010 11:56:19 AM - System Checkpoint
RP170: 5/1/2010 1:48:29 PM - System Checkpoint
RP171: 5/2/2010 2:00:09 PM - System Checkpoint
RP172: 5/3/2010 5:46:22 PM - System Checkpoint
RP173: 5/4/2010 6:35:09 PM - System Checkpoint
RP174: 5/6/2010 12:22:03 PM - System Checkpoint
RP175: 5/7/2010 12:48:52 PM - System Checkpoint
RP176: 5/8/2010 1:17:55 PM - System Checkpoint
RP177: 5/10/2010 11:09:53 AM - System Checkpoint
RP178: 5/13/2010 9:43:48 PM - System Checkpoint
RP179: 5/14/2010 10:30:08 PM - System Checkpoint
RP180: 5/17/2010 9:20:51 AM - System Checkpoint
RP181: 5/18/2010 12:26:27 PM - System Checkpoint
RP182: 5/19/2010 2:39:55 PM - System Checkpoint
RP183: 5/20/2010 2:44:11 PM - System Checkpoint
RP184: 6/1/2010 11:20:21 AM - System Checkpoint
RP185: 6/2/2010 12:20:17 PM - System Checkpoint
RP186: 6/4/2010 10:20:45 AM - System Checkpoint
RP187: 6/5/2010 11:45:52 AM - System Checkpoint
RP188: 6/7/2010 1:22:36 PM - System Checkpoint
RP189: 6/8/2010 2:29:44 PM - System Checkpoint
RP190: 6/15/2010 12:09:06 PM - System Checkpoint
RP191: 6/16/2010 12:44:54 PM - System Checkpoint
RP192: 6/18/2010 7:24:42 AM - System Checkpoint
RP193: 6/19/2010 4:01:50 PM - System Checkpoint
RP194: 6/20/2010 5:40:45 PM - System Checkpoint
RP195: 6/21/2010 10:41:00 PM - System Checkpoint
RP196: 6/22/2010 10:59:20 PM - System Checkpoint
RP197: 7/2/2010 10:04:09 AM - System Checkpoint
RP198: 7/3/2010 10:58:09 AM - System Checkpoint
RP199: 7/4/2010 5:54:00 PM - System Checkpoint
RP200: 7/5/2010 6:26:50 PM - System Checkpoint
RP201: 7/6/2010 8:49:00 PM - System Checkpoint
RP202: 7/8/2010 2:22:34 PM - System Checkpoint
RP203: 7/9/2010 6:19:34 PM - System Checkpoint
RP204: 7/10/2010 6:43:42 PM - System Checkpoint
RP205: 7/12/2010 2:26:40 PM - System Checkpoint
RP206: 7/13/2010 8:18:19 PM - Configured SoundMAX
RP207: 7/13/2010 8:21:20 PM - Rollback to an unsigned driver
RP208: 7/13/2010 8:48:20 PM - Installed Driver Detective.
RP209: 7/13/2010 9:01:15 PM - Installed Driver Whiz.
RP210: 7/13/2010 9:05:50 PM - Removed Driver Whiz.
RP211: 7/13/2010 9:06:14 PM - Removed Driver Detective.
RP212: 7/13/2010 9:43:15 PM - Rollback to an unsigned driver
RP213: 7/13/2010 10:27:25 PM - Installed AVG 9.0
RP214: 7/14/2010 8:42:03 AM - Configured AVG Free 9.0
RP215: 7/22/2010 4:43:49 PM - System Checkpoint
RP216: 7/27/2010 8:33:41 AM - System Checkpoint
RP217: 7/28/2010 3:21:41 PM - System Checkpoint
RP218: 7/29/2010 3:34:57 PM - System Checkpoint
RP219: 7/30/2010 4:49:05 PM - System Checkpoint
RP220: 8/2/2010 10:34:29 AM - System Checkpoint
RP221: 8/3/2010 10:43:25 AM - System Checkpoint
RP222: 8/6/2010 9:00:40 AM - System Checkpoint
RP223: 8/7/2010 12:44:34 PM - System Checkpoint
RP224: 8/7/2010 7:16:26 PM - Restore Operation
RP225: 8/7/2010 7:41:22 PM - Installed Java(TM) 6 Update 21
RP226: 8/9/2010 12:17:15 PM - System Checkpoint
RP227: 8/9/2010 2:30:07 PM - Advanced SystemCare RestorePoint
RP228: 8/10/2010 4:46:51 PM - System Checkpoint
==== Installed Programs ======================
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader 9
Advanced SystemCare 3
AIM 6
AIM Search
AIM Toolbar 5.0
Ancient Secrets
BCM Wireless Network Adapter
Canon LBP2900
CCleaner
EPSON Printer Software
GameHouse
Intel(R) Extreme Graphics 2 Driver
Java Auto Updater
Java(TM) 6 Update 21
Java(TM) 6 Update 7
Malwarebytes' Anti-Malware
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2000 SR-1 Professional
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.7)
MSN
MSVCRT
RealPlayer
Sage Accounts 8.20
Segoe UI
SoundMAX
SSC Service Utility v4.30
Switch Sound File Converter
Synaptics Pointing Device Driver
Viewpoint Media Player
Vista Ultimate Edition final v1.0
WebFldrs XP
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Vista Sounds Pack
Yahoo! Messenger
==== Event Viewer Messages From Past Week ========
8/6/2010 8:36:38 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the DNS Client service to connect.
8/6/2010 8:36:38 AM, error: Service Control Manager [7000] - The DNS Client service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/6/2010 3:23:19 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
8/6/2010 1:53:12 PM, error: DCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.
8/6/2010 1:26:53 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
8/6/2010 1:26:48 PM, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{390B2F00-7D4E-4DD1-A26E-1E74DC289CA6} because another computer on the network has the same name. The server could not start.
8/6/2010 1:26:48 PM, error: NetBT [4321] - The name "TOM-PC :20" could not be registered on the Interface with IP address 192.168.2.3. The machine with the IP address 192.168.2.2 did not allow the name to be claimed by this machine.
8/6/2010 1:26:43 PM, error: NetBT [4321] - The name "TOM-PC :0" could not be registered on the Interface with IP address 192.168.2.3. The machine with the IP address 192.168.2.2 did not allow the name to be claimed by this machine.
8/6/2010 1:26:23 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
8/6/2010 1:26:23 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
8/6/2010 1:26:23 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
8/4/2010 2:54:17 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
==== End Of File ===========================
-
August 11th, 2010, 11:39 PM
#6
You did very well 
You don't have any active antivirus program.
Please, download and install ONE of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- Avira free antivirus: http://www.free-av.com/en/download/1...antivirus.html
After installation, run full scan.
=================================================================
Unless you installed Viewpoint Manager knowledgeably...
Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
Uninstall any of the following programs associated with Viewpoint:
* Viewpoint Manager
* Viewpoint Media Player
* Viewpoint Toolbar
This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.
=============================================================
Update your Java version here: http://www.java.com/en/download/installed.jsp
Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.
Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.
Now we need to remove the old Java version and its remnants...
Download JavaRa to your desktop and unzip it to its own folder
- Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
- Accept any prompts.
================================================================
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Make sure you re-enable your security programs when you're done with Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
-
August 12th, 2010, 02:18 AM
#7
OK, the AntiVir programme seemed to find nothing amiss.
Here's the report:
Avira AntiVir Personal
Report file date: Thursday, August 12, 2010 07:12
Scanning for 2708713 virus strains and unwanted programs.
The program is running as an unrestricted full version.
Online services are available:
Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3, v.3264) [5.1.2600]
Boot mode : Normally booted
Username : Goody Two Shoes
Computer name : TOM-PC
Version information:
BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00
AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 12:37:38
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 12:57:04
LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 18:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/10/2010 23:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 09:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 19:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 17:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 16:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 11:29:03
VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 06:10:03
VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 06:10:10
VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 06:10:25
VBASE008.VDF : 7.10.9.166 2048 Bytes 7/23/2010 06:10:25
VBASE009.VDF : 7.10.9.167 2048 Bytes 7/23/2010 06:10:26
VBASE010.VDF : 7.10.9.168 2048 Bytes 7/23/2010 06:10:26
VBASE011.VDF : 7.10.9.169 2048 Bytes 7/23/2010 06:10:26
VBASE012.VDF : 7.10.9.170 2048 Bytes 7/23/2010 06:10:26
VBASE013.VDF : 7.10.9.198 157696 Bytes 7/26/2010 06:10:26
VBASE014.VDF : 7.10.9.255 997888 Bytes 7/29/2010 06:10:30
VBASE015.VDF : 7.10.10.28 139264 Bytes 8/2/2010 06:10:30
VBASE016.VDF : 7.10.10.52 127488 Bytes 8/3/2010 06:10:31
VBASE017.VDF : 7.10.10.84 137728 Bytes 8/6/2010 06:10:31
VBASE018.VDF : 7.10.10.107 176640 Bytes 8/9/2010 06:10:32
VBASE019.VDF : 7.10.10.130 132608 Bytes 8/10/2010 06:10:32
VBASE020.VDF : 7.10.10.131 2048 Bytes 8/10/2010 06:10:32
VBASE021.VDF : 7.10.10.132 2048 Bytes 8/10/2010 06:10:32
VBASE022.VDF : 7.10.10.133 2048 Bytes 8/10/2010 06:10:33
VBASE023.VDF : 7.10.10.134 2048 Bytes 8/10/2010 06:10:33
VBASE024.VDF : 7.10.10.135 2048 Bytes 8/10/2010 06:10:33
VBASE025.VDF : 7.10.10.136 2048 Bytes 8/10/2010 06:10:33
VBASE026.VDF : 7.10.10.137 2048 Bytes 8/10/2010 06:10:33
VBASE027.VDF : 7.10.10.138 2048 Bytes 8/10/2010 06:10:33
VBASE028.VDF : 7.10.10.139 2048 Bytes 8/10/2010 06:10:33
VBASE029.VDF : 7.10.10.140 2048 Bytes 8/10/2010 06:10:33
VBASE030.VDF : 7.10.10.141 2048 Bytes 8/10/2010 06:10:33
VBASE031.VDF : 7.10.10.151 73728 Bytes 8/11/2010 06:10:33
Engineversion : 8.2.4.34
AEVDF.DLL : 8.1.2.1 106868 Bytes 8/12/2010 06:10:44
AESCRIPT.DLL : 8.1.3.42 1364347 Bytes 8/12/2010 06:10:44
AESCN.DLL : 8.1.6.1 127347 Bytes 8/12/2010 06:10:43
AESBX.DLL : 8.1.3.1 254324 Bytes 8/12/2010 06:10:45
AERDL.DLL : 8.1.8.2 614772 Bytes 8/12/2010 06:10:43
AEPACK.DLL : 8.2.3.5 471412 Bytes 8/12/2010 06:10:42
AEOFFICE.DLL : 8.1.1.8 201081 Bytes 8/12/2010 06:10:41
AEHEUR.DLL : 8.1.2.11 2834805 Bytes 8/12/2010 06:10:40
AEHELP.DLL : 8.1.13.2 242039 Bytes 8/12/2010 06:10:36
AEGEN.DLL : 8.1.3.19 393587 Bytes 8/12/2010 06:10:36
AEEMU.DLL : 8.1.2.0 393588 Bytes 8/12/2010 06:10:35
AECORE.DLL : 8.1.16.2 192887 Bytes 8/12/2010 06:10:35
AEBB.DLL : 8.1.1.0 53618 Bytes 8/12/2010 06:10:34
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 12:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 12:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 16:47:40
AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 12:35:46
AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 12:39:51
AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 12:22:13
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 09:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 12:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 15:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 14:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 13:10:20
RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 14:14:29
Configuration settings for the scan:
Jobname.............................: Short system scan after installation
Configuration file..................: c:\program files\avira\antivir desktop\setupprf.dat
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Start of the scan: Thursday, August 12, 2010 07:12
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avconfig.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'setup.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'presetup.exe' - '1' Module(s) have been scanned
Scan process 'avira_antivir_personal_en.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'bcmwltry.exe' - '1' Module(s) have been scanned
Scan process 'wltrysvc.exe' - '1' Module(s) have been scanned
Scan process 'ViewpointService.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'CNAB4RPK.EXE' - '1' Module(s) have been scanned
Scan process 'AWC.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'SOUNDMAN.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Start scanning boot sectors:
Starting to scan executable files (registry).
The registry was scanned ( '347' files ).
End of the scan: Thursday, August 12, 2010 07:13
Used time: 00:52 Minute(s)
The scan has been done completely.
0 Scanned directories
822 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
822 Files not concerned
3 Archives were scanned
0 Warnings
0 Notes
now for the rest............
-
August 12th, 2010, 07:10 PM
#8
-
August 12th, 2010, 07:26 PM
#9
boy does my laptop not like Combofix!!!!!!!
I tried to run it four times and got the blue screen each time. pfft!
Also on the fourth attempt it knocked my wireless connection off and now it won't find the network... so I can't let it download the recovery console like it asked.
I don't know..... should I keep trying?
-
August 12th, 2010, 09:13 PM
#10
Try to run it from Safe Mode.
-
August 13th, 2010, 04:24 AM
#11
ok, I tried it in safe mode but couldn't seem to disable the Antivir software as there are no icons in the system tray and I didn't want to go ahead with the scan with Antivir running. I opened the programme from the shortcut on the desktop but really couldn't see how to do it from there.
Did I miss something obvious or do I have to uninstall it or something?
god, I'm awful at this!!!
-
August 13th, 2010, 12:54 PM
#12
Delete your Combofix file, download a fresh one, but rename combofix.exe to broni.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
* Rkill.com
* Rkill.scr
* Rkill.pif
* Rkill.exe
* Double-click on the Rkill desktop icon to run the tool.
* If using Vista or Windows 7 right-click on it and choose Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
* If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run then try to immediately run the following.
Now download and run exeHelper.
* Please download exeHelper from Raktor to your desktop.
* Double-click on exeHelper.com to run the fix.
* A black window should pop up, press any key to close once the fix is completed.
* A log file named log.txt will be created in the directory where you ran exeHelper.com
* Attach the log.txt file to your next message.
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
Now, run broni.exe
-
August 16th, 2010, 01:34 PM
#13
Hi Broni
The rkill and exe helper seemed to run fine, however, the Broni (combofix application) resulted in yet another blue screen.
the logs for rkill and exehelper are here:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Goody Two Shoes on 08/16/2010 at 16:10:27.
Processes terminated by Rkill or while it was running:
C:\Documents and Settings\Goody Two Shoes\Desktop\rkill.com
Rkill completed on 08/16/2010 at 16:10:56.
---------------------------------------------------------------------------------
exeHelper by Raktor
Build 20100414
Run at 16:14:38 on 08/16/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
-----------------------------------------------------------------------------
The error messages when I get the blue screen are different each time but now it's happening so often I'm starting to panic.
Do you honestly think we can fix whatever's wrong?
the last few messages have been as follows:
BAD_POOL_CALLER
Technical Information:
***STOP: 0x000000C2 (0x00000007, 0x00000CD4, 0x00000001, 0xF694FA9C)
IRQL_NOT_LESS_OR_EQUAL
Technical Information:
***STOP: 0x0000000A (0xEECCCAAC, 0x00000002, 0x00000001, 0x804FD944)
INVALID_PROCESS_DETACH_ATTEMPT
Technical Information:
***STOP: 0x00000006 (0x00000000, 0x00000000, 0x00000000, 0x00000000)
-
August 16th, 2010, 07:12 PM
#14
OK. Try all three tools from safe mode.
-
August 17th, 2010, 02:26 PM
#15
I am hesitant to throw a party just yet but I think I actually got it to work!!!!
the rkill log:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Administrator on 08/17/2010 at 17:55:23.
Processes terminated by Rkill or while it was running:
Rkill completed on 08/17/2010 at 17:55:39.
The exehelper:
exeHelper by Raktor
Build 20100414
Run at 16:14:38 on 08/16/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
exeHelper by Raktor
Build 20100414
Run at 17:56:40 on 08/17/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
And the Broni (Combofix):
ComboFix 10-08-16.04 - Goody Two Shoes 08/17/2010 19:04:22.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.735.508 [GMT 1:00]
Running from: c:\documents and settings\Goody Two Shoes\Desktop\Broni.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\ntload.exe
Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected
Restored copy from - Kitty had a snack
.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 )))))))))))))))))))))))))))))))
.
2010-08-13 08:02 . 2010-08-13 08:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
2010-08-12 07:13 . 2010-08-12 07:13 -------- d-----w- c:\windows\system32\NtmsData
2010-08-12 07:10 . 2010-08-12 07:10 -------- d-----w- c:\documents and settings\Goody Two Shoes\Application Data\Avira
2010-08-12 06:08 . 2010-03-01 09:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-08-12 06:08 . 2010-02-16 13:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-08-12 06:08 . 2009-05-11 11:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-08-12 06:08 . 2009-05-11 11:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-08-12 06:08 . 2010-08-12 06:08 -------- d-----w- c:\program files\Avira
2010-08-12 06:08 . 2010-08-12 06:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-08-10 11:33 . 2010-08-10 11:33 -------- d-----w- c:\program files\CCleaner
2010-08-09 13:29 . 2010-08-09 13:29 -------- d-----w- c:\program files\IObit
2010-08-09 13:29 . 2010-08-09 13:29 -------- d-----w- c:\documents and settings\Goody Two Shoes\Application Data\IObit
2010-08-09 13:13 . 2010-08-09 13:13 -------- d-----w- c:\documents and settings\Goody Two Shoes\Application Data\Registry Mechanic
2010-08-09 09:22 . 2010-08-10 11:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-09 09:21 . 2010-08-10 11:37 -------- d-----w- c:\program files\SpywareBlaster
2010-08-07 20:06 . 2010-08-10 11:36 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-08-07 19:54 . 2010-08-07 19:54 -------- d-----w- c:\documents and settings\Goody Two Shoes\Application Data\Uniblue
2010-08-07 19:39 . 2010-08-07 19:43 -------- d-----w- c:\documents and settings\Goody Two Shoes\Application Data\Error Fix
2010-08-07 19:38 . 2010-08-07 20:01 -------- d-----w- c:\program files\Error Fix
2010-08-07 19:28 . 2010-08-17 18:16 -------- d-----w- c:\windows\system32\CatRoot2
2010-08-07 19:15 . 2010-08-07 19:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\AOL
2010-08-07 18:46 . 2010-08-07 18:46 503808 ----a-w- c:\documents and settings\Goody Two Shoes\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5e1ba386-n\msvcp71.dll
2010-08-07 18:46 . 2010-08-07 18:46 499712 ----a-w- c:\documents and settings\Goody Two Shoes\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5e1ba386-n\jmc.dll
2010-08-07 18:46 . 2010-08-07 18:46 348160 ----a-w- c:\documents and settings\Goody Two Shoes\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5e1ba386-n\msvcr71.dll
2010-08-07 18:46 . 2010-08-07 18:46 61440 ----a-w- c:\documents and settings\Goody Two Shoes\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-349dcea8-n\decora-sse.dll
2010-08-07 18:46 . 2010-08-07 18:46 12800 ----a-w- c:\documents and settings\Goody Two Shoes\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-349dcea8-n\decora-d3d.dll
2010-08-07 18:45 . 2010-07-17 04:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-07 18:16 . 2010-08-07 18:16 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-30 14:44 . 2010-07-30 14:44 -------- d-----w- c:\documents and settings\Goody Two Shoes\Application Data\Malwarebytes
2010-07-30 14:44 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-30 14:44 . 2010-08-07 18:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-30 14:44 . 2010-07-30 14:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-30 14:44 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-30 14:06 . 2010-07-30 15:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ywbakvqxv
2010-07-29 08:40 . 2010-07-29 08:40 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-12 06:19 . 2008-08-26 09:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-08-07 18:45 . 2008-07-23 02:47 -------- d-----w- c:\program files\Java
2010-07-14 07:55 . 2008-07-19 12:17 -------- d-----w- c:\program files\Thoosje Sidebar V2.3
2010-07-13 21:46 . 2010-07-13 21:46 25168 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-07-13 21:46 . 2010-07-13 21:46 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-07-13 21:46 . 2010-07-13 21:45 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-13 21:45 . 2010-07-13 21:45 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-13 21:43 . 2010-07-13 21:43 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-07-13 21:43 . 2010-07-13 21:43 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-07-13 21:30 . 2010-07-13 21:30 -------- d-----w- c:\program files\AVG
2010-07-13 21:27 . 2010-07-13 21:27 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-07-13 20:02 . 2010-07-13 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Whiz
2010-07-13 19:52 . 2010-07-13 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2010-07-13 19:17 . 2008-07-19 18:56 -------- d-----w- c:\program files\Common Files\InstallShield
2010-07-11 17:26 . 2010-07-11 17:12 -------- d-----w- c:\program files\Shareaza
2010-07-11 17:26 . 2010-07-11 17:12 -------- d-----w- c:\documents and settings\Goody Two Shoes\Application Data\Shareaza
2010-06-07 09:50 . 2008-07-19 18:48 84328 ----a-w- c:\documents and settings\Goody Two Shoes\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
------- Sigcheck -------
[-] 2008-01-11 . 2B60598FE17A9EAA1468C1B8F73EA0B9 . 1613824 . . [5.1.2600.3264] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-07-02 2347216]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2007-11-30 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2007-11-30 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2007-11-30 455168]
"SoundMan"="SOUNDMAN.EXE" [2008-01-11 64512]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-07-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-07-10 114688]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-18 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-18 618496]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-26 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-7-20 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 15:39 5244216 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\CNAB4RPK.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
R0 aaatimeo;aaatimeo;c:\windows\system32\drivers\aaatimeo.sys [2/26/2006 4:21 PM 4928]
R0 afamgt;afamgt;c:\windows\system32\drivers\afamgt.sys [3/28/2006 3:43 PM 91707]
R0 siwinacc;siwinacc;c:\windows\system32\drivers\siwinacc.sys [11/1/2004 11:21 AM 10368]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/12/2010 7:08 AM 135336]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
FF - ProfilePath - c:\documents and settings\Goody Two Shoes\Application Data\Mozilla\Firefox\Profiles\9na5dgyo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-17 19:15
Windows 5.1.2600 Service Pack 3, v.3264 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SOUNDMAN.EXE
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\System32\wltrysvc.exe
c:\windows\system32\CNAB4RPK.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-08-17 19:20:20 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-17 18:20
Pre-Run: 46,833,704,960 bytes free
Post-Run: 48,098,852,864 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 393180D21CA12941B84DFD260C4F38F2
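To show how a responder reads a ComboFix log like the one in the post above, here is an added Python triage script (not ComboFix's own code and not from the thread) that splits the log into its sections and pulls out the tool's confirmed disinfections, the disabled-firewall value, a Run entry that is only a bare file name, and a newly created random-named directory under a service profile. The sample excerpt is constructed from lines quoted in the post; the random-name and bare-name checks are heuristics assumed by this example, not ComboFix rules.

```python
import re
from dataclasses import dataclass

# Constructed excerpt, assembled from lines of the ComboFix log quoted in the thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\ntload.exe
Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 )))))))))))))))))))))))))))))))
.
2010-08-12 06:08 . 2010-03-01 09:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-07-30 14:06 . 2010-07-30 15:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ywbakvqxv
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2008-01-11 64512]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
CREATED_RE = re.compile(r"^\S+ \S+ \. \S+ \S+ (\S+) (\S+) (.+)$")  # created . modified size attrs path
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
# Heuristic (an assumption of this example, not a ComboFix rule): a service profile
# should not be gaining new directories with random-looking lowercase names.
SERVICE_PROFILE_RE = re.compile(r"\\(LocalService|NetworkService)\\", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[a-z]{8,}$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high": confirmed by the tool; "review": needs a human look
    section: str
    detail: str


def triage(log_text: str) -> list[Finding]:
    """Walk the log section by section and collect the lines a responder acts on."""
    findings: list[Finding] = []
    section = reg_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
        elif section == "Other Deletions":
            sev = "high" if "was found and disinfected" in line else "review"
            findings.append(Finding(sev, section, line))
        elif section.startswith("Files Created"):
            m = CREATED_RE.match(line)
            if m and SERVICE_PROFILE_RE.search(m.group(3)) \
                    and RANDOM_NAME_RE.match(m.group(3).rsplit("\\", 1)[-1]):
                findings.append(Finding("review", section, f"odd name in service profile: {m.group(3)}"))
        elif section == "Reg Loading Points":
            if line.startswith("["):
                reg_key = line.strip("[]").lower()
            elif reg_key.endswith("firewallpolicy\\standardprofile") \
                    and line.replace(" ", "").startswith('"EnableFirewall"=0'):
                findings.append(Finding("high", section, "Windows Firewall disabled (EnableFirewall=0)"))
            elif (m := RUN_VALUE_RE.match(line)) and reg_key.endswith("\\run") and "\\" not in m.group(2):
                # A bare file name is resolved through the search path at logon;
                # confirm which binary actually runs before trusting the entry.
                findings.append(Finding("review", section,
                                        f"Run entry {m.group(1)!r} uses bare name {m.group(2)!r}"))
    return findings


def high_findings(log_text: str) -> list[str]:
    return [f.detail for f in triage(log_text) if f.severity == "high"]
```

Run `triage(SAMPLE_LOG)` to see the three confirmed items (the infected rdpcdd.sys, the Whistler bootkit on PhysicalDrive0, the disabled firewall) separated from the entries that only merit a closer look.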