
Barrie

Community member

Date of registration:
Jan 31st 2006

Version:
none

Operating System:
Mac OS X 10.8.3


21

Sunday, May 27th 2012, 8:11pm

Hi,

I am beginning to think this may be a rootkit infection, so with that in mind download Blacklight from here and run it, please tell us the results.


Barrie
Cordialement - Grüße and Regards.

Avira Tech Blog - Avira VL - Virusscan.jotti - HijackThis - Avira tools - Online shop - Avira safe mode scan
Sorry NO support via PM > Kein Support über PN > Aucun support par message privé.

  • "jp1216" started this thread

Date of registration:
May 23rd 2012

Version:
Avira Free Antivirus

Operating System:
WinXP SP3


22

Sunday, May 27th 2012, 10:35pm

Here is my Blacklight log:

Didn't find any problems, but finished the scan with an error message - something about partial scan only etc. Tried it twice.

05/27/12 15:23:29 [Info]: BlackLight Engine 2.2.1092 initialized
05/27/12 15:23:29 [Info]: OS: 5.1 build 2600 (Service Pack 3)
05/27/12 15:23:29 [Note]: 7019 4
05/27/12 15:23:29 [Note]: 7005 0
05/27/12 15:23:30 [Error]: 6002 0
05/27/12 15:26:21 [Note]: 7006 0
05/27/12 15:26:21 [Note]: 7011 1984
05/27/12 15:26:21 [Note]: 7035 0
05/27/12 15:26:21 [Note]: 7037 1000
05/27/12 15:26:21 [Note]: 8001 2
05/27/12 15:26:29 [Note]: FSRAW library version 1.7.1024
05/27/12 16:31:46 [Note]: 7007 0

  • "jp1216" started this thread

Date of registration:
May 23rd 2012

Version:
Avira Free Antivirus

Operating System:
WinXP SP3


23

Sunday, May 27th 2012, 11:12pm

Ran Blacklight a 3rd time and got the error: "Scan partially completed (Error: 8001 2) No hidden items found."

Barrie

Community member

Date of registration:
Jan 31st 2006

Version:
none

Operating System:
Mac OS X 10.8.3


24

Monday, May 28th 2012, 2:59pm

Hi,


There is something fundamentally wrong here, as that error seems to indicate a permission issue, i.e. you do not have administrative privileges, which you need to fully run the Blacklight program and also Avira.

Barrie

  • "jp1216" started this thread

Date of registration:
May 23rd 2012

Version:
Avira Free Antivirus

Operating System:
WinXP SP3


25

Monday, May 28th 2012, 3:39pm

Any suggestions? I am in the process of replacing this desktop (11 years old) this week - just want to fix it for learning purposes. Everything important is backed up etc. Full Avira scans work and automatic daily updates still occur. Just can't enable real time protection or do any Windows Updates.

Barrie

Community member

Date of registration:
Jan 31st 2006

Version:
none

Operating System:
Mac OS X 10.8.3


26

Monday, May 28th 2012, 4:08pm

Hi,

OK, let's deal with Windows updates first, as long as you are running as admin. Download the winsock fix app from cnet.com and the Windows update fix from the Microsoft Fixit website to a USB thumb drive from another computer. Next, install and run both of those apps on the machine with errors. Run the winsock fix app first.

Report results.

Now for Avira: go to your services folder by typing msconfig.exe in the Run box accessed via the Start Menu, followed by clicking the Services tab. You should see a box like the following.



Make sure all Avira services are both Started under Status and Automatic under Startup Type; if not, click and change.

If the above still fails to correct the issues, then download and run ComboFix from here; you will also find instructions.


Barrie

  • "jp1216" started this thread

Date of registration:
May 23rd 2012

Version:
Avira Free Antivirus

Operating System:
WinXP SP3


27

Monday, May 28th 2012, 5:54pm

Downloaded XP TCPIP Repair from CNET and ran the Winsock fix. Took 1 second and a box popped up telling me to reboot - I did.

No noticeable changes.

My msconfig/services box looks different. All Avira (Scheduler, Guard, Device) are checked, but Guard says Stopped under Status (not running).

Downloaded ComboFix. Ran it. I get
"Access denied - C:\boot.ini "
SED: can't read C:\Boot.bak: No such file or directory
Access is denied
Access denied - C:\boot.ini

It stalled for about 10 minutes then began running. I will post back shortly.....

  • "jp1216" started this thread

Date of registration:
May 23rd 2012

Version:
Avira Free Antivirus

Operating System:
WinXP SP3


28

Monday, May 28th 2012, 6:36pm

Just waiting for ComboFix to finish. WOW. It rebooted and EVERYTHING appears back to normal. Fantastic. I will report back shortly and provide any log information. I did follow the process and noticed a few .exe and .dll files being deleted.

Many thanks. Everything appears back to normal. If you see anything weird in the log - please post.

Only issue remaining is the CHKDSK blue screen on boot up. Something for that one?

FINISHED - LOG FILE:

ComboFix 12-05-28.02 - jp 05/28/2012 11:58:03.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.455 [GMT -4:00]
Running from: c:\documents and settings\jp\My Documents\Magic Briefcase\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\jp\WINDOWS
c:\windows\CDAC13BA.EXE
c:\windows\CDAC14BA.DLL
c:\windows\Downloaded Program Files\ocget.dll
c:\windows\system32\csh390D.tmp
c:\windows\system32\csh44BC.tmp
c:\windows\system32\csh5793.tmp
c:\windows\system32\csh713D.tmp
c:\windows\system32\drivers\8763cb8ce1c4a1c5.sys
c:\windows\system32\qdc2712.tmp
c:\windows\system32\qdc334B.tmp
c:\windows\system32\qdc5786.tmp
c:\windows\system32\qdc6F5C.tmp
c:\windows\system32\SET248.tmp
c:\windows\system32\SET254.tmp
c:\windows\system32\SET25D.tmp
c:\windows\system32\SET25E.tmp
c:\windows\system32\SET25F.tmp
c:\windows\system32\SET262.tmp
c:\windows\system32\SET26F.tmp
c:\windows\system32\SET278.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_usnjsvc
-------\Legacy_8763cb8ce1c4a1c5
-------\Service_8763cb8ce1c4a1c5
.
.
((((((((((((((((((((((((( Files Created from 2012-04-28 to 2012-05-28 )))))))))))))))))))))))))))))))
.
.
2012-05-28 15:28 . 2012-05-28 15:28 -------- d-----w- c:\program files\XP TCPIP Repair
2012-05-28 15:28 . 2012-05-28 15:28 -------- d-----w- c:\documents and settings\All Users\Application Data\blekko toolbars
2012-05-28 15:27 . 2012-05-28 15:28 -------- d-----w- c:\documents and settings\jp\Application Data\blekkotb_031
2012-05-28 15:27 . 2012-05-28 15:28 -------- d-----w- c:\program files\blekkotb_031
2012-05-28 15:27 . 2012-05-28 15:27 -------- d-----w- c:\documents and settings\jp\Local Settings\Application Data\blekkotb_031
2012-05-28 15:27 . 2012-05-28 15:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Anti-phishing Domain Advisor
2012-05-27 17:15 . 2012-05-27 17:15 -------- d-----w- c:\documents and settings\jp\Application Data\Avira
2012-05-27 17:00 . 2011-07-21 16:15 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-05-27 17:00 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2012-05-27 17:00 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2012-05-27 17:00 . 2012-05-27 17:00 -------- d-----w- c:\program files\Avira
2012-05-27 17:00 . 2012-05-27 17:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2012-05-22 22:15 . 2012-05-22 22:15 -------- d-----w- c:\documents and settings\Administrator.DELL8200\Application Data\Malwarebytes
2012-05-22 22:15 . 2012-05-22 22:15 -------- d-sh--w- c:\documents and settings\Administrator.DELL8200\PrivacIE
2012-05-22 22:14 . 2012-05-22 22:14 -------- d-sh--w- c:\documents and settings\Administrator.DELL8200\IETldCache
2012-05-22 12:21 . 2012-05-22 12:21 -------- d-----w- c:\documents and settings\jp\Application Data\ElevatedDiagnostics
2012-05-22 12:09 . 2012-05-22 12:09 -------- d-----w- c:\program files\Windows Resource Kits
2012-05-04 23:38 . 2012-05-04 23:38 -------- d-----w- c:\program files\iPod
2012-05-03 10:51 . 2012-05-03 10:51 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-03 10:50 . 2012-05-03 10:50 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-05-03 10:50 . 2012-05-03 10:50 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-08 12:05 . 2011-10-22 12:04 137928 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-05-04 21:05 . 2012-03-29 10:57 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-04 21:05 . 2011-05-15 11:20 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-22 11:30 . 2012-03-31 14:45 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2012-04-11 13:12 . 2002-06-25 21:50 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 13:10 . 2002-06-25 21:43 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 12:35 . 2002-06-25 21:43 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 19:56 . 2012-01-04 01:26 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-31 14:45 . 2012-03-31 14:45 53248 ----a-r- c:\documents and settings\jp\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2012-03-01 11:01 . 2004-02-06 22:05 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2002-12-03 00:24 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2002-12-03 00:22 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2002-06-25 21:50 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2002-06-25 21:38 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2012-05-03 10:50 . 2012-02-02 21:47 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2005-10-14 02:27 422400 --sha-r- c:\windows\x2.64.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8769adce-dba5-48e9-afb5-67b12cdf2e61}]
2012-05-18 19:44 85288 ----a-w- c:\program files\blekkotb_031\blekkotb_019X.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8769adce-dba5-48e9-afb5-67b12cdf2e61}"= "c:\program files\blekkotb_031\blekkotb_019X.dll" [2012-05-18 85288]
.
[HKEY_CLASSES_ROOT\clsid\{8769adce-dba5-48e9-afb5-67b12cdf2e61}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2012-03-19 20:29 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.

This post has been edited 2 times, last edit by "jp1216" (May 28th 2012, 7:04pm)


  • "jp1216" started this thread

Date of registration:
May 23rd 2012

Version:
Avira Free Antivirus

Operating System:
WinXP SP3


29

Monday, May 28th 2012, 6:56pm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2012-03-19 20:29 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2012-03-19 20:29 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2012-03-19 20:29 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SugarSync"="c:\program files\SugarSync\SugarSyncManager.exe" [2012-03-19 9413712]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-07-15 4112384]
"nwiz"="nwiz.exe" [2004-07-15 843776]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"Anti-phishing Domain Advisor"="c:\documents and settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [2012-05-03 217256]
.
c:\documents and settings\jp\Start Menu\Programs\Startup\
PdaNet Desktop.lnk - c:\program files\PdaNet for Android\PdaNetPC.exe [2011-3-12 484976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\Logonui.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2011-09-27 19:03 66328 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
backup=c:\windows\pss\GStartup.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR Media Server.lnk]
backup=c:\windows\pss\NETGEAR Media Server.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express Calendar Checker.lnk]
backup=c:\windows\pss\Ulead Photo Express Calendar Checker.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^jp^Start Menu^Programs^Startup^iMesh.lnk]
backup=c:\windows\pss\iMesh.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^jp^Start Menu^Programs^Startup^PdaNet Desktop.lnk]
backup=c:\windows\pss\PdaNet Desktop.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^jp^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\180ax
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\babeie
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClrSchLoader
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMESys
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D22YuYEYiwkw
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeskAd Service
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NCLaunch
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLoader
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pop-Up Stopper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QD FastAndSafe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHAgent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHBundle
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stcpfdfm
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trickler
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRebates0
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winad Client
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows AdControl
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows AdService
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows AdTools
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xpsystem
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
2002-04-03 06:01 135264 ----a-w- c:\program files\Creative\SBLive\Diagnostics\diagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DropBoxUtility]
2008-02-10 00:53 405504 ----a-w- c:\program files\DropBox\DropBox\DropBox.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EM_EXEC]
2004-01-08 13:50 37888 ----a-w- c:\progra~1\Logitech\MOUSEW~1\system\EM_EXEC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EverioService]
2007-11-01 21:13 151552 ------w- c:\program files\CyberLink\PCM4Everio\EverioService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 23:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iexplore.exe]
2009-03-08 18:09 638816 ----a-w- c:\program files\Internet Explorer\iexplore.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
2001-08-23 21:52 331830 ----a-w- c:\program files\Microsoft Works\wkssb.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2004-07-15 15:42 81920 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 18:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
2001-07-25 19:04 57344 ----a-w- c:\program files\REGSHAVE\Regshave.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
2004-11-11 04:15 111816 ----a-w- c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2001-10-06 00:34 24576 ----a-w- c:\program files\Microsoft Works\wkfud.exe
.

  • "jp1216" started this thread

Date of registration:
May 23rd 2012

Version:
Avira Free Antivirus

Operating System:
WinXP SP3


30

Monday, May 28th 2012, 6:56pm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=2 (0x2)
"Speed Disk service"=2 (0x2)
"NVSvc"=2 (0x2)
"IDriverT"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"comHost"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xolox\\mldonkey\\mlnet.exe"=
"c:\\Program Files\\Xolox\\XoloxEXE.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\Program Files\\messenger\\msmsgs.exe"=
"c:\\Program Files\\NETGEAR\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\NETGEAR\\Media Server\\immsService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\EyeSpyFX\\MyWebcamBroadcasterSetup\\MyWebcamBroadcaster.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/27/2012 1:00 PM 136360]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [11/15/2006 9:54 PM 3744]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [3/31/2012 10:43 AM 12184]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [11/15/2006 9:54 PM 3904]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/3/2012 9:26 PM 654408]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [8/12/2011 5:13 PM 87040]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/18/2008 2:42 PM 24652]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [9/2/2011 2:31 AM 42648]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [9/2/2011 2:31 AM 12184]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/3/2012 9:26 PM 22344]
R3 pneteth;PdaNet Broadband;c:\windows\system32\drivers\pneteth.sys [3/12/2011 10:19 AM 13440]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 3127;3127; [x]
S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\AliEhci.sys [9/25/2003 10:06 PM 104088]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/29/2012 6:57 AM 257696]
S3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\AliRtHub.sys [9/25/2003 10:06 PM 5337]
S3 CFcatchme;CFcatchme;\??\c:\combofix\CFcatchme.sys --> c:\combofix\CFcatchme.sys [?]
S3 fd_dbus;FutureDial USB Composite Device driver (WDM);c:\windows\system32\drivers\fd_dbus.sys [8/3/2004 3:03 PM 51040]
S3 fd_dmdfl;FutureDial USB Modem Filter;c:\windows\system32\drivers\fd_dmdfl.sys [8/3/2004 3:04 PM 6000]
S3 fd_dmdm;FutureDial USB Modem Drivers;c:\windows\system32\drivers\fd_dmdm.sys [8/3/2004 3:04 PM 73984]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [3/11/2011 2:29 PM 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [6/22/2010 7:01 PM 21248]
S3 Lavasoft Kernexplorer;Lavasoft helper driver; [x]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/3/2012 6:51 AM 129976]
S3 OEMSTOR;USB Mass Storage;c:\windows\system32\drivers\USBMSDk.sys [7/24/2003 8:46 PM 17024]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [10/5/2003 3:31 PM 8576]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\DRIVERS\radpms.sys --> c:\windows\system32\DRIVERS\radpms.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AVGIO
*NewlyCreated* - SSMDRV
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 21:05]
.
2012-05-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://blekko.com/ws/?source=c3348dd4&toolbarid=blekkotb_031&u=59C7FA07982F695531BBCB4FC39978F3&tbp=homepage
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = about:blank
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Trusted Zone: xjt.com\xtend
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\jp\Application Data\Mozilla\Firefox\Profiles\rkh1tvn3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.xjet.com
FF - prefs.js: browser.search.selectedEngine - Blekko
FF - prefs.js: keyword.URL - hxxp://blekko.com/ws/?source=c3348dd4&tbp=rbox&toolbarid=blekkotb_031&u=59C7FA07982F695531BBCB4FC39978F3&q=
FF - user.js: general.useragent.extra.brc - BRI/1
.
.
------- File Associations -------
.
vbefile\shell\open2\command=%SystemRoot%\System32\WScript.exe "%1" %*
vbsfile\shell\open2\command=%SystemRoot%\System32\WScript.exe "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\WScript.exe "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

MSConfigStartUp-addmv32 - (no file)

MSConfigStartUp-apprz - (no file)

MSConfigStartUp-crvg - (no file)

MSConfigStartUp-emMON - emMON.exe

MSConfigStartUp-hgqhp - (no file)

MSConfigStartUp-syszo - (no file)

MSConfigStartUp-TomTomHOME - c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

MSConfigStartUp-yaemu - (no file)

AddRemove-CdaC13Ba - c:\windows\CDAC13BA.EXE

AddRemove-HijackThis - c:\files\hijackthis\HijackThis.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-05-28 12:26

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\windows\system32\SET14.tmp 327896 bytes executable

.

scan completed successfully

hidden files: 1

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1757981266-261478967-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(680)

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

.

- - - - - - - > 'explorer.exe'(1472)

c:\windows\system32\WININET.dll

c:\documents and settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll

c:\program files\SugarSync\SugarSyncShellExt.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\mshtml.dll

c:\windows\system32\msls31.dll

c:\windows\system32\hnetcfg.dll

c:\windows\system32\msi.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\System32\drivers\CDAC11BA.EXE

c:\progra~1\NETGEAR\MEDIAS~1\ImmsService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\windows\System32\MsPMSPSv.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\windows\Logi_MwX.Exe

c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE

.

**************************************************************************

.

Completion time: 2012-05-28 12:43:17 - machine was rebooted

ComboFix-quarantined-files.txt 2012-05-28 16:42

.

Pre-Run: 24,526,090,240 bytes free

Post-Run: 25,562,787,840 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=30

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

.

- - End Of File - - 72EF66A1DCA2D95B05D0E813F00FB995

Barrie

Community member

Date of registration:
Jan 31st 2006

Version:
none

Operating System:
Mac OS X 10.8.3


31

Monday, May 28th 2012, 9:41pm

Hi,


Good to hear things are looking better now; just sorry it has taken so long. And the log looks OK. Regarding malware, it is often quicker to format and reinstall Windows than to try and clean the infection.

Quote by jp1216:
Only issue remaining is the CHKDSK blue screen on boot up. Something for that one?

This almost always means there are some physical disk errors that it's trying to resolve, but can't (since that's what a chkdsk checks for, not software).

To save me a long post, have a look here; this will explain how to stop CHKDSK with the command "chkntfs /x c:".
Personally, as you have backed up all your files and will be moving to a new machine soon, I would not worry too much, but that is your decision.


Barrie

This post has been edited 1 times, last edit by "Barrie" (May 28th 2012, 10:46pm)


  • "jp1216" started this thread

Date of registration:
May 23rd 2012

Version:
Avira Free Antivirus

Operating System:
WinXP SP3


32

Tuesday, May 29th 2012, 12:51am

Thanks again for your help. Like I said - I will be replacing this 11 year old desktop this week. Just wanted to figure this bug out. Drives me crazy.... I will continue to use Avira and this forum in the future.

Barrie

Community member

Date of registration:
Jan 31st 2006

Version:
none

Operating System:
Mac OS X 10.8.3


33

Tuesday, May 29th 2012, 8:29am

Hi,

You are most welcome, but it has been you that has done all the work and put in the hours to fix the PC. I have just given hints.


Barrie