Windows Vista and XP oscsock error

F1_Guys
Hey everyone. I'm having an issue on both an XP machine and a Vista machine. The XP machine keeps coming up with an error on startup saying "oscsock is not the right version for the program you are trying to run"; however, it doesn't specify the program. It also has "bb" at the top of the error message, as in the program name. The Vista machine was connected to the network with the XP machine, and all of a sudden that Vista machine started having the same errors and it began to restart all the services, restarting Windows Explorer and shutting down everything. I ran a malware scan in safe mode, found one infected file, I removed it, but the issue is still happening.

Can anyone give me an insight as to how I can resolve this issue?

Thank you for your time



Commented:
Try running the Kaspersky free online virus scanner, which is a good way to find out if you have any viruses or spyware without having to uninstall your existing antivirus software:
http://www.kaspersky.co.uk/virusscanner
Commented:
The fact that the error has appeared on both machines does make it look like an infection ....
Suggest you install and run Trend HijackThis 2.02 on one of the machines:
http://majorgeeks.com/Trend_Micro_HijackThis_d5554.html

Create a folder where you would like the HijackThis file to reside and run it from there, not from the Desktop or a temporary folder.
Run the scan and save the logfile. Then click the "Attach Code Snippet" box, paste the logfile into the "Code Snippet" page and then I'll get it analysed.

For the malware check, did you run Malwarebytes? If not, I recommend downloading and then updating Malwarebytes' Anti-Malware:
http://www.malwarebytes.org/mbam.php
When updated, reboot into Safe Mode by pressing F8 at bootup and run a scan on at least one of the machines.

Commented:
As yet I can find no information on the "oscsock" error, except relating it to an infection. If this is the case, the above scanners will be fine.
 
Should you at any time be unable to reach the Desktops of either machine, we can try running ComboFix by downloading the ComboFix.exe file to a 3rd computer, then transferring it to one of the infected machines using a USB stick. You can rename the ComboFix file to something else such as ComboFix5, or equivalent.
Will post you instructions only if we need to run ComboFix ... please keep us updated ..


Author

Commented:
Thanks for the responses. I have updated Malwarebytes, ran it in safe mode, still no infections. I will do the HijackThis and submit the results.

Author

Commented:
These are the HijackThis results. As we speak, my Task Scheduler Engine service has stopped working and is restarting, same with my Windows Explorer.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:12 PM, on 18/07/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
 
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Majdi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QGCGYISE\HiJackThis[1].exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Majdi\Desktop\HiJackThis[1].exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=91&bd=Pavilion&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=91&bd=Pavilion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=91&bd=Pavilion&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix: 
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_827e372d\aestsrv.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\Windows\system32\Hpservice.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_827e372d\STacSV.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
 
--
End of file - 5874 bytes


Commented:

The only HJT entry that may be a problem is this one:

O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe

I'll continue to research your HJT log file ... meanwhile please note ... if you are running an HP computer, HP have recently released a patch for this particular problem that updates the Microsoft BitLocker program. Details in the following article:

How to Fix BLService.exe error on HP Computers
http://www.pchell.com/support/blservice_error.shtml
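One way to do the kind of triage the comment above describes mechanically, as an added example that is not part of the original thread and not code from HijackThis or its author: a small Python script that parses the O23 service lines of a HijackThis log and flags the properties an analyst looks at first, an "Unknown owner", a "(file missing)" binary, or a binary outside the usual install directories. The sample lines are copied from the log posted above plus one constructed hypothetical entry (marked as such) so the location check has something to report. The script only surfaces entries for manual review; it does not decide that anything is malicious.

```python
# Constructed sample input: O23 lines taken from the HijackThis log posted in
# this thread, plus one hypothetical entry (the last line) so that the
# "outside standard directories" check has a hit. Not a real log.
SAMPLE_O23_LINES = r"""
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\Windows\system32\Hpservice.exe
O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Hypothetical Updater (hypoupd) - Unknown owner - C:\Users\Public\hypoupd.exe
""".strip().splitlines()

# Directories where a legitimately installed service binary is expected to live
# (lower-cased, trailing backslash so "c:\windows" does not match "c:\windowsx").
# Anything else (user profiles, drive root, recycler, temp) is worth a second look.
TRUSTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\progra~1\\",
    "c:\\progra~2\\",
)

FILE_MISSING = "(file missing)"


def parse_o23(line: str):
    """Split one O23 line into (display name, owner, path, file_missing).

    HijackThis writes:  O23 - Service: <name> - <owner> - <path>[ (file missing)]
    Display names may themselves contain " - " or parentheses, so the split is
    done from the right. Returns None for lines that are not O23 entries.
    """
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    parts = line[len(prefix):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = (p.strip() for p in parts)
    file_missing = path.endswith(FILE_MISSING)
    if file_missing:
        path = path[: -len(FILE_MISSING)].strip()
    return name, owner, path, file_missing


def triage_services(lines):
    """Return {display name: [reasons]} for O23 entries that deserve manual review."""
    findings = {}
    for line in lines:
        parsed = parse_o23(line)
        if parsed is None:
            continue
        name, owner, path, file_missing = parsed
        reasons = []
        if owner == "Unknown owner":
            reasons.append("no publisher recorded for the service binary")
        if file_missing:
            reasons.append("service registered but its binary is absent (orphaned entry)")
        if not path.lower().startswith(TRUSTED_ROOTS):
            reasons.append("binary lives outside the standard install directories")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_services(SAMPLE_O23_LINES).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the AVG and HP services pass silently, the Norton entry is reported twice over (unknown owner and missing file), BLService.exe and RichVideo.exe are reported for the unknown owner alone, and the constructed entry under C:\Users\Public is reported for both its owner and its location. Paste the O23 block of a real log into the script's input to get the same shortlist for manual checking.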

Author

Commented:
Okay, thanks. I'll try to run that patch and see how I go. It's really bizarre how all the services restart, and it's not just once, it's constantly doing it every 2 minutes, then it will stop for a few hours.
Commented:
Okay. Well, the HijackThis logfile looks clean, but it only provides a guideline by which to work.

Incidentally, is Safe Mode stable? If it is stable and the HP patch doesn't do the trick, you could try running Process Explorer and see if there are any unusual startup items.
Double-click any offending file. If it is a svchost.exe, then select the Services tab.
You can see what services are in that svchost.exe. Or select the Threads tab to see what .exe or .dll is using the CPU ...

Process Explorer version 11.31:
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx

If still no good, we could assume that there is some hidden nasty and run ComboFix. Will post instructions with advice, ~if~ we need them ...

Author

Commented:
Okay, I have just noticed: if I disable my internet, remove the LAN cable or switch off the wireless, no errors appear. As soon as my computer is connected to the internet, the errors appear. The patch didn't work either. What am I looking for in the startup items?

Author

Commented:
This is what keeps popping up, bringing along the services being restarted.
(attached: oscSock.jpg)
Commented:

Apologies for the delay ... I have been unable to find anything meaningful on "oscSock" and must therefore conclude that it could be a viral or malware infection.

Suggestion therefore is to try running Combofix.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before using ComboFix please disable any realtime Anti-virus, Anti-spyware, Shields, etc. that you may have running, and remember to re-enable them later, upon completion.

Also it may well be necessary to rename ComboFix.exe to Combo-Fix.exe (for example) BEFORE saving it to your desktop, as an infection can often prevent Combo from running.
If you have difficulties running it, try downloading it to another machine (the one you are using to post here, for example), then onto a USB memory stick (or equivalent). Rename it and connect to the problematic machine.

Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log together with a HijackThis log, in a reply for us.
Please do not mouse-click ComboFix's window while it is running, because it may stall. It is absolutely normal for you to see a blue screen with a flashing cursor, and this can last for up to 30 mins. Just let it run.

Ideally ComboFix should be run in normal mode, although it will work in safe mode if you're unable to reach normal mode.

ComboFix will also disconnect your internet connection while it is scanning, but will restore your connection upon completion. If for some reason ComboFix is interrupted and completes prematurely, your internet connection can be restored with a computer restart.

Commented:
Also, with your shields down, you should physically disconnect from the internet, of course.

Author

Commented:
This is the ComboFix log file and the HijackThis log file.

Thanks

ComboFix 09-07-19.04 - Majdi 20/07/2009 22:53.1.2 - NTFSx86
Microsoft® Windows Vista" Home Premium   6.0.6002.2.1252.61.1033.18.3068.2097 [GMT 10:00]
Running from: c:\users\Majdi\Desktop\CF123.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
c:\$recycle.bin\S-1-5-21-1235102316-2483415046-2378013473-500
c:\$recycle.bin\S-1-5-21-1998002852-3921608640-3065260709-500
c:\recycler\S-1-5-21-3672097890-9167875337-046186229-2737
c:\recycler\S-1-5-21-8127874476-7776894838-590774046-4669
c:\recycler\S-1-5-21-8127874476-7776894838-590774046-4669\svchost.exe
c:\recycler\S-1-5-21-8887238097-7516263531-530381145-2283
c:\recycler\S-1-5-21-8968316736-2776506472-897155135-5669
c:\windows\Installer\1b765.msi
c:\windows\Installer\1b769.msi
c:\windows\Installer\1b76d.msi
c:\windows\Installer\1b771.msi
c:\windows\Installer\1b775.msi
c:\windows\Installer\40593a.msi
c:\windows\system32\ATIODCLI.exe
c:\windows\system32\ATIODE.exe
C:\ydhlk.exe
 
.
(((((((((((((((((((((((((   Files Created from 2009-06-20 to 2009-07-20  )))))))))))))))))))))))))))))))
.
 
2009-07-18 08:29 . 2009-07-18 08:34	401720	----a-w-	c:\program files\HiJackThis[1].exe
2009-07-17 08:28 . 2009-06-26 05:01	2301208	----a-w-	c:\programdata\avg8\update\backup\avguiadv.dll
2009-07-17 08:28 . 2009-06-26 05:01	1107224	----a-w-	c:\programdata\avg8\update\backup\avgssie.dll
2009-07-17 08:28 . 2009-06-26 05:01	353048	----a-w-	c:\programdata\avg8\update\backup\avgxch32.dll
2009-07-15 04:39 . 2009-06-15 14:53	156672	----a-w-	c:\windows\system32\t2embed.dll
2009-07-15 04:39 . 2009-06-15 14:52	23552	----a-w-	c:\windows\system32\lpk.dll
2009-07-15 04:39 . 2009-06-15 14:52	72704	----a-w-	c:\windows\system32\fontsub.dll
2009-07-15 04:39 . 2009-06-15 14:51	10240	----a-w-	c:\windows\system32\dciman32.dll
2009-07-15 04:39 . 2009-06-15 12:42	289792	----a-w-	c:\windows\system32\atmfd.dll
2009-07-14 17:17 . 2009-07-15 13:20	174399	----a-w-	C:\qenci.exe
2009-07-14 17:17 . 2009-07-15 13:18	660	----a-w-	C:\retn.exe
2009-07-12 13:17 . 2009-07-12 13:17	--------	d-----w-	c:\windows\system32\dllcache
2009-07-12 13:17 . 2004-08-10 19:00	4224	----a-w-	c:\windows\system32\dllcache\beep.sys
2009-07-12 13:16 . 2004-08-10 19:00	16384	----a-w-	c:\windows\system32\tskill.exe
2009-07-12 12:38 . 2009-07-12 12:47	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2009-07-12 06:21 . 2009-07-12 06:21	--------	d-----w-	c:\program files\Common Files\PX Storage Engine
2009-07-12 06:21 . 2009-07-12 06:21	--------	d-----w-	c:\program files\Common Files\DivX Shared
2009-07-12 06:21 . 2009-07-12 06:22	--------	d-----w-	c:\program files\DivX
2009-07-12 06:16 . 2009-07-12 06:16	--------	d-----w-	c:\program files\Belarc
2009-07-09 13:07 . 2009-07-09 13:07	--------	d-----w-	c:\program files\Citrix
2009-07-07 11:50 . 2009-07-07 11:50	3403032	----a-w-	c:\programdata\avg8\update\backup\avgui.exe
2009-07-07 11:50 . 2009-06-26 05:01	2052376	----a-w-	c:\programdata\avg8\update\backup\avgcorex.dll
2009-07-07 11:50 . 2009-06-26 05:01	2314496	----a-w-	c:\programdata\avg8\update\backup\avgdiagex.exe
2009-07-07 11:50 . 2009-06-26 05:01	3298072	----a-w-	c:\programdata\avg8\update\backup\setup.exe
2009-07-07 11:50 . 2009-06-26 05:01	1204504	----a-w-	c:\programdata\avg8\update\backup\avgabout.dll
2009-07-07 11:50 . 2009-06-26 05:01	337176	----a-w-	c:\programdata\avg8\update\backup\avglogx.dll
2009-07-07 11:50 . 2009-06-26 05:01	829208	----a-w-	c:\programdata\avg8\update\backup\avgcfgx.dll
2009-07-06 11:41 . 2009-07-06 11:41	--------	d-----w-	c:\users\Majdi\AppData\Local\QuickPlay
2009-07-06 08:03 . 2008-02-15 09:21	459264	----a-w-	c:\windows\system32\drivers\uxkx1.sys
2009-07-05 07:47 . 2006-09-12 10:00	74240	----a-w-	c:\programdata\CanonBJ\IJPrinter\CNMWindows\Canon iP3300\LanguageModules\0409\CNMsr84.dll
2009-07-05 07:47 . 2006-09-12 10:00	73216	----a-w-	c:\programdata\CanonBJ\IJPrinter\CNMWindows\Canon iP3300\LanguageModules\0411\CNMlr84.dll
2009-07-05 07:47 . 2006-09-12 10:00	42496	----a-w-	c:\programdata\CanonBJ\IJPrinter\CNMWindows\Canon iP3300\LanguageModules\0411\CNMsr84.dll
2009-07-05 07:47 . 2006-09-12 10:00	334848	----a-w-	c:\programdata\CanonBJ\IJPrinter\CNMWindows\Canon iP3300\LanguageModules\0409\CNMur84.dll
2009-07-05 07:47 . 2006-09-12 10:00	249344	----a-w-	c:\programdata\CanonBJ\IJPrinter\CNMWindows\Canon iP3300\LanguageModules\0411\CNMur84.dll
2009-07-05 07:47 . 2006-09-12 10:00	130048	----a-w-	c:\programdata\CanonBJ\IJPrinter\CNMWindows\Canon iP3300\LanguageModules\0409\CNMlr84.dll
2009-07-05 07:47 . 2009-07-05 07:47	--------	d--h--w-	c:\programdata\CanonBJ
2009-07-05 07:46 . 2006-09-12 10:00	197632	----a-w-	c:\windows\system32\CNMLM84.DLL
2009-07-04 11:20 . 2009-07-04 11:20	--------	d-----w-	c:\users\Majdi\AppData\Roaming\UltraVNC
2009-07-04 11:19 . 2009-07-04 11:19	--------	d-----w-	c:\program files\UltraVNC
2009-07-01 13:46 . 2009-07-01 13:46	--------	d-----w-	c:\program files\ffdshow
2009-07-01 13:46 . 2009-06-20 09:28	85504	----a-w-	c:\windows\system32\ff_vfw.dll
2009-07-01 13:46 . 2009-06-14 06:21	60273	----a-w-	c:\windows\system32\pthreadGC2.dll
2009-06-30 12:47 . 2009-07-02 13:24	--------	d-----w-	C:\Movies
2009-06-29 13:23 . 2009-06-29 13:23	--------	d-----w-	c:\programdata\TomTom
2009-06-29 13:22 . 2009-06-29 13:22	--------	d-----w-	c:\users\Majdi\AppData\Roaming\TomTom
2009-06-29 13:22 . 2009-06-29 13:22	--------	d-----w-	c:\users\Majdi\AppData\Local\TomTom
2009-06-29 13:22 . 2009-06-29 13:22	--------	d-----w-	c:\program files\TomTom International B.V
2009-06-29 13:22 . 2009-06-29 13:22	--------	d-----w-	c:\program files\TomTom HOME 2
2009-06-29 12:34 . 2009-06-29 12:34	--------	d-----w-	c:\program files\TomTom DesktopSuite
2009-06-28 12:55 . 2005-05-26 05:34	2297552	----a-w-	c:\windows\system32\d3dx9_26.dll
2009-06-28 11:03 . 2009-07-13 12:47	--------	d--h--w-	c:\windows\msdownld.tmp
2009-06-28 10:05 . 2009-06-28 13:18	--------	d-----w-	c:\users\Majdi\AppData\Local\Microsoft Games
2009-06-28 09:53 . 2009-06-28 09:53	--------	d-----w-	c:\users\Majdi\AppData\Roaming\funkitron
2009-06-27 07:28 . 2009-07-09 12:55	--------	d-----w-	c:\users\Majdi\AppData\Local\Deployment
2009-06-27 07:28 . 2009-06-27 07:28	--------	d-----w-	c:\users\Majdi\AppData\Local\Apps
2009-06-27 07:14 . 2009-06-27 07:14	354560	----a-w-	c:\windows\system32\TuneUpDefragService.exe
2009-06-27 07:14 . 2008-04-04 04:51	28416	----a-w-	c:\windows\system32\uxtuneup.dll
2009-06-27 07:14 . 2008-04-04 04:51	16640	----a-w-	c:\windows\system32\authuitu.dll
2009-06-27 03:29 . 2009-07-17 16:14	--------	d-----w-	c:\users\Majdi\AppData\Roaming\LimeWire
2009-06-26 09:11 . 2009-06-26 09:11	--------	d-----w-	c:\program files\Microsoft Silverlight
2009-06-26 09:08 . 2009-06-26 09:08	--------	d-----w-	c:\program files\LSI SoftModem
2009-06-26 09:00 . 2009-05-09 05:34	71680	----a-w-	c:\windows\system32\iesetup.dll
2009-06-26 09:00 . 2009-05-09 05:50	915456	----a-w-	c:\windows\system32\wininet.dll
2009-06-26 08:51 . 2009-06-26 08:51	--------	d-----w-	c:\users\Majdi\AppData\Local\Microsoft Help
2009-06-26 05:02 . 2009-06-26 05:01	327688	----a-w-	c:\programdata\avg8\update\backup\avgldx86.sys
2009-06-26 05:02 . 2009-06-25 13:54	12552	----a-w-	c:\programdata\avg8\update\backup\avgrkx86.sys
2009-06-26 05:02 . 2009-06-25 13:54	107272	----a-w-	c:\programdata\avg8\update\backup\avgtdix.sys
2009-06-26 05:02 . 2009-06-25 13:54	10520	----a-w-	c:\programdata\avg8\update\backup\avgrsstx.dll
2009-06-26 05:02 . 2009-06-25 13:54	27656	----a-w-	c:\programdata\avg8\update\backup\avgmfx86.sys
2009-06-26 05:02 . 2009-06-25 13:54	484120	----a-w-	c:\programdata\avg8\update\backup\avgrsx.exe
2009-06-26 01:50 . 2009-06-26 01:49	1454360	----a-w-	c:\programdata\avg8\update\backup\avgupd.dll
2009-06-26 01:50 . 2009-06-26 01:49	1085208	----a-w-	c:\programdata\avg8\update\backup\avgupd.exe
2009-06-26 01:50 . 2009-06-25 13:54	746264	----a-w-	c:\programdata\avg8\update\backup\avginet.dll
2009-06-26 01:50 . 2009-06-25 13:54	582936	----a-w-	c:\programdata\avg8\update\backup\avgiproxy.exe
2009-06-25 16:07 . 2009-06-25 16:07	529224	----a-w-	c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-06-25 15:48 . 2009-06-25 15:48	--------	d-----w-	c:\users\Majdi\AppData\Local\Citrix
2009-06-25 15:28 . 2009-06-25 15:28	--------	d-----w-	c:\program files\CCleaner
2009-06-25 15:09 . 2009-06-25 15:09	--------	d-----w-	c:\users\Majdi\AppData\Roaming\TuneUp Software
2009-06-25 15:09 . 2009-06-25 15:09	--------	d-----w-	c:\programdata\TuneUp Software
2009-06-25 15:09 . 2009-06-27 07:14	--------	d-----w-	c:\program files\TuneUp Utilities 2008
2009-06-25 15:08 . 2009-06-25 15:08	--------	d-----w-	c:\program files\Common Files\Wise Installation Wizard
2009-06-25 14:14 . 2009-07-12 12:47	3561743	----a-w-	c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-25 13:59 . 2009-06-25 13:59	--------	d-----w-	c:\users\Majdi\AppData\Roaming\Malwarebytes
2009-06-25 13:59 . 2009-06-17 01:27	19096	----a-w-	c:\windows\system32\drivers\mbam.sys
2009-06-25 13:59 . 2009-06-17 01:27	38160	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-25 13:59 . 2009-06-25 13:59	--------	d-----w-	c:\programdata\Malwarebytes
2009-06-25 13:55 . 2009-07-15 03:14	--------	d--h--w-	C:\$AVG8.VAULT$
2009-06-25 13:54 . 2009-06-26 05:01	11952	----a-w-	c:\windows\system32\avgrsstx.dll
2009-06-25 13:54 . 2009-06-26 05:01	12552	----a-w-	c:\windows\system32\drivers\avgrkx86.sys
2009-06-25 13:54 . 2009-06-26 05:01	108552	----a-w-	c:\windows\system32\drivers\avgtdix.sys
2009-06-25 13:54 . 2009-07-07 11:50	335752	----a-w-	c:\windows\system32\drivers\avgldx86.sys
2009-06-25 13:54 . 2009-06-26 05:01	27784	----a-w-	c:\windows\system32\drivers\avgmfx86.sys
2009-06-25 13:54 . 2009-07-20 12:39	--------	d-----w-	c:\windows\system32\drivers\Avg
2009-06-25 13:54 . 2009-06-25 13:54	--------	d-----w-	c:\program files\AVG
2009-06-25 13:54 . 2009-06-25 13:54	--------	d-----w-	c:\programdata\avg8
2009-06-25 13:47 . 2009-07-09 12:55	108856	----a-w-	c:\users\Majdi\g2ax_expert_downloadhelper_win32_x86.exe
2009-06-25 13:35 . 2009-07-02 11:56	--------	d-----w-	c:\users\Majdi\AppData\Local\Adobe
2009-06-25 13:03 . 2009-06-25 13:03	--------	d-----w-	c:\program files\Common Files\xing shared
2009-06-25 13:02 . 2009-06-27 07:30	--------	d-----w-	c:\users\Majdi\AppData\Local\Google
2009-06-25 13:02 . 2009-06-25 13:48	--------	d-----w-	c:\program files\Google
2009-06-25 13:02 . 2009-06-25 13:03	--------	d-----w-	c:\program files\Common Files\Real
2009-06-25 13:02 . 2009-06-25 13:02	--------	d-----w-	c:\program files\Real
2009-06-25 13:01 . 2009-06-25 13:01	--------	d-----w-	c:\users\Majdi\AppData\Roaming\vlc
2009-06-25 12:54 . 2009-06-25 12:54	--------	d-----w-	c:\program files\VideoLAN
2009-06-25 12:52 . 2009-06-25 12:52	--------	d-----w-	c:\program files\LimeWire
2009-06-25 12:51 . 2009-06-25 13:06	--------	d-----w-	c:\program files\DVD Shrink
2009-06-25 12:51 . 2009-06-25 12:51	--------	d-----w-	c:\programdata\DVD Shrink
2009-06-25 12:28 . 2009-06-25 12:28	--------	d-----w-	c:\program files\Microsoft
2009-06-25 12:28 . 2009-06-25 12:28	--------	d-----w-	c:\program files\Windows Live SkyDrive
2009-06-24 14:55 . 2009-06-24 14:55	--------	d-----w-	c:\users\Public\CyberLink
2009-06-24 14:44 . 2009-06-24 14:44	--------	d-----w-	c:\users\Majdi\AppData\Roaming\Motorola
2009-06-24 14:42 . 2009-06-24 14:42	--------	d-----w-	c:\users\Majdi\AppData\Local\CyberLink
2009-06-24 14:42 . 2009-06-24 14:42	--------	d-----w-	c:\users\Majdi\AppData\Local\PowerCinema
2009-06-24 14:26 . 2009-07-20 12:47	--------	d-----w-	c:\users\Majdi\Tracing
2009-06-24 12:53 . 2009-06-24 12:53	--------	d-----w-	c:\program files\Windows Live
2009-06-24 12:43 . 2009-06-24 12:43	--------	d-----w-	c:\users\Majdi\AppData\Roaming\WildTangent
2009-06-24 12:27 . 2009-06-24 12:27	--------	d-----w-	c:\program files\Common Files\Windows Live
2009-06-24 08:56 . 2009-06-24 08:56	--------	d-----w-	c:\windows\system32\ca-ES
2009-06-24 08:56 . 2009-06-24 08:56	--------	d-----w-	c:\windows\system32\eu-ES
2009-06-24 08:56 . 2009-06-24 08:56	--------	d-----w-	c:\windows\system32\vi-VN
2009-06-24 08:51 . 2009-06-24 08:51	--------	d-----w-	c:\windows\system32\SPReview
2009-06-24 08:36 . 2009-04-10 13:28	928768	----a-w-	c:\windows\system32\scavenge.dll
2009-06-24 08:36 . 2009-04-10 13:27	57856	----a-w-	c:\windows\system32\compcln.exe
2009-06-24 08:34 . 2009-04-10 13:28	98816	----a-w-	c:\windows\system32\mfps.dll
2009-06-24 08:31 . 2009-06-24 08:31	--------	d-----w-	c:\windows\system32\EventProviders
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-19 16:00 . 2009-05-20 10:19	12	----a-w-	c:\windows\bthservsdp.dat
2009-07-19 06:54 . 2009-07-19 06:54	5412	----a-w-	c:\program files\hijackthis.log
2009-07-15 04:59 . 2006-11-02 11:18	--------	d-----w-	c:\program files\Windows Mail
2009-07-15 04:59 . 2009-01-17 11:39	--------	d-----w-	c:\programdata\Microsoft Help
2009-07-06 11:41 . 2009-01-17 12:19	--------	d-----w-	c:\programdata\CyberLink
2009-06-28 09:51 . 2009-01-17 11:23	--------	d-----w-	c:\programdata\WildTangent
2009-06-26 09:05 . 2009-01-17 11:42	--------	d-----w-	c:\program files\Microsoft Works
2009-06-24 15:05 . 2009-01-17 11:41	--------	d-----w-	c:\program files\Microsoft.NET
2009-06-24 15:03 . 2009-01-17 11:45	--------	d-----w-	c:\program files\Microsoft Small Business
2009-06-24 14:47 . 2009-01-17 10:55	--------	d--h--w-	c:\program files\InstallShield Installation Information
2009-06-24 14:07 . 2009-01-17 13:33	--------	d-----w-	c:\program files\SMINST
2009-06-24 08:56 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Sidebar
2009-06-24 08:56 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Photo Gallery
2009-06-24 08:56 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Journal
2009-06-24 08:56 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Collaboration
2009-06-24 08:56 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Calendar
2009-06-24 08:56 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Defender
2009-06-24 08:55 . 2006-11-02 10:25	665600	----a-w-	c:\windows\inf\drvindex.dat
2009-06-24 08:25 . 2009-01-17 10:57	--------	d-----w-	c:\programdata\Norton
2009-06-24 06:08 . 2009-01-17 12:50	--------	d-----w-	c:\program files\Java
2009-06-24 05:49 . 2009-06-24 05:49	0	--sha-r-	c:\windows\system32\drivers\103C_HP_cNB_Pavilion dv6 Notebook PC_Y5335KV_0U_QCNF9201DQ5_E510505-371_4A_I3628_SQuanta_V18.37_F.21_T090423_WV3-1_L409_M3069_J250_7Intel_867A_92.53_#090520_N10EC8168;80864237_(VF040PA#ABG)_XMOBILE_CN10_Z_2Rev 1.MRK
2009-06-03 10:43 . 2009-06-03 10:43	407040	----a-w-	c:\windows\system32\drivers\stwrt.sys
2009-06-03 10:43 . 2009-06-03 10:43	405504	----a-w-	c:\windows\system32\stcplx.dll
2009-06-03 10:43 . 2009-05-20 10:27	536576	----a-w-	c:\windows\system32\idtmini1.exe
2009-06-03 10:43 . 2009-05-20 10:27	450652	----a-w-	c:\windows\sttray.exe
2009-06-03 10:43 . 2009-05-20 10:27	3567616	----a-w-	c:\windows\system32\stlang.dll
2009-06-03 10:43 . 2009-05-20 10:27	175104	----a-w-	c:\windows\system32\staco.dll
2009-06-03 10:43 . 2009-05-20 10:27	914432	----a-w-	c:\windows\system32\stapo.dll
2009-06-03 10:43 . 2009-05-20 10:27	483840	----a-w-	c:\windows\system32\stapi32.dll
2009-05-24 20:50 . 2009-05-24 20:50	164864	----a-w-	c:\windows\system32\drivers\Rtlh86.sys
2009-05-20 10:59 . 2009-05-20 10:59	53319	----a-w-	c:\programdata\Temp\{D36DD326-7280-11D8-97C8-000129760CBE}\PostBuild.exe
2009-05-20 10:59 . 2009-05-20 10:59	53319	----a-w-	c:\programdata\Temp\{051B9612-4D82-42AC-8C63-CD2DCEDC1CB3}\PostBuild.exe
2009-05-20 10:58 . 2009-05-20 10:58	36864	----a-w-	c:\programdata\Temp\{9867824A-C86D-4A83-8F3C-E7A86BE0AFD3}\PostBuild.exe
2009-05-20 10:57 . 2009-05-20 10:57	36864	----a-w-	c:\programdata\Temp\{23F3DA62-2D9E-4A69-B8D5-BE8E9E148092}\PostBuild.exe
2009-05-20 10:57 . 2009-05-20 10:57	53319	----a-w-	c:\programdata\Temp\{4FC670EB-5F02-4B07-90DB-022B86BFEFD0}\PostBuild.exe
2009-05-20 10:57 . 2009-01-17 12:19	1066544	----a-w-	c:\windows\system32\MFC71.dll
2009-05-20 10:57 . 2009-01-17 12:19	36864	----a-w-	c:\programdata\Temp\{5DB1DF0C-AABC-4362-8A6D-CEFDFB036E41}\PostBuild.exe
2009-05-20 10:56 . 2009-05-20 10:56	36864	----a-w-	c:\programdata\Temp\{01FB4998-33C4-4431-85ED-079E3EEFE75D}\PostBuild.exe
2009-05-20 10:55 . 2009-05-20 10:55	36864	----a-w-	c:\programdata\Temp\{67626E09-5366-4480-8F1E-93FADF50CA15}\PostBuild.exe
2009-05-20 10:53 . 2009-05-20 10:53	36864	----a-w-	c:\programdata\Temp\{B2EE25B9-5B00-4ACF-94F0-92433C28C39E}\PostBuild.exe
2009-05-20 10:52 . 2009-05-20 10:52	36864	----a-w-	c:\programdata\Temp\{DCCAD079-F92C-44DA-B258-624FC6517A5A}\PostBuild.exe
2009-05-20 10:50 . 2009-05-20 10:50	0	----a-w-	c:\windows\ativpsrm.bin
2009-05-01 21:02 . 2009-05-01 21:02	90112	----a-w-	c:\windows\system32\dpl100.dll
2009-05-01 21:02 . 2009-05-01 21:02	823296	----a-w-	c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02	823296	----a-w-	c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02	815104	----a-w-	c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02	811008	----a-w-	c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02	802816	----a-w-	c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02	685056	----a-w-	c:\windows\system32\DivX.dll
2009-01-17 12:16 . 2009-01-17 12:05	8192	--sha-w-	c:\windows\Users\Default\NTUSER.DAT
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
 
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):11,09,22,88,aa,f4,c9,01
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1998002852-3921608640-3065260709-1003]
"EnableNotificationsRef"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{ACEA18D1-B680-4FB7-9F93-836B97C7B3EC}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{60C7F3E6-06E6-468E-92DE-3A0B72B6EE90}"= c:\program files\CyberLink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{0A0D34B0-E448-4AAA-A344-31671A31BEC3}"= c:\program files\Hewlett-Packard\Media\DVD\HPTouchSmartMusic.exe:HP TouchSmart Music
"{3F7DF1C3-76E2-4470-816D-9D4752248709}"= c:\program files\Hewlett-Packard\Media\DVD\HPTouchSmartPhoto.exe:HP TouchSmart Photo
"{A79B5CD9-D3FF-4727-B6FC-610377BBE829}"= c:\program files\Hewlett-Packard\Media\DVD\HPTouchSmartVideo.exe:HP TouchSmart Video
"{25DE908E-DCF2-4149-8EB7-866F07860FA1}"= c:\program files\Hewlett-Packard\Media\DVD\TSMAgent.exe:HP TouchSmart Media Resident Program
"{BBC4085E-141E-45A8-9531-343B4CD9FD67}"= c:\program files\Hewlett-Packard\Media\DVD\Kernel\CLML\CLMLSvc.exe:CyberLink Media Service
"{4FD95A8E-42F2-4902-812E-5D34270CEE94}"= c:\program files\Hewlett-Packard\Media\DVD\HPDVDSmart.exe:HP MediaSmart DVD
"{EEFB71AC-E4A5-4D86-8355-5D19053E454C}"= c:\program files\Hewlett-Packard\TouchSmart\Media\HPTouchSmartMusic.exe:HP TouchSmart Music
"{4EF93A48-E18B-4815-88DE-420FDD8939BB}"= c:\program files\Hewlett-Packard\TouchSmart\Media\HPTouchSmartPhoto.exe:HP TouchSmart Photo
"{5A19DF0D-1CFE-431E-A58D-F3D68B47B163}"= c:\program files\Hewlett-Packard\TouchSmart\Media\HPTouchSmartVideo.exe:HP TouchSmart Video
"{59DAB3C4-3644-4588-9898-D1FC889D3D92}"= c:\program files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe:HP TouchSmart Media Resident Program
"{176CAEA7-F1BE-4373-8034-E7998C65F406}"= c:\program files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe:CyberLink Media Service
"{3149FFA6-A508-4EDA-9947-C98634F7C4D8}"= c:\program files\Hewlett-Packard\Media\TV\QP.exe:Quick Play
"{7C4B63E6-D20D-49C2-94B6-93A2657851D8}"= c:\program files\Hewlett-Packard\Media\TV\QPService.exe:Quick Play Resident Program
"TCP Query User{074F6AB6-2142-4D48-8CEC-1E4A7080BB4F}c:\\program files\\hp games\\polar pool\\polarpool.exe"= UDP:c:\program files\hp games\polar pool\polarpool.exe:PolarPool
"UDP Query User{5D23E5FE-3B5B-4097-9BB9-11281B488B5A}c:\\program files\\hp games\\polar pool\\polarpool.exe"= TCP:c:\program files\hp games\polar pool\polarpool.exe:PolarPool
"{1817132B-BC5B-4E21-A370-5E78B0B501E5}"= UDP:c:\windows\explorer.exe:Explorer
"{C9C6DE1B-0ECB-4222-B33A-C389735C4C5D}"= TCP:c:\windows\explorer.exe:Explorer
"{F2F5844C-71C8-4007-9A86-F58826F5328B}"= c:\program files\AVG\AVG8\avgam.exe:avgam.exe
"{2F862574-F1E3-4510-8E0C-D98E20ACA82F}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{BAB2A442-CD5F-4957-A6F7-51AFD3A54D1C}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"{B2440584-E674-46A3-8EB0-DE8A6AEBC0C0}"= UDP:c:\windows\System32\wermgr.exe:wermgr
"{6707AF4B-0564-42EA-BD54-C0ED405FB464}"= TCP:c:\windows\System32\wermgr.exe:wermgr
"{708FB410-FEC0-432C-A71F-F27925EF4084}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{03650254-0AFE-4353-8F8A-126B465A792C}"= TCP:c:\windows\System32\winlogon.exe:winlogon
"{EEC11BEB-8C05-4BA0-8F27-E6BF70E7D638}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{9ADA8A52-D2BA-4A5A-805F-A1912E605380}"= TCP:c:\windows\System32\winlogon.exe:winlogon
"{A1ADA119-8FCF-4381-A99E-5A6A487080EB}"= UDP:c:\windows\System32\wininit.exe:wininit
"{F1A329A8-3617-416D-B964-0F551085FE3D}"= TCP:c:\windows\System32\wininit.exe:wininit
"{30E26768-A88A-4A5D-9A2E-0E52FE1F563A}"= UDP:c:\windows\System32\wininit.exe:wininit
"{65221D19-A415-49FD-8386-D29D23A4ACA3}"= TCP:c:\windows\System32\wininit.exe:wininit
"{DF1987D5-A2BD-43B6-9BB8-6529FC59CAB3}"= UDP:c:\windows\System32\lsass.exe:lsass
"{685B3572-37E0-4F5D-98A2-21B41947616B}"= TCP:c:\windows\System32\lsass.exe:lsass
"{2DFD6EF8-44B6-41B5-A0F8-35082504D0DE}"= UDP:c:\windows\System32\lsass.exe:lsass
"{9ED05ED9-7161-473B-9D54-8355BE92F6A8}"= TCP:c:\windows\System32\lsass.exe:lsass
"{7D153AFF-539B-4708-A466-1CB8B3A50716}"= UDP:c:\program files\UltraVNC\vncviewer.exe:vncviewer.exe
"{868773BB-EF94-4FF3-8195-7FFA722FAB4A}"= TCP:c:\program files\UltraVNC\vncviewer.exe:vncviewer.exe
"{27379C86-DCCC-48BE-AB20-BAE2F5C01A2A}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{6DC5332F-4014-41A8-A035-7356ACF2848C}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DoNotAllowExceptions"= 0 (0x0)
 
R0 AvgRkx86;avgrkx86.sys;c:\windows\System32\drivers\avgrkx86.sys [25/06/2009 11:54 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [25/06/2009 11:54 PM 335752]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [25/06/2009 11:54 PM 108552]
R2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/05/20 03:53];c:\program files\Hewlett-Packard\Media\DVD\000.fcl [29/11/2008 11:04 AM 87536]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_827e372d\AEstSrv.exe [2/03/2009 6:43 PM 81920]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [26/06/2009 3:01 PM 298776]
R2 hpsrv;HP Service;c:\windows\System32\hpservice.exe [19/03/2008 9:24 AM 19456]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [17/01/2009 11:33 PM 365952]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [3/06/2009 10:46 PM 92008]
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [5/09/2008 3:47 AM 54784]
R3 JMCR;JMCR;c:\windows\System32\drivers\jmcr.sys [23/10/2008 7:42 PM 107360]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [17/11/2008 3:40 PM 3668480]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [17/01/2009 9:11 PM 222512]
S3 uxkx1;ASUS My Cinema U3100 Mini DVBT;c:\windows\System32\drivers\uxkx1.sys [6/07/2009 6:03 PM 459264]
S4 Norton Internet Security;Norton Internet Security;"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 --> c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [?]
S4 TVCapSvc;TV Background Capture Service (TVBCS);c:\program files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe [27/11/2008 10:13 AM 296320]
S4 TVSched;TV Task Scheduler (TVTS);c:\program files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe [27/11/2008 10:13 AM 116096]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs	REG_MULTI_SZ   	BthServ
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp
 
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
 
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
 
2009-07-20 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-02-29 23:59]
 
2009-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1998002852-3921608640-3065260709-1003Core.job
- c:\users\Majdi\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-27 07:28]
 
2009-07-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1998002852-3921608640-3065260709-1003UA.job
- c:\users\Majdi\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-27 07:28]
 
2009-07-20 c:\windows\Tasks\User_Feed_Synchronization-{AA58485A-6EE0-4272-A137-B16EDFAF8A1F}.job
- c:\windows\system32\msfeedssync.exe [2009-06-26 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=91&bd=Pavilion&pf=cnnb
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
 
**************************************************************************
 
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-20 22:57
Windows 6.0.6002 Service Pack 2 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ... 
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
 
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
 
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
 
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2009-07-20 22:58
ComboFix-quarantined-files.txt  2009-07-20 12:58
 
Pre-Run: 149,638,840,320 bytes free
Post-Run: 149,628,772,352 bytes free
 
347	--- E O F ---	2009-07-15 04:59
 
################################################################################################################################################
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:32 PM, on 20/07/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
 
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\notepad.exe
C:\Windows\Explorer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis[1].exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=91&bd=Pavilion&pf=cnnb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix: 
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_827e372d\aestsrv.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\Windows\system32\Hpservice.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_827e372d\STacSV.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
 
--
End of file - 4850 bytes


Commented:
First, are you still receiving the oscsock error after running Combo?

Your HijackThis log looks clean except for this doubtful entry>
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe

Found a reference to BLService.exe in the link below, and reference is made to an HP printer issue.  It offers two solutions you may wish to try:

1:  Run MSCONFIG and disable "Recovery Service for Windows" or, rename BLService.exe.

Details>
"BLService.exe ERROR":
http://forum.notebookreview.com/showthread.php?t=306788

Will report on your Combo log later ...
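
The triage above (a HijackThis log that "looks clean except for" one O23 service with an unknown owner) can be turned into a small script. The code below is an added example, not HijackThis's own logic and not code from this thread: it parses O-lines, pulls out each entry's binary path, and flags O23 services with no vendor, any O20 AppInit_DLLs entry, and anything launched from outside the Windows and Program Files trees. The first six sample lines are copied from the log posted above; the final O4 line is constructed for the example, pointing at the C:\ydhlk.exe path mentioned later in the thread, and the flagging rules are the author's assumptions, not HijackThis scoring.

```python
"""Flag HijackThis O-line entries that deserve a second look.

Added example: not part of the original thread and not HijackThis code.
The rules below are assumptions an analyst might apply when triaging a log.
"""
import re
from dataclasses import dataclass

# Constructed sample. Lines 1-6 are copied from the HijackThis log posted in
# the thread; the last O4 line is made up for this example and points at the
# C:\ydhlk.exe path that the thread's expert singled out as suspicious.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O4 - HKLM\..\Run: [ydhlk] C:\ydhlk.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
SEP = " - "

# Assumed "expected" install locations; anything else is worth a look.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\progra~1\\",
    "c:\\program files (x86)\\",
)


@dataclass
class Finding:
    section: str   # e.g. "O23"
    path: str      # binary or DLL the entry points at
    reason: str    # why an analyst should check it


def _extract_path(section: str, body: str) -> str:
    """Pull the executable/DLL path out of an O-line body, by section type."""
    if section == "O4":
        # "HKCU\..\Run: [name] path"
        _, _, path = body.partition("] ")
        return path.strip()
    if section == "O20":
        # "AppInit_DLLs: path"
        return body.split(":", 1)[1].strip()
    # O2 (BHO) and O23 (Service) lines end with " - path"
    return body.rsplit(SEP, 1)[-1].strip()


def triage(log_text: str) -> list:
    """Return a Finding for every O-line that matches one of the rules."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        path = _extract_path(section, body)

        if section == "O23":
            # "Service: name - vendor - path": vendor is the second-to-last field
            parts = body.split(SEP)
            vendor = parts[-2] if len(parts) >= 3 else ""
            if vendor == "Unknown owner":
                findings.append(Finding(section, path,
                    "service binary carries no vendor information; confirm what installed it"))

        if section == "O20" and path:
            # AppInit_DLLs is loaded into every process that links user32.dll,
            # so any entry here should be tied to known, installed software.
            findings.append(Finding(section, path,
                "AppInit_DLLs entry; verify the DLL belongs to installed security software"))

        if path and not path.lower().startswith(TRUSTED_PREFIXES):
            findings.append(Finding(section, path,
                "runs from outside the Windows and Program Files directories"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.path}\n     -> {f.reason}")
```

On the sample, the two "Unknown owner" services (BLService.exe and RichVideo.exe), the AppInit_DLLs entry (avgrsstx.dll) and the constructed C:\ydhlk.exe Run entry are reported; the AVG service, the Adobe BHO and the ehTray entry pass. A real triage would go on to check file signatures and hashes for each flagged path, which this example does not do.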

Commented:
ComboFix log:   Preliminary check doesn't show any remaining infections, but I'll spend more time on it later (it's a longgg report).   Clearly there have been a few "Other Deletions" and entry C:\ydhlk.exe may well be a nasty.

Hopefully you're not running two antivirus programs, it's not quite clear from the log?

Commented:
ComboFix log seems ok, nothing requiring a re-run with Script .. will await your response ...

Author

Commented:
After the combofix, the oscSock error isn't appearing. I rebooted a few times and still nothing, so it's looking good. I am running avg as my av, I removed norton anti-virus when I first got the laptop. Is there anything else for me to check or remove?

Author

Commented:
Thank you for the great responses. When I first saw this error I thought there would be no luck in fixing it, but you did a wonderful job. Thanks for the time and effort. A grade!!

Commented:
You are very welcome, thank you!

>i am running avg as my av<        <--that's a popular choice.
>i removed norton anti-virus<        <-- that's also a popular choice!!
Apart from the av programs, your System seems fine.

There is no scanner that can *guarantee* keeping a System clean, so may I just suggest that you run Malwarebytes' Anti-Malware (and perhaps also SuperantiSpyware) every few weeks (your choice) ...

Also the Kaspersky free online virus scanner every month or two, which is a good way to find out if you have any viruses or spyware without having to uninstall your existing antivirus software>
http://www.kaspersky.co.uk/virusscanner

There's also Trend Micro's free, online virus scanner:            
http://housecall.trendmicro.com/uk/
Ideal for scanning online, using "Safe Mode with networking".      
 
Good luck ...

Commented:
An afterthought ... you can uninstall ComboFix if you wish, as follows >

Start > Run > then type "ComboFix /u" (with no quotes, and space between x and / )
Then hit enter.  This will uninstall ComboFix, reset your clock settings, re-hide system hidden files, re-hide the file extensions and reset System Restore.
