# Serious Malware/Virus attack



## simmer14 (Sep 3, 2011)

Good evening techno crusaders.

I have what can only be described as a serious attack of malware or virus on my Windows XP Home SP2 machine running IE 8.

I first became aware of this when my Google search links were being redirected to advertising sites.
I then tried to run a virus scan using AVG free edition but found the home screen displayed the message "No Active Components" and therefore I can't run a scan. I can't even uninstall AVG to either reinstall or try another antivirus.

I managed to run Malwarebytes after a few attempts and 2 objects were found to be infected in the System32 folder (I noticed as the scan performed), but before the scan finishes I get a Microsoft Error report and the scan fails to complete.

I then tried a system restore but found that, having gone through the motions, the system restore was always incomplete.

Next, I tried TDSSKiller which found 2 infections. 
The first is a malicious object: 'Rootkit.Win.ZAccess.c' 
Service
Service name: redbook
Service start: System (0x1)
File: C:\WINDOWS\system32\DRIVERS\redbook.sys
MD5: a206ad651a6ee59abae178736d314edc


The second is a suspicious threat: 'Hidden File'
Service
Service Name: 96f0c49e
Service type: Kernel driver (0x1)
Service start: Demand (0x3)
File: C:\WINDOWS\2663706774:1762605921.exe
MD5: 8f2bb1827cac01aee6a16e30a1260199

On continuing the only message in the final box states:
System scan Completed
Infection: cured
C:\WINDOWS\system32\DRIVERS\redbook.sys - will be cured after reboot

But after rebooting they are still there when I run TDSSKiller again and the malicious object has a different filename!!

As I have been working away at this I have now lost my Active Desktop and I am not able to recover it.

I have downloaded, as instructed by this site, HijackThis, DDS and GMER, but when placing them onto the desktop of the infected PC the files are not executable (even the icon has changed!!), and this is the same with the AVG removal tool I tried. So, I can't run the programs in order to post the logs.

Can anyone help????? Please??????


----------



## simmer14 (Sep 3, 2011)

Ok friends. After reading through some threads on here with similar problems I ran rkill and then managed to run DDS. Here are the resultant logs.

This log file is located at C:\rkill.log. 
Please post this only if requested to by the person helping you. 
Otherwise you can close this log when you wish. 
Rkill was run on 04/09/2011 at 20:27:23. 
Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

Rkill completed on 04/09/2011 at 20:27:29.

.
DDS (Ver_2011-08-26.01) - NTFSx86 
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by Mick at 20:31:20 on 2011-09-04
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2559.1872 [GMT 1:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\2663706774:1762605921.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Browser mouse\1.3\mouse32a.exe
C:\Program Files\Multimedia keyboard utility\1.3\KbdAp32A.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=hxxp://www-cache.freeserve.net:8080;ftp=http://www-cache.freeserve.net:8080
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /S
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [FLMK08KB] c:\program files\multimedia keyboard utility\1.3\MMKEYBD.EXE
mRun: [FLMMEDIONMOUSE] c:\program files\browser mouse\1.3\mouse32a.exe
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [<NO NAME>] 
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\mick\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\updater.lnk - c:\program files\common files\updater\wupdater.exe
IE: Free YouTube to Mp3 Converter - c:\documents and settings\mick\application data\dvdvideosoftiehelpers\youtubetomp3.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37670.7014583333
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} - hxxp://secure.sunterra.com/europe/downloads/svideo3.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {FD18DD5E-B398-452A-B22A-B54636BA9F0D} - hxxp://www.blinkz.com/test/ImageUploader2.cab
TCP: DhcpNameServer = 194.168.4.100 192.168.0.1
TCP: Interfaces\{ED7BE40C-DEA6-4734-A0C3-6FB6B96022F7} : DhcpNameServer = 194.168.4.100 192.168.0.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = :\windows\system32\srrst
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mick\application data\mozilla\firefox\profiles\bc4owdxj.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/|http://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b12cdeb&v=7.005.030.004&i=23&tp=ab&iy=&ychte=uk&lng=en-GB&q=
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff5.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\[email protected]\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\[email protected]\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\[email protected]\components\xpavgtbapi.dll
FF - component: c:\program files\common files\spigot\wtxpcom\components\WidgiToolbarFF.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1487.6512\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\katie's itunes\mozilla plugins\npitunes.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Security Toolbar em:version=7.007.026.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: [email protected] - c:\program files\avg\avg10\toolbar\firefox\[email protected]
FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg10\Firefox4
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: vShare: [email protected] - %profile%\extensions\[email protected]
FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
FF - Ext: Firebug: [email protected] - %profile%\extensions\[email protected]
.
============= SERVICES / DRIVERS ===============
.
R0 ACTIVdrv;ACTIV Device Pen Driver;c:\windows\system32\drivers\ActivDrv.sys [2004-2-12 67424]
R2 ddnt;ddnt;c:\windows\system32\drivers\ddnt.sys [2005-1-20 7072]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-3-24 366640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-3-24 22712]
S2 ActivDRVcontrol;ACTIVdriver Control;c:\program files\activ software\activdriver\activdrvservice.exe --> c:\program files\activ software\activdriver\ActivDRVservice.exe [?]
S2 Ca536av;Icatch(VII) Video Camera Device;c:\windows\system32\drivers\Ca536av.sys [2008-3-4 514859]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\fsusbexservice.exe --> c:\windows\system32\FsUsbExService.Exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\googleupdate.exe /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S2 srv32C;srv32C;c:\windows\system32\svchost.exe -k netsvcs [2002-11-12 14336]
S3 ActivDRV_USB;ActivDRV_USB.Sys USB ACTIVboard;c:\windows\system32\drivers\ActivDRV_USB.sys [2003-1-20 17232]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-13 1025352]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-10-28 36608]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\googleupdate.exe /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]
S4 Gpposveircpa;Gpposveircpa; [x]
.
=============== Created Last 30 ================
.
2011-08-26 01:33:43 -------- d-----w- c:\program files\Perfect Uninstaller
2011-08-25 23:25:14 -------- d-----w- C:\TDSSKiller_Quarantine
2011-08-25 17:35:17 -------- d-----w- c:\documents and settings\all users\application data\AVG Security Toolbar
2011-08-25 12:07:43 43408 --sha-w- c:\windows\system32\c_61643.nl_
2011-08-24 12:31:34 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-08-24 12:31:34 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-23 19:40:44 -------- d-----w- c:\documents and settings\mick\application data\Piop
2011-08-22 20:51:24 0 ----a-w- c:\windows\Otixi.bin
2011-08-22 20:51:22 -------- d-----w- c:\documents and settings\mick\local settings\application data\{BC238A35-B348-43A7-800F-26A7C93622A7}
.
==================== Find3M ====================
.
2011-09-04 19:00:37 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-09-04 00:02:24 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-26 02:07:23 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-08-25 23:31:43 138368 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-25 23:26:06 74752 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-25 23:16:03 64896 ----a-w- c:\windows\system32\drivers\serial.sys
2011-07-06 18:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 20:32:41.40 ===============
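
Added example (not from the poster, DDS, or TDSSKiller): a Python triage helper that parses the DDS log format used above and flags the indicators a helper would look for in it, using a constructed excerpt built from lines in this thread. The section names, the `[x]` marker and the `scecli` default are assumptions about DDS output and a stock Windows XP install.

```python
"""Triage a DDS log for the persistence indicators seen in the thread above:
a process image that is an NTFS alternate data stream, a service with no backing
file, a non-default LSA notification package, and recently modified drivers."""
import re
from datetime import datetime, timedelta

# Constructed excerpt, using the line formats DDS prints and lines quoted in the thread.
SAMPLE_LOG = r"""
Run by Mick at 20:31:20 on 2011-09-04
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\2663706774:1762605921.exe
C:\Program Files\AVG\AVG10\avgtray.exe
.
============== Pseudo HJT Report ===============
.
LSA: Notification Packages = :\windows\system32\srrst
.
============= SERVICES / DRIVERS ===============
.
S2 srv32C;srv32C;c:\windows\system32\svchost.exe -k netsvcs [2002-11-12 14336]
S4 Gpposveircpa;Gpposveircpa; [x]
.
==================== Find3M ====================
.
2011-09-04 19:00:37 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-09-04 00:02:24 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-07-06 18:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 20:32:41.40 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
RUN_BY_RE = re.compile(r"^Run by .* on (\d{4}-\d{2}-\d{2})")
# Drive letter, then a second ':' before any other ':' in the path => file:stream (ADS).
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(.*)$")
LSA_RE = re.compile(r"^LSA: Notification Packages = (.*)$")
DEFAULT_LSA_PACKAGES = {"scecli"}  # assumed: the only package a stock Windows XP registers


def parse_sections(text):
    """Split a DDS log into {section title: [content lines]}; lines before the
    first '=== title ===' banner land in 'header'. DDS prints '.' as a spacer."""
    sections, current = {"header": []}, "header"
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections[current] = []
        elif line and line != ".":
            sections[current].append(line)
    return sections


def scan_date(sections):
    """Date the log was produced, taken from the 'Run by ... on YYYY-MM-DD' line."""
    for line in sections.get("header", []):
        m = RUN_BY_RE.match(line)
        if m:
            return datetime.strptime(m.group(1), "%Y-%m-%d")
    return None


def triage(text, window_days=14):
    """Return (severity, reason, log line) findings for the indicators above."""
    sections = parse_sections(text)
    findings = []
    for line in sections.get("Running Processes", []):
        if ADS_RE.match(line):
            findings.append(("high", "process image is an NTFS alternate data stream", line))
    for line in sections.get("Pseudo HJT Report", []):
        m = LSA_RE.match(line)
        if m:
            extra = [p for p in re.split(r"[,\s]+", m.group(1)) if p and p.lower() not in DEFAULT_LSA_PACKAGES]
            if extra:
                findings.append(("medium", "non-default LSA notification package(s): " + ", ".join(extra), line))
    for line in sections.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(line)
        if m and m.group(4).strip().endswith("[x]"):
            findings.append(("high", f"service {m.group(2)} has no backing file", line))
    when = scan_date(sections)
    for line in sections.get("Find3M", []):
        m = FIND3M_RE.match(line)
        if not m or when is None:
            continue
        age = when - datetime.strptime(m.group(1), "%Y-%m-%d")
        path = m.group(2).lower()
        # Windows Update also rewrites drivers: treat this as a lead to verify against a known-good copy.
        if "\\drivers\\" in path and path.endswith(".sys") and age <= timedelta(days=window_days):
            findings.append(("medium", f"kernel driver modified {age.days} day(s) before the scan", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

Run it against a full DDS log by passing the file contents to `triage()`; the driver-age window is a heuristic, so confirm flagged files by hash against a clean install before acting on them.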


----------



## simmer14 (Sep 3, 2011)

And this is the DDS Attach log.

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 04/12/2002 23:32:09
System Uptime: 04/09/2011 20:00:33 (0 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | GA-8STXCFS
Processor: Intel(R) Pentium(R) 4 CPU 2.53GHz | Socket 478 | 2545/133mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 112 GiB total, 8.987 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP2354: 10/07/2011 03:13:30 - System Checkpoint
RP2355: 11/07/2011 12:06:51 - System Checkpoint
RP2356: 12/07/2011 14:39:36 - Removed AVG 2011
RP2357: 13/07/2011 15:00:28 - System Checkpoint
RP2358: 14/07/2011 17:37:26 - Software Distribution Service 3.0
RP2359: 15/07/2011 17:58:52 - System Checkpoint
RP2360: 18/07/2011 21:12:51 - System Checkpoint
RP2361: 19/07/2011 19:20:48 - Removed AVG 2011
RP2362: 20/07/2011 19:45:53 - System Checkpoint
RP2363: 21/07/2011 20:30:25 - System Checkpoint
RP2364: 27/07/2011 20:39:08 - System Checkpoint
RP2365: 27/07/2011 21:09:38 - Removed Google Earth.
RP2366: 28/07/2011 21:18:24 - System Checkpoint
RP2367: 02/08/2011 17:59:56 - System Checkpoint
RP2368: 03/08/2011 19:24:17 - System Checkpoint
RP2369: 08/08/2011 12:55:41 - Removed AVG 2011
RP2370: 08/08/2011 12:59:25 - Removed AVG 2011
RP2371: 09/08/2011 10:37:44 - Removed AVG 2011
RP2372: 11/08/2011 12:39:26 - System Checkpoint
RP2373: 12/08/2011 18:46:38 - Software Distribution Service 3.0
RP2374: 14/08/2011 15:29:00 - System Checkpoint
RP2375: 15/08/2011 22:08:28 - System Checkpoint
RP2376: 18/08/2011 19:47:56 - System Checkpoint
RP2377: 21/08/2011 20:52:11 - System Checkpoint
RP2378: 23/08/2011 20:50:44 - Restore Operation
RP2379: 23/08/2011 23:55:44 - Restore Operation
RP2380: 24/08/2011 00:29:26 - Removed AVG 2011
RP2381: 24/08/2011 00:39:57 - Removed AVG 2011
RP2382: 24/08/2011 07:30:24 - Software Distribution Service 3.0
RP2383: 24/08/2011 13:22:11 - Restore Operation
RP2384: 25/08/2011 11:32:12 - Software Distribution Service 3.0
RP2385: 25/08/2011 18:31:33 - Installed AVG 2011
RP2386: 25/08/2011 18:31:51 - Removed AVG 2011
RP2387: 25/08/2011 18:33:25 - Installed AVG 2011
RP2388: 25/08/2011 18:37:18 - Removed AVG 2011
RP2389: 25/08/2011 19:17:19 - Restore Operation
RP2390: 25/08/2011 19:26:23 - Restore Operation
RP2391: 26/08/2011 02:19:21 - Revo Uninstaller's restore point - AVG 2011
RP2392: 26/08/2011 03:01:53 - Software Distribution Service 3.0
RP2393: 03/09/2011 16:17:40 - Software Distribution Service 3.0
RP2394: 03/09/2011 23:04:50 - Restore Operation
RP2395: 03/09/2011 23:35:22 - Software Distribution Service 3.0
RP2396: 04/09/2011 00:07:17 - Software Distribution Service 3.0
RP2397: 04/09/2011 01:42:03 - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
.
ABBYY FineReader 5.0 Sprint
ACTIVdriver
ACTIVdriver v2.6.1
ACTIVprimary
ACTIVprimary English (UK) v1.2 (Build 2)
ACTIVprimary Resources
ACTIVprimary Resources English (UK) v1.2.1
Adobe Acrobat 5.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe GoLive 5.0
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Photoshop Elements
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
Any Video Converter 3.2.1
Apple Software Update
Ask Toolbar
Audacity 1.2.6
Avery DesignPro
Belarc Advisor 8.1
BlueSoleil
Bonjour
Browser mouse 1.3
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 2.2
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Corel Snapfire
Critical Update for Windows Media Player 11 (KB959772)
Crystal Rain Forest V2
Digimax Viewer 2.1
Doremi FLV to MP3 Converter 1.6
Express Rip
EZBack-it-up 2.0.1
ezeVue Installer
ezeVue Media Manager
ezeVue Media Player
FaxTools
FLV Player 2.0, build 23
Free Audio CD Burner version 1.4
Free YouTube to MP3 Converter version 3.8
Fun Learning Maths Skills
Google Earth
Google Update Helper
Google Updater
GraphicView 32
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HTC Driver Installer
InterActual Player
iTunes
Java 2 Runtime Environment, SE v1.4.1_01
Java Auto Updater
Java Web Start
Java(TM) 6 Update 23
Lexmark X5100 Series
Macromedia Extension Manager
Macromedia Flash MX
Macromedia Flash Player
Macromedia FreeHand 10
Malwarebytes' Anti-Malware version 1.51.1.1800
Maths Toolbox 3
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard - WE 2002
Microsoft Image Composer 1.5
Microsoft Office 2000 Premium
Microsoft Office 2000 SR-1 Disc 2
Microsoft Picture It! Photo 2002
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
MicroStaff WINASPI
Mozilla Firefox (3.6.15)
MSP3885-E 56K PCI Modem
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Multimedia keyboard utility 1.3
My Web Search (Outlook, Outlook Express, and IncrediMail)
NCH Toolbox
Nero
Nero Suite
NoteWorthy Composer 2
NVIDIA Windows 2000/XP Display Drivers
PacMania 2
PageBreeze Free HTML Editor
Perfect Uninstaller v6.3.3.9
Pinnacle Hollywood FX for Studio
PowerDVD
Prism Video File Converter
QuickTime
RealPlayer
Recordpad
Registrar Registry Manager 6.02
Registrar Registry Manager 6.02 (Lite Edition)
Registry Mechanic 8.0
Revo Uninstaller 1.80
SA21xx Device Manager
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung New PC Studio
Samsung New PC Studio USB Driver Installer
Search Assistant - My Web Search
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Shockwave
SmartSound Quicktracks Plugin
Sony USB Driver
SopCast 2.0.4
Spin4Dough
Spotify
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
Studio 9
Switch Sound File Converter
Try Corel Snapfire muvee autoProducer add on
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB925720)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Veetle TV 0.9.18
vShare Plugin
WAV MP3 Converter 3.8 build 968
WavePad Uninstall
WebFldrs XP
Windows Blaster Worm Removal Tool (KB833330)
Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
Windows Driver Package - Sunplus (Ca50xav) Image (01/27/2005 2.2.0.7)
Windows Driver Package - Sunplus (Ca536av) Image (08/05/2003 2.2.0.5)
Windows Driver Package - Sunplus (USBCamera) Image (05/13/2003 1.2.0.0)
Windows Driver Package - Sunplus (USBCamera) USB (05/14/2003 1.2.0.0)
Windows Driver Package - Sunplus (usbhub) USB (07/31/2002 2.0.0.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Movie Maker 2.0
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
WinZip
Works Suite OS Pack
Works Synchronization
YouTube Downloader 2.6.5
YouTube Downloader Toolbar v4.5
.
==== Event Viewer Messages From Past Week ========
.
04/09/2011 20:30:30, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
03/09/2011 23:32:36, error: Service Control Manager [7023] - The Workstation service terminated with the following error: The system cannot find the file specified.
03/09/2011 23:32:36, error: Service Control Manager [7001] - The Computer Browser service depends on the Workstation service which failed to start because of the following error: The system cannot find the file specified.
03/09/2011 23:22:23, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BANTExt Fips intelppm IPSec MRxSmb NetBIOS NetBT PCLEPCI RasAcd Rdbss Tcpip
03/09/2011 23:22:23, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
03/09/2011 23:22:23, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
03/09/2011 23:22:23, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
03/09/2011 23:22:23, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
03/09/2011 23:22:23, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
03/09/2011 23:22:07, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
03/09/2011 23:21:38, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
03/09/2011 23:21:35, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
03/09/2011 22:52:08, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
03/09/2011 22:52:06, error: Service Control Manager [7000] - The Canon Camera Access Library 8 service failed to start due to the following error: The system cannot find the file specified.
03/09/2011 22:51:59, error: Service Control Manager [7023] - The srv32C service terminated with the following error: The specified module could not be found.
03/09/2011 22:51:59, error: Service Control Manager [7001] - The Print Spooler service depends on the LexBce Server service which failed to start because of the following error: The system cannot find the file specified.
03/09/2011 22:51:59, error: Service Control Manager [7001] - The Fax service depends on the Print Spooler service which failed to start because of the following error: The dependency service or group failed to start.
03/09/2011 22:51:59, error: Service Control Manager [7000] - The Upload Manager service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
03/09/2011 22:51:59, error: Service Control Manager [7000] - The ProtexisLicensing service failed to start due to the following error: The system cannot find the file specified.
03/09/2011 22:51:59, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: The system cannot find the file specified.
03/09/2011 22:51:59, error: Service Control Manager [7000] - The Icatch(VII) Video Camera Device service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
03/09/2011 22:51:59, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The system cannot find the file specified.
03/09/2011 22:51:59, error: Service Control Manager [7000] - The FsUsbExService service failed to start due to the following error: The system cannot find the file specified.
03/09/2011 22:51:59, error: Service Control Manager [7000] - The Bonjour Service service failed to start due to the following error: The system cannot find the file specified.
03/09/2011 22:51:59, error: Service Control Manager [7000] - The BlueSoleil Hid Service service failed to start due to the following error: The system cannot find the file specified.
03/09/2011 22:51:59, error: Service Control Manager [7000] - The ACTIVdriver Control service failed to start due to the following error: The system cannot find the file specified.
03/09/2011 22:51:58, error: Service Control Manager [7000] - The LexBce Server service failed to start due to the following error: The system cannot find the file specified.
03/09/2011 22:51:58, error: Service Control Manager [7000] - The InCD Helper service failed to start due to the following error: The system cannot find the file specified.
03/09/2011 21:53:02, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the HTTP SSL service to connect.
03/09/2011 21:53:02, error: Service Control Manager [7000] - The HTTP SSL service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
03/09/2011 20:51:05, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'mrxsmb.sys' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
03/09/2011 19:29:09, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
03/09/2011 19:28:50, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: agp440
03/09/2011 19:01:27, error: Service Control Manager [7000] - The Windows Installer service failed to start due to the following error: The system cannot find the file specified.
03/09/2011 19:01:27, error: DCOM [10005] - DCOM got error "%2" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
03/09/2011 19:00:12, error: Service Control Manager [7034] - The NVIDIA Driver Helper Service service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================

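The "Event Viewer Messages" section of a DDS log is normally read by eye. As an added example (not code from the thread, from DDS, or from any tool used in it), the Python below parses DDS's one-line event format and pulls out what a responder wants first: which services could not start and why, which boot-start drivers failed to load, and which DCOM activations failed. It then lists the services whose binary or module could not be found on disk, which is where a removed component that still has a registry entry shows up. The sample lines are copied from the log posted above, not invented; the regular expressions are written for the exact message shapes seen in that log and are an assumption for other event sources.

```python
"""Triage of the 'Event Viewer Messages' section of a DDS log (added example)."""
import re
from collections import Counter

# Lines copied from the DDS log posted in the thread.
SAMPLE_LOG = r"""
04/09/2011 20:30:30, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
03/09/2011 23:32:36, error: Service Control Manager [7023] - The Workstation service terminated with the following error: The system cannot find the file specified.
03/09/2011 23:22:23, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BANTExt Fips intelppm IPSec MRxSmb NetBIOS NetBT PCLEPCI RasAcd Rdbss Tcpip
03/09/2011 23:22:23, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
03/09/2011 23:22:07, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
03/09/2011 22:51:59, error: Service Control Manager [7023] - The srv32C service terminated with the following error: The specified module could not be found.
03/09/2011 22:51:59, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The system cannot find the file specified.
03/09/2011 19:28:50, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: agp440
"""

# "date time, level: Source [ID] - message"
EVENT_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)
# Message shapes per Service Control Manager / DCOM event id, as seen in the log.
SVC_FAILED = re.compile(r"^The (?P<svc>.+?) service failed to start due to the following error: (?P<reason>.*)$")
SVC_TERM = re.compile(r"^The (?P<svc>.+?) service terminated with the following error: (?P<reason>.*)$")
SVC_DEP = re.compile(r"^The (?P<svc>.+?) service depends on the (?P<dep>.+?) service which failed to start "
                     r"because of the following error: (?P<reason>.*)$")
DRV_FAILED = re.compile(r"^The following boot-start or system-start driver\(s\) failed to load: (?P<drivers>.*)$")
DCOM_RE = re.compile(r'^DCOM got error "(?P<err>[^"]*)" attempting to start the service (?P<svc>\S+) with arguments')


def parse_events(text):
    """Parse DDS event lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["id"] = int(ev["id"])
            events.append(ev)
    return events


def triage(text):
    """Summarise service, driver and DCOM start failures from a DDS event section."""
    summary = {
        "by_id": Counter(),           # event id -> count
        "failed_services": {},        # 7000: service -> reason
        "terminated_services": {},    # 7023: service -> reason
        "dependency_failures": {},    # 7001: service -> dependency that failed
        "failed_drivers": set(),      # 7026: boot/system-start driver names
        "dcom_failures": [],          # 10005: (service, error code)
    }
    for ev in parse_events(text):
        eid, msg = ev["id"], ev["msg"]
        summary["by_id"][eid] += 1
        if eid == 7000 and (m := SVC_FAILED.match(msg)):
            summary["failed_services"][m["svc"]] = m["reason"]
        elif eid == 7023 and (m := SVC_TERM.match(msg)):
            summary["terminated_services"][m["svc"]] = m["reason"]
        elif eid == 7001 and (m := SVC_DEP.match(msg)):
            summary["dependency_failures"][m["svc"]] = m["dep"]
        elif eid == 7026 and (m := DRV_FAILED.match(msg)):
            summary["failed_drivers"].update(m["drivers"].split())
        elif eid == 10005 and (m := DCOM_RE.match(msg)):
            summary["dcom_failures"].append((m["svc"], m["err"]))
    return summary


def missing_binary_services(summary):
    """Services whose image file or a module of it could not be found on disk.

    Both reasons appear when a component has been deleted or quarantined while
    its registry entry survives, so this list is the first place to look for
    leftover service entries after a cleanup.
    """
    hits = []
    for table in ("failed_services", "terminated_services"):
        for svc, reason in summary[table].items():
            if "cannot find the file" in reason or "module could not be found" in reason:
                hits.append(svc)
    return sorted(hits)


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print("events by id:", dict(s["by_id"]))
    print("drivers that failed to load:", sorted(s["failed_drivers"]))
    print("services with a missing binary/module:", missing_binary_services(s))
```

The failed-driver list is the part worth cross-checking against later findings: in this thread the System Restore error names mrxsmb.sys, and several of the drivers that failed to load (AFD, MRxSmb, NetBT, Tcpip) sit on the network path, which is consistent with the redirects the poster saw.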

----------



## kevinf80 (Mar 21, 2006)

Run the following :-

*Step 1*

Please download DummyCreator.zip and unzip it to your Desktop.


Double click to run the tool. Windows 7 or Vista users right click and Run as Administrator.
Copy and paste the following into the edit box:

*C:\WINDOWS\2663706774*

Press *Create* button and post the content of the Result.txt.
*Important:* Restart the computer.

*Step 2*

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

*Link 1*
*Link 2*


Ensure that Combofix is saved directly to the Desktop *<--- Very important*

Before saving Combofix to the Desktop re-name to Gotcha.exe as below:


- Disable all security programs as they will have a negative effect on Combofix, instructions available *Here* if required. Be aware the list may not have all programs listed, if you need more help please ask.

- Close any open browsers and any other programs you might have running

- Double click the icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")

- Instructions for running Combofix available *Here* if required.

- If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.

- When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

*Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall or freeze.*

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read *Here* why disabling autoruns is recommended.

*EXTRA NOTES*

- If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
- If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
- If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Post the two logs in next reply please...

Kevin


----------



## simmer14 (Sep 3, 2011)

Hi Kevin. Many thanks for picking this up. I really appreciate your help. Before I go ahead with any of this can I log on as myself? I'm sure I have admin rights (in fact when booting up into safe mode there's only administrator and myself whereas in normal mode there's myself and other family members).

I'm running XP Home SP2


----------



## simmer14 (Sep 3, 2011)

Furthermore this is incredible as I notice you're in Sland!!! Same as myself!!!


----------



## kevinf80 (Mar 21, 2006)

Boot from the account with the issue if it has admin rights. I live in Doxford Park


----------



## simmer14 (Sep 3, 2011)

Grangetown mate. Gonna do that now.


----------



## simmer14 (Sep 3, 2011)

DummyCreator by Farbar 
Ran by Mick (administrator) on 04-09-2011 at 22:53:19
**************************************************************
C:\WINDOWS\2663706774 [04-09-2011 22:53:19]
== End of log ==


----------



## kevinf80 (Mar 21, 2006)

mmm, I used to live 345 Ryhope Road G/Town until 1997...


----------



## simmer14 (Sep 3, 2011)

I'm in Rainford Av, since 2001.


----------



## kevinf80 (Mar 21, 2006)

Yep know it well,


----------



## simmer14 (Sep 3, 2011)

Right, Kevin. Completed step 1 and posted log above.

Then disabled all av and malware. Ran combofix which started but then got a message in a window:

"Terminal Error - Missing File
C:\WINDOWS\regedit.exe is missing
Copy one from another machine"

With the only option of an 'ok' button to close the window and combofix closes altogether


----------



## kevinf80 (Mar 21, 2006)

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*

Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:


```
:filefind
regedit.exe
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*


----------



## simmer14 (Sep 3, 2011)

SystemLook 30.07.11 by jpshortstuff
Log created at 00:29 on 05/09/2011 by Mick
Administrator - Elevation successful
========== filefind ==========
Searching for "regedit.exe"
C:\unzipped\regedit\regedit.exe --a--c- 146432 bytes [07:00 04/08/2004] [07:00 04/08/2004] 783AFC80383C176B22DBF8333343992D
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\regedit.exe --a--c- 146432 bytes [23:38 18/09/2009] [00:12 14/04/2008] 058710B720282CA82B909912D3EF28DB
-= EOF =-

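SystemLook's `:filefind` answers "where are the copies of this file and do they differ?"; the log above shows two regedit.exe copies with different sizes' timestamps and MD5s, and none in C:\WINDOWS. As an added example (not SystemLook's code and not anything posted in the thread), the Python below does the same walk for a file name, fingerprints every copy, groups identical copies, and reports which ones match a reference hash for the expected build. Everything it scans is a constructed temporary directory tree laid out like the situation in the thread (no regedit.exe in WINDOWS, copies in the update cache, dllcache and a user's unzipped folder), and `REFERENCE_SHA256` is the hash of a constructed stand-in file, not a real Microsoft hash.

```python
"""Find every copy of a named system file under a root and fingerprint it (added example)."""
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed stand-ins for two different builds of the same executable.
GOOD_CONTENT = b"MZ\x90\x00 constructed stand-in for the intact regedit.exe build"
OLD_CONTENT = b"MZ\x90\x00 constructed stand-in for an older regedit.exe build"
# Demo reference hash: the hash of the stand-in above, not Microsoft's hash.
REFERENCE_SHA256 = hashlib.sha256(GOOD_CONTENT).hexdigest()


def file_digest(path, algo="sha256"):
    """Stream a file through hashlib so large binaries are not read whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def filefind(root, name):
    """Case-insensitive search for files named `name` below `root`.

    Returns a sorted list of (path, size, md5, sha256). MD5 is kept only
    because tools like SystemLook and TDSSKiller report MD5.
    """
    target = name.lower()
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == target:
                p = os.path.join(dirpath, fn)
                found.append((p, os.path.getsize(p),
                              file_digest(p, "md5"), file_digest(p, "sha256")))
    return sorted(found)


def group_by_hash(found):
    """Map sha256 -> paths, so differing copies stand out at a glance."""
    groups = defaultdict(list)
    for path, _size, _md5, sha in found:
        groups[sha].append(path)
    return dict(groups)


def matching_reference(found, reference_sha256):
    """Paths whose content matches the expected hash: candidates for restoring."""
    return [path for path, _size, _md5, sha in found if sha == reference_sha256]


def build_demo_tree():
    """Constructed layout: no regedit.exe in WINDOWS, copies elsewhere."""
    root = tempfile.mkdtemp(prefix="filefind_demo_")
    layout = {
        os.path.join("WINDOWS", "SoftwareDistribution", "Download", "cachedir", "regedit.exe"): GOOD_CONTENT,
        os.path.join("WINDOWS", "system32", "dllcache", "REGEDIT.EXE"): GOOD_CONTENT,
        os.path.join("unzipped", "regedit", "regedit.exe"): OLD_CONTENT,
        os.path.join("WINDOWS", "regedit.exe.bak"): OLD_CONTENT,  # name differs; must not match
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    return root


def run_demo():
    """Build the tree, run the search, and return everything worth checking."""
    root = build_demo_tree()
    found = filefind(root, "regedit.exe")
    return {
        "root": root,
        "found": found,
        "groups": group_by_hash(found),
        "matches": matching_reference(found, REFERENCE_SHA256),
        "in_place": os.path.exists(os.path.join(root, "WINDOWS", "regedit.exe")),
    }


if __name__ == "__main__":
    r = run_demo()
    print("regedit.exe present in WINDOWS:", r["in_place"])
    for path, size, md5, sha in r["found"]:
        print(f"{size:>8} {md5} {sha[:12]}... {os.path.relpath(path, r['root'])}")
    print("copies matching reference:", len(r["matches"]))
```

On a real system the reference hash would come from an installation medium or a known-clean machine of the same service pack level; two copies agreeing with each other (here the update cache and dllcache) is evidence, but only agreement with an independent reference says which copy is the right one to put back.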

----------



## kevinf80 (Mar 21, 2006)

Give the following a run:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open *notepad* and copy/paste the text in the Codebox below into it:


```
KillAll::
FCopy::
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\regedit.exe | C:\windows\regedit.exe
```
Save this as *CFScript.txt*, and as Type: *All Files* *(*.*)* in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at *C:\ComboFix.txt* which I will require in your next reply.


----------



## simmer14 (Sep 3, 2011)

Ok mate. Firstly a second apology. I've just realised what an idiot you're working with here. Last night I kept refreshing the screen to see if you'd replied but after about 40 mins thought you'd gone to bed. I didn't realise that you'd posted and it had started a new page. See what you're dealing with here??? It was late mind you!!!


Anyway, I've just dragged that CFScript file onto the combofix icon. A small window opened (black background with green text - extracting files and such) Then it closed and the combofix blue screen opened immediately followed by a message saying there was a newer version and did I want to update. I declined this. Combofix said it was preparing to run.....there was a short, fairly high pitched 'beep' and then the same terminal error message which I explained in post #13 appeared. Again I clicked 'ok' and the combofix window closed.

I also checked in the root of the c drive for the log file you mentioned but it isn't there.

Is it worth updating to the newer version of combofix when prompted?


----------



## kevinf80 (Mar 21, 2006)

Leave CF for now and do this:

Click on the Start button, then click on Run...

In the empty "Open:" box provided, type *cmd* and press Enter

This will launch a Command Prompt window (looks like DOS).

Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

*copy C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\regedit.exe C:\ /y*

In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.

Press Enter.

When successfully completed, you should get this message within the Command Prompt: "1 file(s) copied"


----------



## simmer14 (Sep 3, 2011)

After I paste into the cmd prompt window I get 'The system cannot find the file specified.'

Followed by the C:\Documents and Settings\Mick>


----------



## simmer14 (Sep 3, 2011)

I've just navigated through that path and had a look for that file and there is a 'regedit' file in the folder. It looks like an exe file and has an exploding-rubik-cube type icon. So if that is the file which we're trying to copy then it is there but cmd is saying can't find it!!!


----------



## simmer14 (Sep 3, 2011)

Kevin, I've just noticed in the text you've asked me to copy to cmd that the filename has a space after the 'r' i.e. 'r egedit.exe' Could this be a reason?


----------



## simmer14 (Sep 3, 2011)

Right mate. I copied it into notepad and altered it, then copied again into cmd and IT WORKED!!! 

1 file copied


----------



## kevinf80 (Mar 21, 2006)

Ooops, missed that typo. Continue as follows :-

Okay, let's run Avenger to replace the file.

Download The Avenger by Swandog46 from *here*.

Unzip/extract it to a folder on your desktop.

Double click on avenger.exe to run The Avenger.

Click OK.

Make sure that the box next to Scan for rootkits *HAS* a tick in it and that the box next to Automatically disable any rootkits found does *NOT* have a tick in it.

Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.


```
Files to Move:
C:\regedit.exe | C:\WINDOWS\regedit.exe
```
In the Avenger window, click the Paste Script from Clipboard button.
Click the Execute button.
You will be asked Are you sure you want to execute the current script?
Click Yes.
You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?
Click Yes.
Your PC will now be rebooted.

After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
Please post this log in your next reply.


----------



## simmer14 (Sep 3, 2011)

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File move operation "C:\regedit.exe|C:\WINDOWS\regedit.exe" completed successfully.
Completed script processing.
*******************
Finished! Terminate.


----------



## kevinf80 (Mar 21, 2006)

Okey Dokey, re-run Combofix, if it asks to update please allow it, if it asks to install the recovery console allow that too.

let me see the log if successful...


----------



## simmer14 (Sep 3, 2011)

Well, I've got my original desktop back. Brilliant! Haven't tried anything else yet. Here's the log:

ComboFix 11-09-05.05 - Mick 05/09/2011 22:39:37.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2559.2236 [GMT 1:00]
Running from: c:\documents and settings\Mick\Desktop\Gotcha.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Betty\My Documents\~WRL3382.tmp
c:\documents and settings\Katie\WINDOWS
c:\documents and settings\Lisa\WINDOWS
c:\documents and settings\Mick\My Documents\~WRL0290.tmp
c:\documents and settings\Mick\My Documents\~WRL0653.tmp
c:\documents and settings\Mick\My Documents\~WRL0834.tmp
c:\documents and settings\Mick\My Documents\~WRL1139.tmp
c:\documents and settings\Mick\My Documents\~WRL2315.tmp
c:\documents and settings\Mick\WINDOWS
C:\khq
c:\program files\Internet Explorer\SET568.tmp
c:\windows\$NtUninstallKB44433$
c:\windows\$NtUninstallKB44433$\161423727
c:\windows\$NtUninstallKB44433$\2532361374\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB44433$\2532361374\click.tlb
c:\windows\$NtUninstallKB44433$\2532361374\L\akygdmgo
c:\windows\$NtUninstallKB44433$\2532361374\loader.tlb
c:\windows\$NtUninstallKB44433$\2532361374\U\@00000001
c:\windows\$NtUninstallKB44433$\2532361374\U\@000000c0
c:\windows\$NtUninstallKB44433$\2532361374\U\@000000cb
c:\windows\$NtUninstallKB44433$\2532361374\U\@000000cf
c:\windows\$NtUninstallKB44433$\2532361374\U\@80000000
c:\windows\$NtUninstallKB44433$\2532361374\U\@800000c0
c:\windows\$NtUninstallKB44433$\2532361374\U\@800000cb
c:\windows\$NtUninstallKB44433$\2532361374\U\@800000cf
c:\windows\2663706774
c:\windows\explorer(2).exe
c:\windows\system32\_003611_.tmp.dll
c:\windows\system32\_003612_.tmp.dll
c:\windows\system32\_003613_.tmp.dll
c:\windows\system32\_003614_.tmp.dll
c:\windows\system32\_003619_.tmp.dll
c:\windows\system32\_003620_.tmp.dll
c:\windows\system32\_003621_.tmp.dll
c:\windows\system32\_003622_.tmp.dll
c:\windows\system32\_003623_.tmp.dll
c:\windows\system32\_003624_.tmp.dll
c:\windows\system32\_003625_.tmp.dll
c:\windows\system32\_003626_.tmp.dll
c:\windows\system32\_003627_.tmp.dll
c:\windows\system32\_003629_.tmp.dll
c:\windows\system32\_003630_.tmp.dll
c:\windows\system32\_003632_.tmp.dll
c:\windows\system32\_003633_.tmp.dll
c:\windows\system32\_003634_.tmp.dll
c:\windows\system32\_003636_.tmp.dll
c:\windows\system32\_003639_.tmp.dll
c:\windows\system32\_003640_.tmp.dll
c:\windows\system32\_003642_.tmp.dll
c:\windows\system32\_003643_.tmp.dll
c:\windows\system32\_003644_.tmp.dll
c:\windows\system32\_003645_.tmp.dll
c:\windows\system32\_003646_.tmp.dll
c:\windows\system32\_003647_.tmp.dll
c:\windows\system32\_003649_.tmp.dll
c:\windows\system32\_003650_.tmp.dll
c:\windows\system32\_003651_.tmp.dll
c:\windows\system32\_003652_.tmp.dll
c:\windows\system32\_003653_.tmp.dll
c:\windows\system32\_003654_.tmp.dll
c:\windows\system32\_003655_.tmp.dll
c:\windows\system32\_003658_.tmp.dll
c:\windows\system32\_003659_.tmp.dll
c:\windows\system32\_003660_.tmp.dll
c:\windows\system32\_003661_.tmp.dll
c:\windows\system32\_003662_.tmp.dll
c:\windows\system32\_003663_.tmp.dll
c:\windows\system32\_003664_.tmp.dll
c:\windows\system32\_003666_.tmp.dll
c:\windows\system32\_003667_.tmp.dll
c:\windows\system32\_003668_.tmp.dll
c:\windows\system32\_003669_.tmp.dll
c:\windows\system32\_003670_.tmp.dll
c:\windows\system32\_003671_.tmp.dll
c:\windows\system32\_003673_.tmp.dll
c:\windows\system32\_003676_.tmp.dll
c:\windows\system32\_003677_.tmp.dll
c:\windows\system32\_003681_.tmp.dll
c:\windows\system32\_003682_.tmp.dll
c:\windows\system32\_003684_.tmp.dll
c:\windows\system32\_003687_.tmp.dll
c:\windows\system32\_003689_.tmp.dll
c:\windows\system32\_003690_.tmp.dll
c:\windows\system32\_003691_.tmp.dll
c:\windows\system32\_003692_.tmp.dll
c:\windows\system32\_003695_.tmp.dll
c:\windows\system32\_003696_.tmp.dll
c:\windows\system32\_003697_.tmp.dll
c:\windows\system32\_003698_.tmp.dll
c:\windows\system32\_003699_.tmp.dll
c:\windows\system32\_003704_.tmp.dll
c:\windows\system32\_003706_.tmp.dll
c:\windows\system32\_003707_.tmp.dll
c:\windows\system32\_005946_.tmp.dll
c:\windows\system32\_005947_.tmp.dll
c:\windows\system32\_005948_.tmp.dll
c:\windows\system32\_005949_.tmp.dll
c:\windows\system32\_005956_.tmp.dll
c:\windows\system32\_005957_.tmp.dll
c:\windows\system32\_005958_.tmp.dll
c:\windows\system32\_005959_.tmp.dll
c:\windows\system32\_005961_.tmp.dll
c:\windows\system32\_005962_.tmp.dll
c:\windows\system32\_005965_.tmp.dll
c:\windows\system32\_005966_.tmp.dll
c:\windows\system32\_005968_.tmp.dll
c:\windows\system32\_005969_.tmp.dll
c:\windows\system32\_005970_.tmp.dll
c:\windows\system32\_005972_.tmp.dll
c:\windows\system32\_005975_.tmp.dll
c:\windows\system32\_005976_.tmp.dll
c:\windows\system32\_005980_.tmp.dll
c:\windows\system32\_005981_.tmp.dll
c:\windows\system32\_005983_.tmp.dll
c:\windows\system32\_005986_.tmp.dll
c:\windows\system32\_005988_.tmp.dll
c:\windows\system32\_005989_.tmp.dll
c:\windows\system32\_005990_.tmp.dll
c:\windows\system32\_005991_.tmp.dll
c:\windows\system32\_005992_.tmp.dll
c:\windows\system32\_005995_.tmp.dll
c:\windows\system32\_005996_.tmp.dll
c:\windows\system32\_005997_.tmp.dll
c:\windows\system32\_005998_.tmp.dll
c:\windows\system32\_005999_.tmp.dll
c:\windows\system32\_006004_.tmp.dll
c:\windows\system32\_006006_.tmp.dll
c:\windows\system32\1027840520.dat
c:\windows\system32\c_61643.nls
c:\windows\system32\cache329
c:\windows\system32\cache329\B_329_0_1_501600.gif
c:\windows\system32\cache329\B_329_0_1_503400.gif
c:\windows\system32\cache329\B_329_0_1_504800.gif
c:\windows\system32\cache329\B_329_0_1_517200.gif
c:\windows\system32\cache329\B_329_0_1_517500.gif
c:\windows\system32\cache329\B_329_0_1_566900.gif
c:\windows\system32\cache329\B_329_2_1_501600.gif
c:\windows\system32\cache329\B_329_2_1_503400.gif
c:\windows\system32\cache329\B_329_2_1_504800.gif
c:\windows\system32\cache329\B_522700.htm
c:\windows\system32\cache329\B_531700.htm
c:\windows\system32\cache329\B_537000.htm
c:\windows\system32\cache329\B_670200.htm
c:\windows\system32\cache329\t_B_522700.htm
c:\windows\system32\cache329\t_B_531700.htm
c:\windows\system32\cache329\t_B_537000.htm
c:\windows\system32\cache329\t_B_670200.htm
c:\windows\system32\ctfmon(2).exe
c:\windows\system32\usp10(2).dll
.
Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected 
Restored copy from - The cat found it  
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected 
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe 
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_96f0c49e
.
.
((((((((((((((((((((((((( Files Created from 2011-08-05 to 2011-09-05 )))))))))))))))))))))))))))))))
.
.
2011-09-05 21:29 . 2004-08-03 22:14 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-09-05 20:13 . 2008-04-14 00:12 146432 ------w- c:\windows\regedit.exe
2011-09-05 17:27 . 2011-09-05 17:28 -------- d-----w- C:\Gotcha
2011-09-03 22:23 . 2011-09-03 22:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-08-26 01:33 . 2011-09-03 22:02 -------- d-----w- c:\program files\Perfect Uninstaller
2011-08-25 23:25 . 2011-08-25 23:25 -------- d-----w- C:\TDSSKiller_Quarantine
2011-08-25 17:35 . 2011-09-03 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2011-08-25 12:07 . 2011-09-04 19:01 43408 --sha-w- c:\windows\system32\c_61643.nl_
2011-08-24 12:58 . 2011-08-24 12:58 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-08-24 12:31 . 2011-08-24 12:31 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-24 01:48 . 2011-08-24 12:24 -------- d-----w- c:\documents and settings\LocalService\Application Data\Adobe(2)
2011-08-23 23:14 . 2011-08-24 12:25 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(2)
2011-08-23 20:36 . 2011-08-23 20:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2011-08-23 19:40 . 2011-08-23 19:41 -------- d-----w- c:\documents and settings\Mick\Application Data\Piop
2011-08-22 20:51 . 2011-08-23 19:32 0 ----a-w- c:\windows\Otixi.bin
2011-08-22 20:51 . 2011-08-24 12:27 -------- d-----w- c:\documents and settings\Mick\Local Settings\Application Data\{BC238A35-B348-43A7-800F-26A7C93622A7}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-04 19:00 . 2009-08-14 20:56 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-09-04 00:02 . 2009-08-14 20:56 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-26 02:07 . 2009-08-14 20:56 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-08-25 23:31 . 2009-08-14 20:56 138368 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-25 23:26 . 2009-08-14 20:56 74752 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-25 23:16 . 2009-08-14 20:56 64896 ----a-w- c:\windows\system32\drivers\serial.sys
2011-07-06 18:52 . 2009-03-24 21:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 18:52 . 2009-03-24 21:20 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-26 09:32 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-07-26 09:15 2532680 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"SoundMan"="SOUNDMAN.EXE" [2002-03-21 46592]
"FLMK08KB"="c:\program files\Multimedia keyboard utility\1.3\MMKEYBD.EXE" [2004-05-15 207360]
"FLMMEDIONMOUSE"="c:\program files\Browser mouse\1.3\mouse32a.exe" [2004-05-15 356352]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]
.
c:\documents and settings\Mick\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-12-11 110592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-12-11 110592]
updater.lnk - c:\program files\Common Files\updater\wupdater.exe [N/A]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv32C]
@="service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digimax Viewer 2.1.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digimax Viewer 2.1.lnk
backup=c:\windows\pss\Digimax Viewer 2.1.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk
backup=c:\windows\pss\Image Transfer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ActivDRVAutostart]
2004-06-15 17:04 392192 -c--a-w- c:\program files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2008-12-13 17:51 98304 ----a-w- c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-09-13 10:51 1450096 ------w- c:\program files\Ahead\InCD\InCD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X5100 Series]
2002-12-03 17:29 86102 ----a-w- c:\program files\Lexmark X5100 Series\lxbabmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
2001-08-22 22:52 331830 ----a-w- c:\program files\Microsoft Works\wkssb.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2002-08-30 13:06 372736 ----a-r- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 09:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
2006-05-31 10:47 1003520 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 19:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2001-10-05 01:34 24576 ----a-w- c:\program files\Microsoft Works\wkfud.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Katie's Itunes\\iTunes.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Registry Mechanic\\Update.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\AVG\\AVG10\\Toolbar\\ToolbarBroker.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\MFAData\\SelfUpd\\avgmfapx.exe"=
"c:\\Documents and Settings\\Mick\\Desktop\\kts.com.exe"=
"c:\\Program Files\\Perfect Uninstaller\\PU.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\Mick\\Desktop\\STOPzilla_Setup.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Documents and Settings\\Mick\\Desktop\\simma.com.exe"=
.
R0 ACTIVdrv;ACTIV Device Pen Driver;c:\windows\system32\drivers\ActivDrv.sys [12/02/2004 19:37 67424]
R2 ddnt;ddnt;c:\windows\system32\drivers\ddnt.sys [20/01/2005 20:33 7072]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [24/03/2009 22:20 22712]
S2 ActivDRVcontrol;ACTIVdriver Control;c:\program files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe --> c:\program files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe [?]
S2 Ca536av;Icatch(VII) Video Camera Device;c:\windows\system32\drivers\Ca536av.sys [04/03/2008 20:33 514859]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe --> c:\windows\system32\FsUsbExService.Exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [24/03/2009 22:20 366640]
S2 srv32C;srv32C;c:\windows\system32\svchost.exe -k netsvcs [12/11/2002 08:09 14336]
S3 ActivDRV_USB;ActivDRV_USB.Sys USB ACTIVboard;c:\windows\system32\drivers\ActivDRV_USB.sys [20/01/2003 04:14 17232]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [13/05/2011 20:03 1025352]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [28/10/2009 20:05 36608]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S4 Gpposveircpa;Gpposveircpa; [x]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
srv32C
.
Contents of the 'Scheduled Tasks' folder
.
2010-12-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]
.
2011-09-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-11-01 21:00]
.
2011-08-26 c:\windows\Tasks\prismDowngrade.job
- c:\program files\NCH Software\Prism\prism.exe [2011-02-06 21:13]
.
2011-09-04 c:\windows\Tasks\prismShakeIcon.job
- c:\program files\NCH Software\Prism\prism.exe [2011-02-06 21:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=hxxp://www-cache.freeserve.net:8080;ftp=http://www-cache.freeserve.net:8080
uInternet Settings,ProxyOverride = <local>;*.local
IE: Free YouTube to Mp3 Converter - c:\documents and settings\Mick\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
TCP: DhcpNameServer = 194.168.4.100 192.168.0.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
DPF: {FD18DD5E-B398-452A-B22A-B54636BA9F0D} - hxxp://www.blinkz.com/test/ImageUploader2.cab
FF - ProfilePath - c:\documents and settings\Mick\Application Data\Mozilla\Firefox\Profiles\bc4owdxj.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/|http://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b12cdeb&v=7.005.030.004&i=23&tp=ab&iy=&ychte=uk&lng=en-GB&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AVG Security Toolbar em:version=7.007.026.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: [email protected] - c:\program files\AVG\AVG10\Toolbar\Firefox\[email protected]
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG10\Firefox4
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: vShare: [email protected] - %profile%\extensions\[email protected]
FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
FF - Ext: Firebug: [email protected] - %profile%\extensions\[email protected]
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
SafeBoot-05769274.sys
SafeBoot-08263828.sys
SafeBoot-10289331.sys
SafeBoot-18401405.sys
SafeBoot-22911990.sys
SafeBoot-23240774.sys
SafeBoot-48994980.sys
SafeBoot-52982231.sys
SafeBoot-59275803.sys
SafeBoot-67157614.sys
SafeBoot-94027799.sys
MSConfigStartUp-PC Connection Agent - c:\program files\Microsoft ActiveSync\WCESCOMM.EXE
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
MSConfigStartUp-svcosvt - c:\windows\system32\svcosvt.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
AddRemove-193bb64c00732e4d5ff2a48ccd900ee4 - c:\program files\Sherston\Crystal Rain Forest V2\_uninst\uninstaller.exe
AddRemove-Registrar Registry Manager 6.02 (Lite Edition) - c:\program files\Registrar Registry Manager\unwise.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-05 23:12
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\.redbook]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\srv32C]
"servicedll"="\\?\globalroot\Device\HarddiskVolume1\DOCUME~1\Mick\LOCALS~1\Temp\srv32C.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3264)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Browser mouse\1.3\MOUDL32A.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Multimedia keyboard utility\1.3\KbdAp32A.exe
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2011-09-05 23:25:31 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-05 22:25
.
Pre-Run: 9,739,513,856 bytes free
Post-Run: 10,964,856,832 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /HAL=halaacpi.dll /NoExecute=OptIn
.
- - End Of File - - DF6A011D1F7966BA2F1DC9C653E80B14


----------



## kevinf80 (Mar 21, 2006)

Continue as follows :-

*Step 1*

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open *notepad* and copy/paste the text in the Codebox below into it:


```
ClearJavaCache::
KillAll::
ADS::
C:\WINDOWS\2663706774
File::
c:\windows\system32\c_61643.nl_
c:\windows\Otixi.bin
Folder::
c:\documents and settings\Mick\Local Settings\Application Data\{BC238A35-B348-43A7-800F-26A7C93622A7}
c:\program files\AskBarDis
C:\WINDOWS\2663706774
Driver::
Gpposveircpa
srv32C
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
[-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"=-
[-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv32C]
```
Save this as *CFScript.txt*, and as Type: *All Files* *(*.*)* in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at *C:\ComboFix.txt* which I will require in your next reply.

*Step 2*

Download TFC to your desktop, from either of the following links
*Link 1*
*Link 2*

Save any open work. TFC will close all open application windows.
Double-click TFC.exe to run the program. Vista or Windows 7 users right click and select Run as Administrator
If prompted, click "Yes" to reboot.
Save any open work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. TFC may re-boot your system, if not *Re-boot it yourself to complete cleaning process* *<---- Very Important *

*Step 3*

*Run ESET Online Scan*

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
*ESET OnlineScan*
Click the

button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

Click on

to download the ESET Smart Installer. *Save* it to your desktop.
Double click on the

icon on your desktop.

Check

Click the

button.
Accept any security warnings from your browser.
Check

*Leave the tick out of remove found threats*
Push the *Start* button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push

Push

, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the

button.
Push

You can refer to *this animation* by *neomage* if needed.
Frequently asked questions available *Here* *Please read them before running the scan.*

Also be aware this scan can take between one and several hours to complete depending on the size of your system.

ESET log can be found here *"C:\Program Files\ESET\EsetOnlineScanner\log.txt".*

Post logs from Combofix and ESET in next reply....

Kevin
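
The entries kevinf80's CFScript goes after are the ones a first triage pass over a ComboFix log should surface on its own: a service (srv32C) hosted by svchost.exe in the netsvcs group whose ServiceDll sits in the user's Temp folder behind a \\?\globalroot device path, a driver (Gpposveircpa) that is registered but has no file on disk, a run of SafeBoot entries with random numeric names, a ".redbook" service whose ImagePath is "\*" rather than a file, and the Windows Firewall switched off. The script below is an added example written for this page; it is not part of the thread, not ComboFix's or ESET's own tooling, and the rule names and severities are my own. It parses the line shapes ComboFix uses in the logs above (the "S2 name;display;path [date size]" service lines, the "Svchost - NetSvcs" list, the registry key/value dump, the orphan list) and reports what a helper would want to look at first. The sample log is constructed from lines copied out of this thread's posts, not captured from a live machine.

```python
import re

# Constructed sample, modelled line-for-line on the ComboFix output posted in
# this thread (names, paths and values copied from those log lines); it is not
# a capture from a live machine.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R0 ACTIVdrv;ACTIV Device Pen Driver;c:\windows\system32\drivers\ActivDrv.sys [12/02/2004 19:37 67424]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [24/03/2009 22:20 366640]
S2 srv32C;srv32C;c:\windows\system32\svchost.exe -k netsvcs [12/11/2002 08:09 14336]
S4 Gpposveircpa;Gpposveircpa; [x]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
srv32C
.
SafeBoot-05769274.sys
SafeBoot-08263828.sys
MSConfigStartUp-svcosvt - c:\windows\system32\svcosvt.exe
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\.redbook]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\srv32C]
"servicedll"="\\?\globalroot\Device\HarddiskVolume1\DOCUME~1\Mick\LOCALS~1\Temp\srv32C.tmp"
"""

# "S2 name;display;path [date size]"  or  "S4 name;display; [x]" (no file on disk)
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$')
SERVICES_KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$', re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
SAFEBOOT_RE = re.compile(r'^SafeBoot-\d{6,}\.sys$')
NETSVCS_HEADER = 'Svchost - NetSvcs'
# Service binaries have no business under a user profile, a Temp folder or
# behind a \\?\globalroot device path (which hides them from normal tooling).
SUSPICIOUS_PATH_RE = re.compile(
    r'(\\temp\\|\\\\\?\\globalroot|docume~1|documents and settings)', re.I)
SEVERITY = {'high': 0, 'medium': 1, 'low': 2}


def triage(log_text):
    """Return (severity, rule, detail) findings for a ComboFix-style log."""
    findings = []
    services = {}    # service name -> (start type, binary path, bracket text)
    netsvcs = []     # members of the svchost netsvcs group
    values = {}      # service key name -> {value name (lower): data}
    current_key, in_netsvcs = None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == '.':          # '.' closes every log section
            current_key, in_netsvcs = None, False
            continue
        if FIREWALL_OFF_RE.match(line):
            findings.append(('high', 'firewall_disabled', line))
        elif line.endswith(NETSVCS_HEADER):
            in_netsvcs = True
        elif in_netsvcs:
            netsvcs.append(line)
        elif SAFEBOOT_RE.match(line):
            findings.append(('medium', 'safeboot_random_name', line))
        elif (m := SERVICES_KEY_RE.match(line)):
            current_key = m.group(1)
            values.setdefault(current_key, {})
        elif current_key and (m := VALUE_RE.match(line)):
            values[current_key][m.group(1).lower()] = m.group(2)
        elif (m := SERVICE_RE.match(line)):
            services[m.group(2)] = (m.group(1), m.group(4), m.group(5))

    # A service that is registered but has no binary on disk ("[x]").
    for name, (_start, path, bracket) in services.items():
        if not path or bracket.strip().lower() == 'x':
            findings.append(('medium', 'service_missing_file',
                             f'{name}: service registered but no binary on disk'))
    # netsvcs members run inside svchost.exe, so the ServiceDll is what matters.
    for name in netsvcs:
        dll = values.get(name, {}).get('servicedll')
        if dll is None:
            findings.append(('low', 'netsvcs_member_servicedll_unknown', name))
        elif SUSPICIOUS_PATH_RE.search(dll):
            findings.append(('high', 'netsvcs_servicedll_suspicious', f'{name}: {dll}'))
    # An ImagePath that is not a .sys/.exe/.dll (e.g. "\*") is not a real driver.
    for name, vals in values.items():
        image = vals.get('imagepath')
        if image is not None and not re.search(r'\.(sys|exe|dll)\b', image, re.I):
            findings.append(('high', 'service_imagepath_not_a_file',
                             f'{name}: ImagePath={image}'))
    return sorted(findings, key=lambda f: SEVERITY[f[0]])


def summarize(findings):
    """Count findings per rule, e.g. {'firewall_disabled': 1, ...}."""
    counts = {}
    for _sev, rule, _detail in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == '__main__':
    for sev, rule, detail in triage(SAMPLE_LOG):
        print(f'[{sev:6}] {rule}: {detail}')
```

Run against the sample it reports six findings: the disabled firewall, srv32C's ServiceDll in Temp, the ".redbook" non-file ImagePath, the two SafeBoot orphans and the Gpposveircpa driver with no file. The rules are deliberately narrow (path location, missing binary, non-file ImagePath, firewall state) rather than a signature list, which is why they keep working when the dropped file is renamed between reboots, as the original poster saw with TDSSKiller; a line such as the MSConfigStartUp-svcosvt entry is left alone because nothing in the log itself says whether that file is legitimate.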


----------



## simmer14 (Sep 3, 2011)

ComboFix 11-09-06.03 - Mick 06/09/2011 19:28:14.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2559.2194 [GMT 1:00]
Running from: c:\documents and settings\Mick\Desktop\Gotcha.exe
Command switches used :: c:\documents and settings\Mick\Desktop\CFScript.txt
.
FILE ::
"c:\windows\Otixi.bin"
"c:\windows\system32\c_61643.nl_"
.
.
((((((((((((((((((((((((( Files Created from 2011-08-06 to 2011-09-06 )))))))))))))))))))))))))))))))
.
.
2011-09-05 21:29 . 2004-08-03 22:14 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-09-05 20:13 . 2008-04-14 00:12 146432 ------w- c:\windows\regedit.exe
2011-09-05 17:27 . 2011-09-05 17:28 -------- d-----w- C:\Gotcha
2011-09-03 22:23 . 2011-09-03 22:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-08-26 01:33 . 2011-09-03 22:02 -------- d-----w- c:\program files\Perfect Uninstaller
2011-08-25 23:25 . 2011-08-25 23:25 -------- d-----w- C:\TDSSKiller_Quarantine
2011-08-25 17:35 . 2011-09-03 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2011-08-25 12:07 . 2011-09-04 19:01 43408 --sha-w- c:\windows\system32\c_61643.nl_
2011-08-24 12:58 . 2011-08-24 12:58 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-08-24 12:31 . 2011-08-24 12:31 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-24 01:48 . 2011-08-24 12:24 -------- d-----w- c:\documents and settings\LocalService\Application Data\Adobe(2)
2011-08-23 23:14 . 2011-08-24 12:25 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(2)
2011-08-23 20:36 . 2011-08-23 20:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2011-08-23 19:40 . 2011-08-23 19:41 -------- d-----w- c:\documents and settings\Mick\Application Data\Piop
2011-08-22 20:51 . 2011-08-23 19:32 0 ----a-w- c:\windows\Otixi.bin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-04 19:00 . 2009-08-14 20:56 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-09-04 00:02 . 2009-08-14 20:56 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-26 02:07 . 2009-08-14 20:56 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-08-25 23:31 . 2009-08-14 20:56 138368 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-25 23:26 . 2009-08-14 20:56 74752 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-25 23:16 . 2009-08-14 20:56 64896 ----a-w- c:\windows\system32\drivers\serial.sys
2011-07-06 18:52 . 2009-03-24 21:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 18:52 . 2009-03-24 21:20 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-07-26 09:15 2532680 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"SoundMan"="SOUNDMAN.EXE" [2002-03-21 46592]
"FLMK08KB"="c:\program files\Multimedia keyboard utility\1.3\MMKEYBD.EXE" [2004-05-15 207360]
"FLMMEDIONMOUSE"="c:\program files\Browser mouse\1.3\mouse32a.exe" [2004-05-15 356352]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]
.
c:\documents and settings\Mick\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-12-11 110592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-12-11 110592]
updater.lnk - c:\program files\Common Files\updater\wupdater.exe [N/A]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digimax Viewer 2.1.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digimax Viewer 2.1.lnk
backup=c:\windows\pss\Digimax Viewer 2.1.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk
backup=c:\windows\pss\Image Transfer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ActivDRVAutostart]
2004-06-15 17:04 392192 -c--a-w- c:\program files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2008-12-13 17:51 98304 ----a-w- c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_TRAY]
2011-04-18 16:40 2334560 ----a-w- c:\program files\AVG\AVG10\avgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-09-13 10:51 1450096 ------w- c:\program files\Ahead\InCD\InCD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X5100 Series]
2002-12-03 17:29 86102 ----a-w- c:\program files\Lexmark X5100 Series\lxbabmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-07-06 18:52 449584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
2001-08-22 22:52 331830 ----a-w- c:\program files\Microsoft Works\wkssb.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2002-08-30 13:06 372736 ----a-r- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 09:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
2006-05-31 10:47 1003520 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 19:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2001-10-05 01:34 24576 ----a-w- c:\program files\Microsoft Works\wkfud.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Katie's Itunes\\iTunes.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Registry Mechanic\\Update.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\AVG\\AVG10\\Toolbar\\ToolbarBroker.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\MFAData\\SelfUpd\\avgmfapx.exe"=
"c:\\Documents and Settings\\Mick\\Desktop\\kts.com.exe"=
"c:\\Program Files\\Perfect Uninstaller\\PU.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\Mick\\Desktop\\STOPzilla_Setup.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Documents and Settings\\Mick\\Desktop\\simma.com.exe"=
.
R0 ACTIVdrv;ACTIV Device Pen Driver;c:\windows\system32\drivers\ActivDrv.sys [12/02/2004 19:37 67424]
R2 ddnt;ddnt;c:\windows\system32\drivers\ddnt.sys [20/01/2005 20:33 7072]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [24/03/2009 22:20 22712]
S2 ActivDRVcontrol;ACTIVdriver Control;c:\program files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe --> c:\program files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe [?]
S2 Ca536av;Icatch(VII) Video Camera Device;c:\windows\system32\drivers\Ca536av.sys [04/03/2008 20:33 514859]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe --> c:\windows\system32\FsUsbExService.Exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [24/03/2009 22:20 366640]
S3 ActivDRV_USB;ActivDRV_USB.Sys USB ACTIVboard;c:\windows\system32\drivers\ActivDRV_USB.sys [20/01/2003 04:14 17232]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [13/05/2011 20:03 1025352]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [28/10/2009 20:05 36608]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
.
Contents of the 'Scheduled Tasks' folder
.
2010-12-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]
.
2011-09-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-11-01 21:00]
.
2011-08-26 c:\windows\Tasks\prismDowngrade.job
- c:\program files\NCH Software\Prism\prism.exe [2011-02-06 21:13]
.
2011-09-04 c:\windows\Tasks\prismShakeIcon.job
- c:\program files\NCH Software\Prism\prism.exe [2011-02-06 21:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=hxxp://www-cache.freeserve.net:8080;ftp=http://www-cache.freeserve.net:8080
uInternet Settings,ProxyOverride = <local>;*.local
IE: Free YouTube to Mp3 Converter - c:\documents and settings\Mick\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
TCP: DhcpNameServer = 194.168.4.100 192.168.0.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
DPF: {FD18DD5E-B398-452A-B22A-B54636BA9F0D} - hxxp://www.blinkz.com/test/ImageUploader2.cab
FF - ProfilePath - c:\documents and settings\Mick\Application Data\Mozilla\Firefox\Profiles\bc4owdxj.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/|http://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b12cdeb&v=7.005.030.004&i=23&tp=ab&iy=&ychte=uk&lng=en-GB&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AVG Security Toolbar em:version=7.007.026.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: [email protected] - c:\program files\AVG\AVG10\Toolbar\Firefox\[email protected]
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG10\Firefox4
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: vShare: [email protected] - %profile%\extensions\[email protected]
FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
FF - Ext: Firebug: [email protected] - %profile%\extensions\[email protected]
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-06 19:48
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\.redbook]
"ImagePath"="\*"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3132)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\program files\Browser mouse\1.3\MOUDL32A.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Multimedia keyboard utility\1.3\KbdAp32A.exe
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2011-09-06 19:58:45 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-06 18:58
.
Pre-Run: 10,935,070,720 bytes free
Post-Run: 10,905,591,808 bytes free
.
- - End Of File - - 455349D8A373447F1BEC2D5C46B6B074


----------



## kevinf80 (Mar 21, 2006)

Did you run ESET....


----------



## simmer14 (Sep 3, 2011)

Currently running it mate. It's actually on 99% and found 19 infections. I did uncheck the 'remove infected files' box as requested. Had a quick look at the animation you posted and that had the box checked. Am I still ok with that?


----------



## kevinf80 (Mar 21, 2006)

Yep that is fine, I like to see what the AV scan shows, if you let it run loose it could remove a critical file.... Still some issues with the CF log....


----------



## simmer14 (Sep 3, 2011)

Crikey! Over an hour to do that last 1% and the threats jumped to 70-odd.

C:\Program Files\AVG\AVG10\avgchsvx.exe Win32/Patched.HN trojan
C:\Program Files\AVG\AVG10\avgrsx.exe Win32/Patched.HN trojan
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe.old Win32/Patched.HN trojan
C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll a variant of Win32/Adware.Toolbar.Dealio application
C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir Win32/Sirefef.CH trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\wuauclt.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\netbt.sys.vir Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2377\A0270670.dll a variant of Win32/Kryptik.RZJ trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2378\A0270737.dll a variant of Win32/Kryptik.RZD trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2383\A0276746.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2383\A0276747.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2383\A0276770.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2383\A0276771.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2384\A0276794.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2384\A0276795.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2384\A0276796.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2384\A0276797.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2384\A0276798.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2384\A0276799.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2386\A0276892.old Win32/Patched.HN trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2387\A0276915.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2387\A0276936.old Win32/Patched.HN trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2388\A0276963.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2388\A0276964.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2388\A0276971.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2388\A0276972.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2389\A0277023.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2389\A0277024.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2389\A0277025.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2389\A0277026.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2390\A0279046.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2390\A0279047.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2390\A0279054.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2390\A0279055.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2390\A0281062.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2390\A0281063.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2391\A0281074.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2391\A0281075.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2392\A0281099.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2392\A0281100.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2393\A0283111.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2393\A0283112.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2393\A0283116.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2393\A0284111.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2393\A0284112.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2393\A0284118.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2393\A0284119.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2394\A0284129.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2394\A0284153.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2394\A0284165.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2394\A0284166.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2394\A0284218.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2394\A0284219.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2394\A0284230.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2394\A0284236.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2396\A0284267.dll Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2397\A0286295.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2397\A0286296.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2397\A0286304.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2397\A0286305.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2398\A0286374.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2398\A0286375.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2398\A0286382.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2398\A0286383.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2398\A0286533.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2398\A0286534.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2399\A0286540.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2399\A0286709.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2399\A0286710.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2399\A0286983.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2399\A0287121.exe Win32/Patched.HN trojan
C:\TDSSKiller_Quarantine\26.08.2011_00.23.17\susp0000\svc0000\tsk0000.dta Win32/Sirefef.CT trojan
C:\WINDOWS\system32\c_61643.nl_ Win32/Sirefef.CR trojan


----------



## kevinf80 (Mar 21, 2006)

OK, continue as follows :-

Please download *OTM by OldTimer*.
*Alternative Mirror 1*
*Alternative Mirror 2* 
Save it to your desktop. 
Double click *OTM.exe* to start the tool. Vista or Windows 7 users right click and select Run as Administrator

*Copy* the text between the dotted lines below to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):

-------------------------------------------------------------------
:Files
ipconfig /flushdns /c
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe.old
C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll
C:\WINDOWS\system32\c_61643.nl_
c:\windows\Otixi.bin
:Commands
[ResetHosts]
[ClearAllRestorePoints]
[EmptyTemp]
[Reboot]
---------------------------------------------------------------------

Return to OTMoveIt3, right click in the *"Paste Instructions for Items to be Moved"* window (under the yellow bar) and choose *Paste*.
Click the red *MoveIt!* button.
*Copy* everything in the Results window (under the green bar) to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close *OTM*
*Note:* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

If the machine reboots, the Results log can be found here:

*c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log*

Where mmddyyyy_hhmmss is the date of the tool run.

Next,

We need to see some additional information about what is happening in your machine.
Please perform the following scan:

Download *DDS* by sUBs from one of the following links. Save it to your desktop.
*DDS.com*
*DDS.scr*
*DDS.pif*

Double click on the *DDS* icon, allow it to run.
A small box will open, with an explanation about the tool.
When done, DDS will open two (2) logs
 1. DDS.txt
 2. Attach.txt
Save both reports to your desktop.
The instructions here ask you to attach the Attach.txt.
*Instead of attaching, please copy/paste both logs into your next reply.*
Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control *HERE*

Let me see the following in next reply :-


 Log from OTM
 DDS.txt
 Attach.txt

Kevin...
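As an added example (not code from this thread, from OTM or from ESET), the Python below turns ESET result lines like the ones posted above into an OTM `:Files` script, applying the triage the helper's script reflects: copies inside quarantine folders are left alone, restore-point copies are covered by a single `[ClearAllRestorePoints]`, and everything else is listed for moving. The folder prefixes and that rule are this example's assumptions.

```python
"""Added example, not code from the thread or from any tool it names: parse
ESET Online Scanner result lines and build an OTM ':Files' script from them.
The triage rule (restore points -> [ClearAllRestorePoints]; files already in
a quarantine folder -> leave alone; everything else -> move) is inferred from
the helper's script in the thread and is this example's assumption."""
import re
from typing import Dict, List, NamedTuple

# One ESET result line is "<path> <detection name>"; the path may contain
# spaces, so the split point is the first whitespace followed by an optional
# "a variant of" / "probably a variant of" prefix and a "Family/Name" token.
_LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:probably\s+)?(?:a variant of\s+)?\S+/\S+.*)$"
)

# Assumed locations whose contents are already contained (earlier tools'
# quarantines) or are wiped wholesale by [ClearAllRestorePoints].
RESTORE_POINT_PREFIX = "c:\\system volume information\\"
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\", "c:\\tdsskiller_quarantine\\")


class Finding(NamedTuple):
    path: str
    detection: str
    category: str  # "live", "restore_point" or "quarantined"


def classify(path: str) -> str:
    """Decide how a detected file should be handled (case-insensitive prefix match)."""
    low = path.lower()
    if low.startswith(RESTORE_POINT_PREFIX):
        return "restore_point"
    if low.startswith(QUARANTINE_PREFIXES):
        return "quarantined"
    return "live"


def parse_eset_results(text: str) -> List[Finding]:
    """Parse ESET result lines; blank lines and lines that do not fit are skipped."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if m is None:
            continue
        path = m.group("path")
        findings.append(Finding(path, m.group("detection").strip(), classify(path)))
    return findings


def build_otm_script(findings: List[Finding]) -> str:
    """Emit an OTM script: only live files go under :Files (deduplicated);
    restore-point copies are handled by one [ClearAllRestorePoints] command."""
    live = []
    seen = set()
    for f in findings:
        if f.category == "live" and f.path.lower() not in seen:
            seen.add(f.path.lower())
            live.append(f.path)
    lines = [":Files", *live, ":Commands"]
    if any(f.category == "restore_point" for f in findings):
        lines.append("[ClearAllRestorePoints]")
    lines += ["[EmptyTemp]", "[Reboot]"]
    return "\n".join(lines) + "\n"


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category so the operator can sanity-check the triage."""
    counts = {"live": 0, "restore_point": 0, "quarantined": 0}
    for f in findings:
        counts[f.category] += 1
    return counts


# Constructed sample: six lines taken from the ESET results posted in the thread.
SAMPLE_RESULTS = r"""
C:\Program Files\AVG\AVG10\avgchsvx.exe Win32/Patched.HN trojan
C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll a variant of Win32/Adware.Toolbar.Dealio application
C:\Qoobox\Quarantine\C\WINDOWS\system32\wuauclt.exe.vir Win32/Patched.HN trojan
C:\System Volume Information\_restore{8D18DC7F-BE95-4DFD-B465-1E3DD61EB122}\RP2384\A0276794.exe Win32/Patched.HN trojan
C:\TDSSKiller_Quarantine\26.08.2011_00.23.17\susp0000\svc0000\tsk0000.dta Win32/Sirefef.CT trojan
C:\WINDOWS\system32\c_61643.nl_ Win32/Sirefef.CR trojan
"""

if __name__ == "__main__":
    found = parse_eset_results(SAMPLE_RESULTS)
    print(summarize(found))
    print(build_otm_script(found))
```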


----------



## simmer14 (Sep 3, 2011)

Ok. It started to run after clicking 'moveit' but then threw up:

OTM: OTM.exe - Unable to Locate Component
This application has failed to start because xpcom.dll was not found. Re-installing the application may fix this problem.


----------



## simmer14 (Sep 3, 2011)

And now it's started running again after I clicked 'ok'


----------



## simmer14 (Sep 3, 2011)

Well, I'm not sure what that message was about but after it finished and rebooted it left me this in notepad.

All processes killed
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Mick\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Mick\Desktop\cmd.txt deleted successfully.
C:\Program Files\AVG\AVG10\avgchsvx.exe moved successfully.
C:\Program Files\AVG\AVG10\avgrsx.exe moved successfully.
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe.old moved successfully.
LoadLibrary failed for C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll
C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll moved successfully.
C:\WINDOWS\system32\c_61643.nl_ moved successfully.
c:\windows\Otixi.bin moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

Restore points cleared and new OTM Restore Point set!

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Betty
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Katie
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Lisa
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: Mick
->Temp folder emptied: 65752 bytes
->Temporary Internet Files folder emptied: 7614845 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 7.00 mb

OTM by OldTimer - Version 3.1.18.0 log created on 09072011_000713
Files moved on Reboot...
Registry entries deleted on Reboot...


----------



## simmer14 (Sep 3, 2011)

.
DDS (Ver_2011-08-26.01) - NTFSx86 
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by Mick at 0:20:20 on 2011-09-07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2559.2152 [GMT 1:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Browser mouse\1.3\mouse32a.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Multimedia keyboard utility\1.3\KbdAp32A.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=hxxp://www-cache.freeserve.net:8080;ftp=http://www-cache.freeserve.net:8080
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [FLMK08KB] c:\program files\multimedia keyboard utility\1.3\MMKEYBD.EXE
mRun: [FLMMEDIONMOUSE] c:\program files\browser mouse\1.3\mouse32a.exe
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\mick\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\updater.lnk - c:\program files\common files\updater\wupdater.exe
IE: Free YouTube to Mp3 Converter - c:\documents and settings\mick\application data\dvdvideosoftiehelpers\youtubetomp3.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37670.7014583333
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} - hxxp://secure.sunterra.com/europe/downloads/svideo3.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {FD18DD5E-B398-452A-B22A-B54636BA9F0D} - hxxp://www.blinkz.com/test/ImageUploader2.cab
TCP: DhcpNameServer = 194.168.4.100 192.168.0.1
TCP: Interfaces\{ED7BE40C-DEA6-4734-A0C3-6FB6B96022F7} : DhcpNameServer = 194.168.4.100 192.168.0.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mick\application data\mozilla\firefox\profiles\bc4owdxj.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/|http://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b12cdeb&v=7.005.030.004&i=23&tp=ab&iy=&ychte=uk&lng=en-GB&q=
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff5.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\[email protected]\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\[email protected]\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\[email protected]\components\xpavgtbapi.dll
FF - component: c:\program files\common files\spigot\wtxpcom\components\WidgiToolbarFF.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1487.6512\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\katie's itunes\mozilla plugins\npitunes.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Security Toolbar em:version=7.007.026.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: [email protected] - c:\program files\avg\avg10\toolbar\firefox\[email protected]
FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg10\Firefox4
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: vShare: [email protected] - %profile%\extensions\[email protected]
FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
FF - Ext: Firebug: [email protected] - %profile%\extensions\[email protected]
.
============= SERVICES / DRIVERS ===============
.
R0 ACTIVdrv;ACTIV Device Pen Driver;c:\windows\system32\drivers\ActivDrv.sys [2004-2-12 67424]
R2 ddnt;ddnt;c:\windows\system32\drivers\ddnt.sys [2005-1-20 7072]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-3-24 22712]
S2 ActivDRVcontrol;ACTIVdriver Control;c:\program files\activ software\activdriver\activdrvservice.exe --> c:\program files\activ software\activdriver\ActivDRVservice.exe [?]
S2 Ca536av;Icatch(VII) Video Camera Device;c:\windows\system32\drivers\Ca536av.sys [2008-3-4 514859]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\fsusbexservice.exe --> c:\windows\system32\FsUsbExService.Exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\googleupdate.exe /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-3-24 366640]
S3 ActivDRV_USB;ActivDRV_USB.Sys USB ACTIVboard;c:\windows\system32\drivers\ActivDRV_USB.sys [2003-1-20 17232]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-13 1025352]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-10-28 36608]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\googleupdate.exe /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]
.
=============== Created Last 30 ================
.
2011-09-06 23:07:13 -------- d-----w- C:\_OTM
2011-09-06 19:20:33 -------- d-----w- c:\program files\ESET
2011-09-05 21:29:07 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-09-05 21:23:42 -------- d-sha-r- C:\cmdcons
2011-09-05 20:13:55 146432 ------w- c:\windows\regedit.exe
2011-09-05 17:27:58 -------- d-----w- C:\Gotcha
2011-09-04 23:08:52 98816 ----a-w- c:\windows\sed.exe
2011-09-04 23:08:52 518144 ----a-w- c:\windows\SWREG.exe
2011-09-04 23:08:52 256000 ----a-w- c:\windows\PEV.exe
2011-09-04 23:08:52 208896 ----a-w- c:\windows\MBR.exe
2011-08-26 01:33:43 -------- d-----w- c:\program files\Perfect Uninstaller
2011-08-25 23:25:14 -------- d-----w- C:\TDSSKiller_Quarantine
2011-08-25 17:35:17 -------- d-----w- c:\documents and settings\all users\application data\AVG Security Toolbar
2011-08-24 12:31:34 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-08-24 12:31:34 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-23 19:40:44 -------- d-----w- c:\documents and settings\mick\application data\Piop
.
==================== Find3M ====================
.
2011-09-04 19:00:37 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-09-04 00:02:24 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-26 02:07:23 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-08-25 23:31:43 138368 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-25 23:26:06 74752 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-25 23:16:03 64896 ----a-w- c:\windows\system32\drivers\serial.sys
2011-07-06 18:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 0:21:52.56 ===============


----------



## simmer14 (Sep 3, 2011)

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 04/12/2002 23:32:09
System Uptime: 07/09/2011 00:12:39 (0 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | GA-8STXCFS
Processor: Intel(R) Pentium(R) 4 CPU 2.53GHz | Socket 478 | 2545/133mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 112 GiB total, 14.874 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
.
ABBYY FineReader 5.0 Sprint
ACTIVdriver
ACTIVdriver v2.6.1
ACTIVprimary
ACTIVprimary English (UK) v1.2 (Build 2)
ACTIVprimary Resources
ACTIVprimary Resources English (UK) v1.2.1
Adobe Acrobat 5.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe GoLive 5.0
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Photoshop Elements
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
Any Video Converter 3.2.1
Apple Software Update
Audacity 1.2.6
Avery DesignPro
Belarc Advisor 8.1
BlueSoleil
Bonjour
Browser mouse 1.3
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 2.2
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Corel Snapfire
Critical Update for Windows Media Player 11 (KB959772)
Digimax Viewer 2.1
Doremi FLV to MP3 Converter 1.6
ESET Online Scanner v3
Express Rip
EZBack-it-up 2.0.1
ezeVue Installer
ezeVue Media Manager
ezeVue Media Player
FaxTools
FLV Player 2.0, build 23
Free Audio CD Burner version 1.4
Free YouTube to MP3 Converter version 3.8
Fun Learning Maths Skills
Google Earth
Google Update Helper
Google Updater
GraphicView 32
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HTC Driver Installer
InterActual Player
iTunes
Java 2 Runtime Environment, SE v1.4.1_01
Java Auto Updater
Java Web Start
Java(TM) 6 Update 23
Lexmark X5100 Series
Macromedia Extension Manager
Macromedia Flash MX
Macromedia Flash Player
Macromedia FreeHand 10
Malwarebytes' Anti-Malware version 1.51.1.1800
Maths Toolbox 3
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard - WE 2002
Microsoft Image Composer 1.5
Microsoft Office 2000 Premium
Microsoft Office 2000 SR-1 Disc 2
Microsoft Picture It! Photo 2002
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
MicroStaff WINASPI
Mozilla Firefox (3.6.15)
MSP3885-E 56K PCI Modem
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Multimedia keyboard utility 1.3
My Web Search (Outlook, Outlook Express, and IncrediMail)
NCH Toolbox
Nero
Nero Suite
NoteWorthy Composer 2
NVIDIA Windows 2000/XP Display Drivers
PacMania 2
PageBreeze Free HTML Editor
Perfect Uninstaller v6.3.3.9
Pinnacle Hollywood FX for Studio
PowerDVD
Prism Video File Converter
QuickTime
RealPlayer
Recordpad
Registrar Registry Manager 6.02
Registry Mechanic 8.0
Revo Uninstaller 1.80
SA21xx Device Manager
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung New PC Studio
Samsung New PC Studio USB Driver Installer
Search Assistant - My Web Search
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Shockwave
SmartSound Quicktracks Plugin
Sony USB Driver
SopCast 2.0.4
Spotify
Studio 9
Switch Sound File Converter
Try Corel Snapfire muvee autoProducer add on
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB925720)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Veetle TV 0.9.18
vShare Plugin
WAV MP3 Converter 3.8 build 968
WavePad Uninstall
WebFldrs XP
Windows Blaster Worm Removal Tool (KB833330)
Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
Windows Driver Package - Sunplus (Ca50xav) Image (01/27/2005 2.2.0.7)
Windows Driver Package - Sunplus (Ca536av) Image (08/05/2003 2.2.0.5)
Windows Driver Package - Sunplus (USBCamera) Image (05/13/2003 1.2.0.0)
Windows Driver Package - Sunplus (USBCamera) USB (05/14/2003 1.2.0.0)
Windows Driver Package - Sunplus (usbhub) USB (07/31/2002 2.0.0.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Movie Maker 2.0
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
WinZip
Works Suite OS Pack
Works Synchronization
YouTube Downloader 2.6.5
YouTube Downloader Toolbar v4.5
.
==== Event Viewer Messages From Past Week ========
.
06/09/2011 18:38:29, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
06/09/2011 18:38:29, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
04/09/2011 21:11:03, error: Service Control Manager [7000] - The MBAMService service failed to start due to the following error: Access is denied.
04/09/2011 21:10:57, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'netbt.sys' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
04/09/2011 21:00:59, error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort0.
04/09/2011 20:51:59, error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
04/09/2011 20:30:30, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
03/09/2011 23:32:36, error: Service Control Manager [7023] - The Workstation service terminated with the following error: The system cannot find the file specified.
03/09/2011 23:32:36, error: Service Control Manager [7001] - The Computer Browser service depends on the Workstation service which failed to start because of the following error: The system cannot find the file specified.
03/09/2011 23:22:23, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BANTExt Fips intelppm IPSec MRxSmb NetBIOS NetBT PCLEPCI RasAcd Rdbss Tcpip
03/09/2011 23:22:23, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
03/09/2011 23:22:23, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
03/09/2011 23:22:23, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
03/09/2011 23:22:23, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
03/09/2011 23:22:23, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
03/09/2011 23:22:07, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
03/09/2011 23:21:38, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
03/09/2011 23:21:35, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
03/09/2011 22:51:59, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The system cannot find the file specified.
03/09/2011 21:04:38, error: Service Control Manager [7000] - The HTTP SSL service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
03/09/2011 21:04:33, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the HTTP SSL service to connect.
03/09/2011 20:51:05, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'mrxsmb.sys' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
03/09/2011 19:29:09, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
03/09/2011 19:28:50, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: agp440
03/09/2011 19:00:41, error: Service Control Manager [7000] - The Windows Installer service failed to start due to the following error: The system cannot find the file specified.
03/09/2011 19:00:41, error: DCOM [10005] - DCOM got error "%2" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
03/09/2011 19:00:12, error: Service Control Manager [7034] - The NVIDIA Driver Helper Service service terminated unexpectedly. It has done this 1 time(s).
03/09/2011 16:16:09, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
03/09/2011 16:16:09, error: Service Control Manager [7000] - The Canon Camera Access Library 8 service failed to start due to the following error: The system cannot find the file specified.
03/09/2011 16:16:08, error: Service Control Manager [7023] - The srv32C service terminated with the following error: The specified module could not be found.
03/09/2011 16:16:08, error: Service Control Manager [7001] - The Print Spooler service depends on the LexBce Server service which failed to start because of the following error: The system cannot find the file specified.
03/09/2011 16:16:08, error: Service Control Manager [7001] - The Fax service depends on the Print Spooler service which failed to start because of the following error: The dependency service or group failed to start.
03/09/2011 16:16:08, error: Service Control Manager [7000] - The Upload Manager service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
03/09/2011 16:16:08, error: Service Control Manager [7000] - The ProtexisLicensing service failed to start due to the following error: The system cannot find the file specified.
03/09/2011 16:16:08, error: Service Control Manager [7000] - The LexBce Server service failed to start due to the following error: The system cannot find the file specified.
03/09/2011 16:16:08, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: The system cannot find the file specified.
03/09/2011 16:16:08, error: Service Control Manager [7000] - The InCD Helper service failed to start due to the following error: The system cannot find the file specified.
03/09/2011 16:16:08, error: Service Control Manager [7000] - The Icatch(VII) Video Camera Device service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
03/09/2011 16:16:08, error: Service Control Manager [7000] - The FsUsbExService service failed to start due to the following error: The system cannot find the file specified.
03/09/2011 16:16:08, error: Service Control Manager [7000] - The Bonjour Service service failed to start due to the following error: The system cannot find the file specified.
03/09/2011 16:16:08, error: Service Control Manager [7000] - The BlueSoleil Hid Service service failed to start due to the following error: The system cannot find the file specified.
03/09/2011 16:16:08, error: Service Control Manager [7000] - The ACTIVdriver Control service failed to start due to the following error: The system cannot find the file specified.
.
==== End Of File ===========================


----------



## kevinf80 (Mar 21, 2006)

As far as I'm aware xpcom.dll is from Firefox, not sure why that alert came up. Post the logs from DDS, see what that shows us. Sleepy time for me, will have to follow on later. zzzzzzzz


----------



## simmer14 (Sep 3, 2011)

Ok mate. I'm off too.

Once again, many thanks for your efforts on this.


----------



## kevinf80 (Mar 21, 2006)

We cross posted. Run the AVG removal tool from here http://www.avg.com/us-en/utilities to get rid of all remnants.

To keep safe when online you need a good *Antivirus/Antispyware/Antimalware/Anti-Rootkit* combination application. *Microsoft Security Essentials* covers all of those bases, but better still it is free. Go *Here* and hit the "Download it free today" tab, follow the prompts. Once installed it will want to update and carry out a quick scan, allow that to happen.
Go *Here* for information that will show you how to install and use MSE.

Let me know if MSE finds anything, also give update on any issues or concerns... Defo off to bed now....


----------



## simmer14 (Sep 3, 2011)

Hi Kevin.

I've uninstalled AVG using the removal tool in your link. No problem. I also uninstalled Malwarebytes using its own uninstaller. (I'd already had it disabled prior to this)

I then downloaded MSE and tried to run it but it halted saying I needed to install some filter manager or other. It directed me to that so I installed it and ran it which then required a reboot. 

I then went to run MSE again and it seemed to progress further but then I'm getting an installation error each time.

'An error has prevented the Security Essentials setup wizard from completing successfully. Please restart your computer and try again.

Error Code: 0x8004FF01 '

Not sure if any of those 72 infections which ESET found could be preventing it? Any ideas?


----------



## simmer14 (Sep 3, 2011)

A bit more info regarding installing MSE, Kevin.

I followed the error code to Microsoft's site and looked at their solution steps.

Step 1 - uninstall all av and spyware programs. 
[Sure I've done all this now]

Step 2 - Ensure that the Windows Installer service is running. 
[I followed the steps in the Microsoft solution guide to start the installer. When I right-clicked Windows Installer, 'start' was an option to click so I did but then got the message

Could not start the Windows Installer service on the Local Computer.
Error 2: The system cannot find the file specified. ]

Do I need to download and install Windows Installer 3.1?


----------



## kevinf80 (Mar 21, 2006)

Do this first, see if there is a backup file already on your system:

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*

Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:


```
:filefind
msiexec.exe
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*

Let me see the log.....


----------



## simmer14 (Sep 3, 2011)

Apologies for the delay.

SystemLook 30.07.11 by jpshortstuff
Log created at 23:30 on 07/09/2011 by Mick
Administrator - Elevation successful
========== filefind ==========
Searching for "msiexec.exe"
C:\WINDOWS\$MSI31Uninstall_KB893803$\msiexec.exe -----c- 64512 bytes [21:22 26/04/2005] [02:41 29/08/2002] 0FF60CC9E72EFC863B40B906E3372D81
C:\WINDOWS\$NtServicePackUninstall$\msiexec.exe -----c- 78848 bytes [19:18 20/08/2009] [14:00 21/03/2005] F5F0146580E7023ADB963879840777F8
C:\WINDOWS\ServicePackFiles\i386\msiexec.exe --a--c- 77312 bytes [11:30 03/07/2004] [23:56 03/08/2004] 4236AE241F193F58ADAB141CECCFD5F4
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\msiexec.exe --a--c- 78848 bytes [23:34 18/09/2009] [00:12 14/04/2008] 5879D691E842574A20FE63817CB76DF9
C:\WINDOWS\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\msiexec.exe --a--c- 77312 bytes [07:56 04/08/2004] [07:56 04/08/2004] 4236AE241F193F58ADAB141CECCFD5F4
-= EOF =-

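The SystemLook `:filefind` log above is what the helper reads to decide whether a clean copy of `msiexec.exe` still exists anywhere on the disk. As an added example (not part of the thread, and not SystemLook's or the helper's own tooling), the script below parses that exact output, groups the copies by MD5, checks whether the live `C:\WINDOWS\system32` copy is present at all, and lists the other copies whose hash agrees with the `ServicePackFiles` copy; treating the `ServicePackFiles` copy as the reference build is this example's own heuristic.

```python
"""Parse SystemLook ':filefind' output and reason about surviving copies of a
system file. Added example for this thread: SAMPLE_LOG is the SystemLook
output posted above, embedded so the script runs offline. Using the
ServicePackFiles copy as the reference hash is an assumption of this example."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed from the log posted in the thread (identical lines).
SAMPLE_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 23:30 on 07/09/2011 by Mick
Administrator - Elevation successful
========== filefind ==========
Searching for "msiexec.exe"
C:\WINDOWS\$MSI31Uninstall_KB893803$\msiexec.exe -----c- 64512 bytes [21:22 26/04/2005] [02:41 29/08/2002] 0FF60CC9E72EFC863B40B906E3372D81
C:\WINDOWS\$NtServicePackUninstall$\msiexec.exe -----c- 78848 bytes [19:18 20/08/2009] [14:00 21/03/2005] F5F0146580E7023ADB963879840777F8
C:\WINDOWS\ServicePackFiles\i386\msiexec.exe --a--c- 77312 bytes [11:30 03/07/2004] [23:56 03/08/2004] 4236AE241F193F58ADAB141CECCFD5F4
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\msiexec.exe --a--c- 78848 bytes [23:34 18/09/2009] [00:12 14/04/2008] 5879D691E842574A20FE63817CB76DF9
C:\WINDOWS\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\msiexec.exe --a--c- 77312 bytes [07:56 04/08/2004] [07:56 04/08/2004] 4236AE241F193F58ADAB141CECCFD5F4
-= EOF =-
"""

# One filefind hit: <path> <7 attribute flags> <size> bytes [ts] [ts] <MD5>
FILEFIND_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<ts1>[^\]]+)\] \[(?P<ts2>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})\s*$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"')

LIVE_DIR = r"C:\WINDOWS\system32"          # where the OS expects the file
REFERENCE_MARKER = "\\servicepackfiles\\"  # example's choice of reference copy


@dataclass(frozen=True)
class FileHit:
    path: str
    attrs: str
    size: int
    ts1: str   # the two timestamps exactly as SystemLook prints them
    ts2: str
    md5: str

    @property
    def directory(self) -> str:
        return self.path.rsplit("\\", 1)[0]


def target_name(text: str):
    """Return the file name the filefind section searched for, or None."""
    for line in text.splitlines():
        m = SEARCH_RE.match(line)
        if m:
            return m.group("name")
    return None


def parse_filefind(text: str):
    """Return every hit line as a FileHit; header/footer lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line)
        if m:
            hits.append(FileHit(m["path"], m["attrs"], int(m["size"]),
                                m["ts1"], m["ts2"], m["md5"].upper()))
    return hits


def group_by_md5(hits):
    """Map each MD5 to the paths that carry it, so agreeing copies stand out."""
    groups = defaultdict(list)
    for h in hits:
        groups[h.md5].append(h.path)
    return dict(groups)


def live_copy_present(hits, live_dir: str = LIVE_DIR) -> bool:
    """True if a hit sits in the live directory (case-insensitive compare)."""
    return any(h.directory.lower() == live_dir.lower() for h in hits)


def reference_copy(hits):
    """The ServicePackFiles copy, used here as the reference hash (assumption)."""
    for h in hits:
        if REFERENCE_MARKER in h.path.lower():
            return h
    return None


def restore_candidates(hits, live_dir: str = LIVE_DIR):
    """Other copies whose MD5 matches the reference copy, excluding the
    reference itself and anything already in the live directory."""
    ref = reference_copy(hits)
    if ref is None:
        return []
    return [h for h in hits
            if h.md5 == ref.md5 and h.path != ref.path
            and h.directory.lower() != live_dir.lower()]


if __name__ == "__main__":
    hits = parse_filefind(SAMPLE_LOG)
    print(f"{target_name(SAMPLE_LOG)}: {len(hits)} copies found")
    for md5, paths in group_by_md5(hits).items():
        print(md5, "->", len(paths), "copy/copies")
    print("live copy present:", live_copy_present(hits))
    for h in restore_candidates(hits):
        print("matches reference hash:", h.path)
```

On the posted log the live `system32` copy is absent, which is consistent with the "Error 2: The system cannot find the file specified" message when starting the Windows Installer service.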

----------



## kevinf80 (Mar 21, 2006)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open *notepad* and copy/paste the text in the Codebox below into it:


```
KillAll::
FCopy::
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\msiexec.exe | C:\Windows\System32\msiexec.exe
```
Save this as *CFScript.txt*, and as Type: *All Files* *(*.*)* in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at *C:\ComboFix.txt* which I will require in your next reply.

See if MSE will install


----------



## simmer14 (Sep 3, 2011)

Hi Kevin. Time for the next shift!!!

ComboFix 11-09-08.03 - Mick 08/09/2011 18:16:32.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2559.2173 [GMT 1:00]
Running from: c:\documents and settings\Mick\Desktop\Gotcha.exe
Command switches used :: c:\documents and settings\Mick\Desktop\CFScript.txt
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\tsoc.log
.
.
((((((((((((((((((((((((( Files Created from 2011-08-08 to 2011-09-08 )))))))))))))))))))))))))))))))
.
.
2011-09-06 23:07 . 2011-09-06 23:07 -------- d-----w- C:\_OTM
2011-09-05 21:29 . 2004-08-03 22:14 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-09-05 20:13 . 2008-04-14 00:12 146432 ------w- c:\windows\regedit.exe
2011-09-05 17:27 . 2011-09-05 17:28 -------- d-----w- C:\Gotcha
2011-09-03 22:23 . 2011-09-03 22:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-08-26 01:33 . 2011-09-03 22:02 -------- d-----w- c:\program files\Perfect Uninstaller
2011-08-25 23:25 . 2011-08-25 23:25 -------- d-----w- C:\TDSSKiller_Quarantine
2011-08-25 17:35 . 2011-09-07 15:42 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2011-08-24 12:58 . 2011-08-24 12:58 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-08-24 12:31 . 2011-08-24 12:31 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-24 01:48 . 2011-08-24 12:24 -------- d-----w- c:\documents and settings\LocalService\Application Data\Adobe(2)
2011-08-23 23:14 . 2011-08-24 12:25 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(2)
2011-08-23 20:36 . 2011-08-23 20:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2011-08-23 19:40 . 2011-08-23 19:41 -------- d-----w- c:\documents and settings\Mick\Application Data\Piop
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-04 19:00 . 2009-08-14 20:56 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-09-04 00:02 . 2009-08-14 20:56 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-26 02:07 . 2009-08-14 20:56 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-08-25 23:31 . 2009-08-14 20:56 138368 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-25 23:26 . 2009-08-14 20:56 74752 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-25 23:16 . 2009-08-14 20:56 64896 ----a-w- c:\windows\system32\drivers\serial.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"SoundMan"="SOUNDMAN.EXE" [2002-03-21 46592]
"FLMK08KB"="c:\program files\Multimedia keyboard utility\1.3\MMKEYBD.EXE" [2004-05-15 207360]
"FLMMEDIONMOUSE"="c:\program files\Browser mouse\1.3\mouse32a.exe" [2004-05-15 356352]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]
.
c:\documents and settings\Mick\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-12-11 110592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-12-11 110592]
updater.lnk - c:\program files\Common Files\updater\wupdater.exe [N/A]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digimax Viewer 2.1.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digimax Viewer 2.1.lnk
backup=c:\windows\pss\Digimax Viewer 2.1.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk
backup=c:\windows\pss\Image Transfer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ActivDRVAutostart]
2004-06-15 17:04 392192 -c--a-w- c:\program files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2008-12-13 17:51 98304 ----a-w- c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-09-13 10:51 1450096 ------w- c:\program files\Ahead\InCD\InCD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X5100 Series]
2002-12-03 17:29 86102 ----a-w- c:\program files\Lexmark X5100 Series\lxbabmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
2001-08-22 22:52 331830 ----a-w- c:\program files\Microsoft Works\wkssb.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2002-08-30 13:06 372736 ----a-r- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 09:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
2006-05-31 10:47 1003520 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 19:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2001-10-05 01:34 24576 ----a-w- c:\program files\Microsoft Works\wkfud.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Katie's Itunes\\iTunes.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Registry Mechanic\\Update.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\MFAData\\SelfUpd\\avgmfapx.exe"=
"c:\\Documents and Settings\\Mick\\Desktop\\kts.com.exe"=
"c:\\Program Files\\Perfect Uninstaller\\PU.exe"=
"c:\\Documents and Settings\\Mick\\Desktop\\STOPzilla_Setup.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Documents and Settings\\Mick\\Desktop\\simma.com.exe"=
.
R0 ACTIVdrv;ACTIV Device Pen Driver;c:\windows\system32\drivers\ActivDrv.sys [12/02/2004 19:37 67424]
R2 ddnt;ddnt;c:\windows\system32\drivers\ddnt.sys [20/01/2005 20:33 7072]
S2 ActivDRVcontrol;ACTIVdriver Control;c:\program files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe --> c:\program files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe [?]
S2 Ca536av;Icatch(VII) Video Camera Device;c:\windows\system32\drivers\Ca536av.sys [04/03/2008 20:33 514859]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe --> c:\windows\system32\FsUsbExService.Exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 ActivDRV_USB;ActivDRV_USB.Sys USB ACTIVboard;c:\windows\system32\drivers\ActivDRV_USB.sys [20/01/2003 04:14 17232]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [?]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [28/10/2009 20:05 36608]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
.
Contents of the 'Scheduled Tasks' folder
.
2010-12-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]
.
2011-09-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-11-01 21:00]
.
2011-08-26 c:\windows\Tasks\prismDowngrade.job
- c:\program files\NCH Software\Prism\prism.exe [2011-02-06 21:13]
.
2011-09-04 c:\windows\Tasks\prismShakeIcon.job
- c:\program files\NCH Software\Prism\prism.exe [2011-02-06 21:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=hxxp://www-cache.freeserve.net:8080;ftp=http://www-cache.freeserve.net:8080
uInternet Settings,ProxyOverride = <local>;*.local
IE: Free YouTube to Mp3 Converter - c:\documents and settings\Mick\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
TCP: DhcpNameServer = 194.168.4.100 192.168.0.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - 
DPF: {FD18DD5E-B398-452A-B22A-B54636BA9F0D} - hxxp://www.blinkz.com/test/ImageUploader2.cab
FF - ProfilePath - c:\documents and settings\Mick\Application Data\Mozilla\Firefox\Profiles\bc4owdxj.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/|http://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b12cdeb&v=7.005.030.004&i=23&tp=ab&iy=&ychte=uk&lng=en-GB&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: vShare: [email protected] - %profile%\extensions\[email protected]
FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
FF - Ext: Firebug: [email protected] - %profile%\extensions\[email protected]
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG10\avgtray.exe
MSConfigStartUp-Malwarebytes' Anti-Malware - c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-08 18:42
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\.redbook]
"ImagePath"="\*"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1772)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\program files\Browser mouse\1.3\MOUDL32A.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Multimedia keyboard utility\1.3\KbdAp32A.exe
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2011-09-08 18:50:42 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-08 17:50
ComboFix2.txt 2011-09-06 18:58
.
Pre-Run: 17,128,452,096 bytes free
Post-Run: 17,134,317,568 bytes free
.
- - End Of File - - 865E991ABC61A67ECAA2DE54AB831B32


----------



## simmer14 (Sep 3, 2011)

Just tried to run MSE and it fails at the same stage with the same error code: 0x8004FF01


----------



## kevinf80 (Mar 21, 2006)

Not sure why, but the file we were after never copied across. OK, download Windows Installer from *Here* and install it. Reboot and try MSE again; if it fails to install, make sure the Windows Installer service is running and try again. If you are successful, update and do a quick scan.


----------



## simmer14 (Sep 3, 2011)

AAAAAGGGGGGHHHHHHHH!!!!!!!

Still no joy. Installed Windows Installer OK and rebooted. Tried to install MSE but got this error code: 0x80070656

Is this turning into an epic?

Also just checked Windows Installer and it's running.


----------



## kevinf80 (Mar 21, 2006)

Try Avast Free from here: http://www.avast.com/free-antivirus-download. If that installs, update and do a scan. Not quite an epic yet; I think I've been into the 90s with replies before.


----------



## simmer14 (Sep 3, 2011)

Do you want me to try this, Kevin? I like the idea of having all av, spyware etc rolled into one.


In Windows XP, click *Start*, click *Run*, type *cmd*, and then press *Enter*. 
-or-
In Windows Vista, click *Start*. In the *Start Search* box, type *command prompt*. Right-click *Command Prompt*, and then click *Run as administrator*.
-or-
In Windows 7, click *Start*. In the *Search programs and files* box, type *command prompt*. Right-click *Command Prompt*, and then click *Run as administrator*.
Type *MSIEXEC /REGSERVER*, and then press *Enter*.
Note: There is no indication that this command has succeeded or failed.

Install Microsoft Security Essentials again. If this does not resolve the issue, continue to the next step.


----------
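
The two installer errors quoted above (0x8004FF01 and 0x80070656) are HRESULTs, and decoding their fields says where to look before re-registering anything. The following is an added example, not from the thread, the Microsoft KB article or any Microsoft tool; it relies only on the documented HRESULT layout (severity bit, facility, 16-bit code) and a small, deliberately incomplete subset of Windows Installer error codes from winerror.h. The writability probe is an assumption about the usual cause of ERROR_INSTALL_LOG_FAILURE, not something the thread establishes.

```python
"""Decode the HRESULTs an installer returns and check the usual suspect for
ERROR_INSTALL_LOG_FAILURE (an unwritable %TEMP%).

Added example; not part of the thread, the KB article or any Microsoft tool.
"""
import os
import tempfile

FACILITY_NAMES = {
    4: "FACILITY_ITF",    # error defined by the component itself
    7: "FACILITY_WIN32",  # low 16 bits carry a Win32 error code
}

# Subset of Windows Installer codes from winerror.h (assumed sufficient for
# illustration; real triage would carry the full table).
WIN32_INSTALL_ERRORS = {
    1601: ("ERROR_INSTALL_SERVICE_FAILURE",
           "The Windows Installer service could not be accessed"),
    1603: ("ERROR_INSTALL_FAILURE", "Fatal error during installation"),
    1618: ("ERROR_INSTALL_ALREADY_RUNNING",
           "Another installation is already in progress"),
    1622: ("ERROR_INSTALL_LOG_FAILURE",
           "Error opening installation log file"),
}


def decode_hresult(hresult):
    """Split an HRESULT into severity, facility and code; name Win32 codes we know."""
    hresult &= 0xFFFFFFFF              # tolerate negative ints from ctypes
    facility = (hresult >> 16) & 0x7FF # bits 16-26
    code = hresult & 0xFFFF
    info = {
        "hresult": "0x%08X" % hresult,
        "failed": bool(hresult & 0x80000000),
        "facility": FACILITY_NAMES.get(facility, "facility %d" % facility),
        "code": code,
        "win32_name": None,
        "hint": None,
    }
    if facility == 7:
        name, text = WIN32_INSTALL_ERRORS.get(code, (None, None))
        info["win32_name"] = name
        info["hint"] = text
    elif facility == 4:
        # FACILITY_ITF: the code is private to the component that raised it,
        # so only that product's own error list can explain it.
        info["hint"] = "component-specific code; consult the product's error list"
    return info


def temp_dir_is_writable(path=None):
    """Probe the temp directory msiexec would log into; False if it is missing
    or cannot be written (the documented meaning of ERROR_INSTALL_LOG_FAILURE)."""
    path = path or tempfile.gettempdir()
    if not os.path.isdir(path):
        return False
    try:
        fd, probe = tempfile.mkstemp(prefix="msi_probe_", dir=path)
        os.close(fd)
        os.remove(probe)
        return True
    except OSError:
        return False


if __name__ == "__main__":
    for code in (0x8004FF01, 0x80070656):   # the two codes quoted in the thread
        print(decode_hresult(code))
    print("TEMP writable:", temp_dir_is_writable())
```

Run as-is, the script reports 0x80070656 as Win32 error 1622 (ERROR_INSTALL_LOG_FAILURE) and 0x8004FF01 as a FACILITY_ITF code that only the product's own documentation can explain, which is why the thread was sent to a Microsoft Security Essentials support page rather than a generic Windows error list.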



## kevinf80 (Mar 21, 2006)

As per KB324516, I guess it's worth a shot....


----------



## simmer14 (Sep 3, 2011)

Nah. Same error code: 0x80070656

This is what I was directed to by the error and had a go at.

http://www.microsoft.com/en-us/security_essentials/Support/cf5220bd-3da8-4694-ac42-f5396ef5ff0b.aspx

Would have preferred MSE as previously mentioned but you're the boss. If you think I should just go for Avast then I'm ok with that.

Maybe I need to install SP3?


----------



## kevinf80 (Mar 21, 2006)

MSE should install with SP2; there could be several reasons why it won't go for us. I'm just a bit concerned that you have no AV installed, hence my request for Avast. It is no good installing SP3 yet; I'd like the AV installed and to see it return a clean log....


----------



## simmer14 (Sep 3, 2011)

Ok Kevin. I've successfully installed Avast. I'm going to set it away to do a full scan overnight and I'll post the log tomorrow. Going to turn in now.

Cheers for all your help again matey.


----------



## kevinf80 (Mar 21, 2006)

Sounds good to me, I'm ready for the land of nod myself.... been a long day....


----------



## simmer14 (Sep 3, 2011)

Hi Kevin.

Full system scan completed with Avast. There were 10 viruses found in all and I moved all to the chest but for one which would not allow me. See attachment below.

I also set away a boot-time scan but when I came back after 2 and a half hours it was still on only 2%!!! So I cancelled in order to post tonight. I'll probably run another boot-time scan overnight.

One question: remember when I ran ESET and it picked up 70-odd infections. Obviously Avast has only found 10 unless there are a lot more revealed in the full boot-time scan. What are your thoughts on those identified by ESET?

I have also turned my firewall back on.


----------



## kevinf80 (Mar 21, 2006)

All of those entries except for one are already contained; it was the same with ESET, the majority were contained in the system restore cache. I cannot make out the exact address for the file that is marked as "access denied"; it ends in Desktop(2).ini

Can you let me see the full address for that entry in your reply. That is what we have to deal with to kill off this infection altogether...

Kevin


----------



## simmer14 (Sep 3, 2011)

C:\WINDOWS\assembly\GAC_MSIL\Desktop(2).ini

I can't really make out if the final character in "GAC_MSIL" is actually an "L" or an "I".

I even navigated to the 'assembly' folder but it doesn't contain any other folders.


----------



## kevinf80 (Mar 21, 2006)

I am quite sure it's an *L*

Do the following :-


Download *The Avenger* by Swandog46 from *here*.
Unzip/extract it to a folder on your Desktop
Double click on *avenger.exe* to run *The Avenger*.
Click *OK*.
Make sure that the box next to *Scan for rootkits* has a tick in it and that the box next to *Automatically disable any rootkits found* does not have a tick in it.
Copy *all* of the text in the below Codebox to the clipboard by highlighting it and then pressing *Ctrl+C*.


```
Files to delete:
C:\WINDOWS\assembly\GAC_MSIL\Desktop(2).ini
```

In the Avenger window, click the *Paste Script from Clipboard* button.
Click the *Execute* button.
You will be asked *Are you sure you want to execute the current script?*.
Click *Yes*.
You will now be asked *First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?*.
Click *Yes*.
Your PC will now be rebooted.
_*Note:* If the above script contains Drivers to delete: or Drivers to disable:, then *The Avenger* will require *TWO RE-BOOTS* to complete its operation._
_If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour._
After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\*avenger.txt* (typically C:\*avenger.txt*).
Please post this log in your next reply...

Next,

We need to see some additional information about what is happening in your machine.
Please perform the following scan:

Download *DDS* by sUBs from one of the following links. Save it to your desktop.
*DDS.com*
*DDS.scr*
*DDS.pif*

Double click on the *DDS* icon, allow it to run.
A small box will open, with an explanation about the tool.
When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
Save both reports to your desktop.
The instructions here ask you to attach the Attach.txt.
*Instead of attaching, please copy/paste both logs into your next reply.*
Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control *HERE*

Post the log from Avenger and DDS.txt in reply...


----------
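
The Avenger step above deletes a file that the live system refuses to touch by deferring the deletion to the next boot. The following is an added example, not The Avenger's own code and not from the thread: it parses a script in the same section format (the headers "Files to delete:", "Drivers to delete:" and "Drivers to disable:" are the ones the thread mentions; "Folders to delete:" is assumed), derives the one- or two-reboot requirement the instructions describe, and, on Windows, schedules the file deletions through the operating system's own delay-until-reboot mechanism (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT) instead of The Avenger's boot-time driver. Off Windows it only simulates the scheduling step.

```python
"""Parse an Avenger-style removal script and schedule its file deletions for
the next boot.

Added example; not The Avenger's code and not from the thread.  Section
headers beyond the three named in the thread are assumed.
"""
import sys
import ctypes

SECTIONS = (
    "Files to delete:",
    "Folders to delete:",      # assumed header, not mentioned in the thread
    "Drivers to delete:",
    "Drivers to disable:",
)

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4   # kernel32 MoveFileEx flag


def parse_avenger_script(text):
    """Return {section: [entries]} in script order.

    Blank lines are ignored; an unknown header or an entry that precedes any
    header is rejected rather than silently dropped, because a mistyped path
    in a boot-time deletion script is not something to discover after reboot.
    """
    plan = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            if line not in SECTIONS:
                raise ValueError("unknown section header: %r" % line)
            current = plan.setdefault(line, [])
            continue
        if current is None:
            raise ValueError("entry before any section header: %r" % line)
        current.append(line)
    return plan


def reboots_required(plan):
    """Driver sections need a second boot, as the thread's instructions state."""
    return 2 if any(s.startswith("Drivers to") for s in plan) else 1


def schedule_delete_on_reboot(paths, dry_run=None):
    """Ask Windows to delete each path during the next boot.

    A file a rootkit keeps locked or hidden cannot be removed from the live
    session.  MoveFileEx with a NULL destination and MOVEFILE_DELAY_UNTIL_REBOOT
    records the deletion under PendingFileRenameOperations, which the session
    manager applies early in boot before drivers and services start.  It needs
    an administrator token.  Returns the paths that were accepted.
    """
    if dry_run is None:
        dry_run = not sys.platform.startswith("win")
    if dry_run:
        return list(paths)
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.MoveFileExW.argtypes = (ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32)
    k32.MoveFileExW.restype = ctypes.c_int
    accepted = []
    for path in paths:
        if not k32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
            raise ctypes.WinError(ctypes.get_last_error())
        accepted.append(path)
    return accepted


def run_script(text, dry_run=None):
    """Parse, schedule the file deletions, and report how many boots are needed."""
    plan = parse_avenger_script(text)
    scheduled = schedule_delete_on_reboot(plan.get("Files to delete:", []), dry_run)
    return {"plan": plan, "scheduled": scheduled, "reboots": reboots_required(plan)}


# The script posted in the thread, reproduced as sample input.
THREAD_SCRIPT = r"""
Files to delete:
C:\WINDOWS\assembly\GAC_MSIL\Desktop(2).ini
"""

if __name__ == "__main__":
    print(run_script(THREAD_SCRIPT))
```

Only the "Files to delete:" section is acted on: the delay-until-reboot mechanism removes a directory only if it is empty, and deleting or disabling a kernel driver's service entry is what forces The Avenger's second reboot, so those sections are parsed and counted here but left to the tool. After scheduling, the pending operation is visible in the registry under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, value PendingFileRenameOperations, which is also where a defender should look for deletions an attacker has queued.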



## simmer14 (Sep 3, 2011)

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File "C:\WINDOWS\assembly\GAC_MSIL\Desktop(2).ini" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.


----------



## kevinf80 (Mar 21, 2006)

DDS.txt ?


----------



## simmer14 (Sep 3, 2011)

.
DDS (Ver_2011-08-26.01) - NTFSx86 
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by Mick at 20:44:20 on 2011-09-09
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2559.2131 [GMT 1:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Browser mouse\1.3\mouse32a.exe
C:\Program Files\Multimedia keyboard utility\1.3\KbdAp32A.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=hxxp://www-cache.freeserve.net:8080;ftp=http://www-cache.freeserve.net:8080
uInternet Settings,ProxyOverride = <local>;*.local
mURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [FLMK08KB] c:\program files\multimedia keyboard utility\1.3\MMKEYBD.EXE
mRun: [FLMMEDIONMOUSE] c:\program files\browser mouse\1.3\mouse32a.exe
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\mick\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\updater.lnk - c:\program files\common files\updater\wupdater.exe
IE: Free YouTube to Mp3 Converter - c:\documents and settings\mick\application data\dvdvideosoftiehelpers\youtubetomp3.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37670.7014583333
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} - hxxp://secure.sunterra.com/europe/downloads/svideo3.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {FD18DD5E-B398-452A-B22A-B54636BA9F0D} - hxxp://www.blinkz.com/test/ImageUploader2.cab
TCP: DhcpNameServer = 194.168.4.100 192.168.0.1
TCP: Interfaces\{ED7BE40C-DEA6-4734-A0C3-6FB6B96022F7} : DhcpNameServer = 194.168.4.100 192.168.0.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - 
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mick\application data\mozilla\firefox\profiles\bc4owdxj.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/|http://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b12cdeb&v=7.005.030.004&i=23&tp=ab&iy=&ychte=uk&lng=en-GB&q=
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1487.6512\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\katie's itunes\mozilla plugins\npitunes.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: vShare: [email protected] - %profile%\extensions\[email protected]
FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
FF - Ext: Firebug: [email protected] - %profile%\extensions\[email protected]
.
============= SERVICES / DRIVERS ===============
.
R0 ACTIVdrv;ACTIV Device Pen Driver;c:\windows\system32\drivers\ActivDrv.sys [2004-2-12 67424]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-9-8 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-9-8 320856]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-9-8 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-9-8 44768]
R2 ddnt;ddnt;c:\windows\system32\drivers\ddnt.sys [2005-1-20 7072]
S2 ActivDRVcontrol;ACTIVdriver Control;c:\program files\activ software\activdriver\activdrvservice.exe --> c:\program files\activ software\activdriver\ActivDRVservice.exe [?]
S2 Ca536av;Icatch(VII) Video Camera Device;c:\windows\system32\drivers\Ca536av.sys [2008-3-4 514859]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\googleupdate.exe /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 ActivDRV_USB;ActivDRV_USB.Sys USB ACTIVboard;c:\windows\system32\drivers\ActivDRV_USB.sys [2003-1-20 17232]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\toolbarbroker.exe --> c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [?]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-10-28 36608]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\googleupdate.exe /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]
.
=============== Created Last 30 ================
.
2011-09-08 22:42:39 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-08 22:41:47 41184 ----a-w- c:\windows\avastSS.scr
2011-09-08 22:40:55 -------- d-----w- c:\program files\AVAST Software
2011-09-08 22:40:55 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2011-09-06 23:07:13 -------- d-----w- C:\_OTM
2011-09-05 21:29:07 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-09-05 21:23:42 -------- d-sha-r- C:\cmdcons
2011-09-05 20:13:55 146432 ------w- c:\windows\regedit.exe
2011-09-05 17:27:58 -------- d-----w- C:\Gotcha
2011-09-04 23:08:52 98816 ----a-w- c:\windows\sed.exe
2011-09-04 23:08:52 518144 ----a-w- c:\windows\SWREG.exe
2011-09-04 23:08:52 256000 ----a-w- c:\windows\PEV.exe
2011-09-04 23:08:52 208896 ----a-w- c:\windows\MBR.exe
2011-08-25 23:25:14 -------- d-----w- C:\TDSSKiller_Quarantine
2011-08-25 17:35:17 -------- d-----w- c:\documents and settings\all users\application data\AVG Security Toolbar
2011-08-24 12:31:34 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-08-24 12:31:34 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-23 19:40:44 -------- d-----w- c:\documents and settings\mick\application data\Piop
.
==================== Find3M ====================
.
2011-09-04 19:00:37 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-09-04 00:02:24 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-26 02:07:23 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-08-25 23:31:43 138368 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-25 23:26:06 74752 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-25 23:16:03 64896 ----a-w- c:\windows\system32\drivers\serial.sys
.
============= FINISH: 20:46:23.92 ===============


----------



## simmer14 (Sep 3, 2011)

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 04/12/2002 23:32:09
System Uptime: 09/09/2011 20:36:03 (0 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | GA-8STXCFS
Processor: Intel(R) Pentium(R) 4 CPU 2.53GHz | Socket 478 | 2545/133mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 112 GiB total, 15.395 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
.
ABBYY FineReader 5.0 Sprint
ACTIVdriver
ACTIVdriver v2.6.1
ACTIVprimary
ACTIVprimary English (UK) v1.2 (Build 2)
ACTIVprimary Resources
ACTIVprimary Resources English (UK) v1.2.1
Adobe Acrobat 5.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe GoLive 5.0
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Photoshop Elements
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
Any Video Converter 3.2.1
Apple Software Update
Audacity 1.2.6
avast! Free Antivirus
Avery DesignPro
Belarc Advisor 8.1
BlueSoleil
Bonjour
Browser mouse 1.3
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 2.2
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Corel Snapfire
Critical Update for Windows Media Player 11 (KB959772)
Digimax Viewer 2.1
Doremi FLV to MP3 Converter 1.6
Express Rip
EZBack-it-up 2.0.1
ezeVue Installer
ezeVue Media Manager
ezeVue Media Player
FaxTools
FLV Player 2.0, build 23
Free Audio CD Burner version 1.4
Free YouTube to MP3 Converter version 3.8
Fun Learning Maths Skills
Google Earth
Google Update Helper
Google Updater
GraphicView 32
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HTC Driver Installer
InterActual Player
iTunes
Java 2 Runtime Environment, SE v1.4.1_01
Java Auto Updater
Java Web Start
Java(TM) 6 Update 23
Lexmark X5100 Series
Macromedia Extension Manager
Macromedia Flash MX
Macromedia Flash Player
Macromedia FreeHand 10
Maths Toolbox 3
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard - WE 2002
Microsoft Image Composer 1.5
Microsoft Office 2000 Premium
Microsoft Office 2000 SR-1 Disc 2
Microsoft Picture It! Photo 2002
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
MicroStaff WINASPI
Mozilla Firefox (3.6.15)
MSP3885-E 56K PCI Modem
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Multimedia keyboard utility 1.3
My Web Search (Outlook, Outlook Express, and IncrediMail)
Nero
Nero Suite
NoteWorthy Composer 2
NVIDIA Windows 2000/XP Display Drivers
PacMania 2
Pinnacle Hollywood FX for Studio
PowerDVD
QuickTime
RealPlayer
Recordpad
Registrar Registry Manager 6.02
Revo Uninstaller 1.80
SA21xx Device Manager
Search Assistant - My Web Search
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Shockwave
SmartSound Quicktracks Plugin
Sony USB Driver
SopCast 2.0.4
Spotify
Studio 9
Try Corel Snapfire muvee autoProducer add on
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB914882)
Update for Windows XP (KB925720)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Veetle TV 0.9.18
vShare Plugin
WAV MP3 Converter 3.8 build 968
WavePad Uninstall
WebFldrs XP
Windows Blaster Worm Removal Tool (KB833330)
Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
Windows Driver Package - Sunplus (Ca50xav) Image (01/27/2005 2.2.0.7)
Windows Driver Package - Sunplus (Ca536av) Image (08/05/2003 2.2.0.5)
Windows Driver Package - Sunplus (USBCamera) Image (05/13/2003 1.2.0.0)
Windows Driver Package - Sunplus (USBCamera) USB (05/14/2003 1.2.0.0)
Windows Driver Package - Sunplus (usbhub) USB (07/31/2002 2.0.0.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Movie Maker 2.0
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
WinZip
Works Suite OS Pack
Works Synchronization
YouTube Downloader 2.6.5
YouTube Downloader Toolbar v4.5
.
==== Event Viewer Messages From Past Week ========
.
08/09/2011 23:19:41, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
06/09/2011 18:38:29, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
06/09/2011 18:38:29, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
05/09/2011 22:34:17, error: Service Control Manager [7023] - The srv32C service terminated with the following error: The specified module could not be found.
05/09/2011 22:34:17, error: Service Control Manager [7000] - The Upload Manager service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
05/09/2011 22:34:17, error: Service Control Manager [7000] - The ProtexisLicensing service failed to start due to the following error: The system cannot find the file specified.
05/09/2011 22:34:17, error: Service Control Manager [7000] - The MBAMService service failed to start due to the following error: Access is denied.
05/09/2011 22:34:17, error: Service Control Manager [7000] - The LexBce Server service failed to start due to the following error: The system cannot find the file specified.
05/09/2011 22:34:17, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: The system cannot find the file specified.
05/09/2011 22:34:17, error: Service Control Manager [7000] - The InCD Helper service failed to start due to the following error: The system cannot find the file specified.
05/09/2011 22:34:17, error: Service Control Manager [7000] - The Icatch(VII) Video Camera Device service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
05/09/2011 22:34:17, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The system cannot find the file specified.
05/09/2011 22:34:17, error: Service Control Manager [7000] - The FsUsbExService service failed to start due to the following error: The system cannot find the file specified.
05/09/2011 22:34:17, error: Service Control Manager [7000] - The Canon Camera Access Library 8 service failed to start due to the following error: The system cannot find the file specified.
05/09/2011 22:34:17, error: Service Control Manager [7000] - The Bonjour Service service failed to start due to the following error: The system cannot find the file specified.
05/09/2011 22:34:17, error: Service Control Manager [7000] - The BlueSoleil Hid Service service failed to start due to the following error: The system cannot find the file specified.
05/09/2011 22:34:17, error: Service Control Manager [7000] - The ACTIVdriver Control service failed to start due to the following error: The system cannot find the file specified.
05/09/2011 21:57:27, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
05/09/2011 21:56:54, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: agp440
05/09/2011 00:03:10, error: Service Control Manager [7001] - The Print Spooler service depends on the LexBce Server service which failed to start because of the following error: The system cannot find the file specified.
05/09/2011 00:03:10, error: Service Control Manager [7001] - The Fax service depends on the Print Spooler service which failed to start because of the following error: The dependency service or group failed to start.
04/09/2011 21:10:57, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'netbt.sys' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
04/09/2011 21:00:59, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
04/09/2011 21:00:59, error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort0.
04/09/2011 20:51:59, error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
04/09/2011 20:01:38, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
03/09/2011 23:38:01, error: Service Control Manager [7023] - The Workstation service terminated with the following error: The system cannot find the file specified.
03/09/2011 23:38:01, error: Service Control Manager [7001] - The Computer Browser service depends on the Workstation service which failed to start because of the following error: The system cannot find the file specified.
03/09/2011 23:31:26, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
03/09/2011 23:23:11, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
03/09/2011 23:22:23, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BANTExt Fips intelppm IPSec MRxSmb NetBIOS NetBT PCLEPCI RasAcd Rdbss Tcpip
03/09/2011 23:22:23, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
03/09/2011 23:22:23, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
03/09/2011 23:22:23, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
03/09/2011 23:22:23, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
03/09/2011 23:22:23, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
03/09/2011 23:22:07, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
03/09/2011 21:53:02, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the HTTP SSL service to connect.
03/09/2011 21:53:02, error: Service Control Manager [7000] - The HTTP SSL service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
03/09/2011 20:51:05, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'mrxsmb.sys' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
03/09/2011 19:01:27, error: Service Control Manager [7000] - The Windows Installer service failed to start due to the following error: The system cannot find the file specified.
03/09/2011 19:01:27, error: DCOM [10005] - DCOM got error "%2" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
03/09/2011 19:00:12, error: Service Control Manager [7034] - The NVIDIA Driver Helper Service service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================


----------



## kevinf80 (Mar 21, 2006)

OK, nearly done. I want you to upload some files for analysis....

*Upload a File to Virustotal*
Please visit *Virustotal*

- Click the *Browse...* button
- Navigate to the file *c:\windows\system32\drivers\mrxsmb.sys*
- Click the *Open* button
- Click the *Send* button
- If you get a message saying File has already been analyzed: click Reanalyze file now
- Copy and paste the results back here please.
- Repeat the above steps for the following files:

*c:\windows\system32\drivers\mrxsmb.sys*
*c:\windows\system32\drivers\redbook.sys*
*c:\windows\system32\drivers\i8042prt.sys*
*c:\windows\system32\drivers\afd.sys*
*c:\windows\system32\drivers\ipsec.sys*
*c:\windows\system32\drivers\serial.sys*

Let me see the results in your next reply.

Kevin..


----------



## simmer14 (Sep 3, 2011)

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2011.09.09.01 | 2011.09.09 | - |
| AntiVir | 7.11.14.161 | 2011.09.09 | - |
| Antiy-AVL | 2.0.3.7 | 2011.09.09 | - |
| Avast | 4.8.1351.0 | 2011.09.09 | - |
| Avast5 | 5.0.677.0 | 2011.09.09 | - |
| AVG | 10.0.0.1190 | 2011.09.09 | - |
| BitDefender | 7.2 | 2011.09.09 | - |
| ByteHero | 1.0.0.1 | 2011.08.22 | - |
| CAT-QuickHeal | None | 2011.09.09 | - |
| ClamAV | 0.97.0.0 | 2011.09.09 | - |
| Commtouch | 5.3.2.6 | 2011.09.09 | - |
| Comodo | 10052 | 2011.09.09 | - |
| DrWeb | 5.0.2.03300 | 2011.09.09 | - |
| Emsisoft | 5.1.0.11 | 2011.09.09 | - |
| eSafe | 7.0.17.0 | 2011.09.07 | - |
| eTrust-Vet | 36.1.8548 | 2011.09.09 | - |
| F-Prot | 4.6.2.117 | 2011.09.09 | - |
| F-Secure | 9.0.16440.0 | 2011.09.09 | - |
| Fortinet | 4.3.370.0 | 2011.09.09 | - |
| GData | 22 | 2011.09.09 | - |
| Ikarus | T3.1.1.107.0 | 2011.09.09 | - |
| Jiangmin | 13.0.900 | 2011.09.09 | - |
| K7AntiVirus | 9.112.5114 | 2011.09.09 | - |
| Kaspersky | 9.0.0.837 | 2011.09.09 | - |
| McAfee | 5.400.0.1158 | 2011.09.09 | - |
| McAfee-GW-Edition | 2010.1D | 2011.09.09 | - |
| Microsoft | None | 2011.09.09 | - |
| NOD32 | 6450 | 2011.09.09 | - |
| Norman | 6.07.11 | 2011.09.09 | - |
| nProtect | 2011-09-09.01 | 2011.09.09 | - |
| Panda | 10.0.3.5 | 2011.09.09 | - |
| PCTools | 8.0.0.5 | 2011.09.09 | - |
| Prevx | 3.0 | 2011.09.09 | - |
| Rising | 23.74.03.03 | 2011.09.09 | - |
| Sophos | 4.69.0 | 2011.09.09 | - |
| SUPERAntiSpyware | 4.40.0.1006 | 2011.09.09 | - |
| Symantec | 20111.2.0.82 | 2011.09.09 | - |
| TheHacker | 6.7.0.1.291 | 2011.09.08 | - |
| TrendMicro | 9.500.0.1008 | 2011.09.09 | - |
| TrendMicro-HouseCall | 9.500.0.1008 | 2011.09.09 | - |
| VBA32 | 3.12.16.4 | 2011.09.09 | - |
| VIPRE | 10422 | 2011.09.09 | - |
| ViRobot | 2011.9.9.4665 | 2011.09.09 | - |
| VirusBuster | 14.0.205.2 | 2011.09.09 | - |

*Additional information*

*MD5:* fb6c89bb3ce282b08bdb1e3c179e1c39
*SHA1:* c91cf168e24c9ce6a313cc03d72a8a278946f47c
*SHA256:* 0558617db859228332f4b7e44875ab3cdba370e78c23bb5e80b159aaa7087b3e
*ssdeep:* 12288:MY36lnUHkJs0MO128JtpuY9ccSI8tAZH:MPEkt128JXj9cdI8W
*File size:* 454016 bytes
*First seen:* 2010-04-17 01:25:46
*Last seen:* 2011-09-09 19:53:19
*TrID:*
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
*sigcheck:*
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows NT SMB Minirdr
original name: MRXSMB.Sys
internal name: MRxSmb.sys
file version.: 5.1.2600.3675 (xpsp_sp2_gdr.100224-1404)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
*PEInfo:* PE structure information

[[ basic data ]]
entrypointaddress: 0x67A83
timedatestamp....: 0x4B851C1F (Wed Feb 24 12:31:27 2010)
machinetype......: 0x14c (I386)

[[ 11 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x400, 0x1BBDB, 0x1BC00, 6.70, e91e07448874a739047baabf794bad91
SECUR, 0x1C000, 0x295, 0x300, 5.26, f7ded17a6a65bb9b647c0d4cf1744888
.rdata, 0x1C300, 0x2AD8, 0x2B00, 4.76, b2ea8c2cdb6b96c3e31f720ae058cc1f
.data, 0x1EE00, 0x5200, 0x5200, 0.92, 54ef365b97bd0c3b89bf799b5ae1df5c
PAGE, 0x24000, 0x420B7, 0x42100, 6.67, dc05cdbc4670ec6d32fa5be1dc490e6c
PAGE4BRO, 0x66100, 0x13F4, 0x1400, 6.47, 74852ea396dbbce1ccb7c303bfc5f3ac
PAGE5NET, 0x67500, 0x428, 0x480, 6.28, 78ea77bbfadeea58578f15049d22175d
PAGE, 0x67980, 0x48, 0x80, 0.85, a99205c236429bdec2c015f203abf0a4
INIT, 0x67A00, 0x2A98, 0x2B00, 5.88, ae5b1bc4d1b60f2e5e40d7b7c6abb120
.rsrc, 0x6A500, 0x3F8, 0x400, 3.45, a5c4a35210f0d1f0126e36a34cda37b9
.reloc, 0x6A900, 0x441C, 0x4480, 6.79, 701cad2a8af3ef75f7593eeb0a40c8cf

[[ 5 import(s) ]]


----------



## simmer14 (Sep 3, 2011)

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2011.09.09.01 | 2011.09.09 | - |
| AntiVir | 7.11.14.161 | 2011.09.09 | - |
| Antiy-AVL | 2.0.3.7 | 2011.09.09 | - |
| Avast | 4.8.1351.0 | 2011.09.09 | - |
| Avast5 | 5.0.677.0 | 2011.09.09 | - |
| AVG | 10.0.0.1190 | 2011.09.09 | - |
| BitDefender | 7.2 | 2011.09.09 | - |
| ByteHero | 1.0.0.1 | 2011.09.03 | - |
| CAT-QuickHeal | 11.00 | 2011.09.09 | - |
| ClamAV | 0.97.0.0 | 2011.09.09 | - |
| Commtouch | 5.3.2.6 | 2011.09.09 | - |
| Comodo | 10052 | 2011.09.09 | - |
| DrWeb | 5.0.2.03300 | 2011.09.09 | - |
| Emsisoft | 5.1.0.11 | 2011.09.09 | - |
| eSafe | 7.0.17.0 | 2011.09.07 | - |
| eTrust-Vet | 36.1.8548 | 2011.09.09 | - |
| F-Prot | 4.6.2.117 | 2011.09.09 | - |
| F-Secure | 9.0.16440.0 | 2011.09.09 | - |
| Fortinet | 4.3.370.0 | 2011.09.09 | - |
| GData | 22 | 2011.09.09 | - |
| Ikarus | T3.1.1.107.0 | 2011.09.09 | - |
| Jiangmin | 13.0.900 | 2011.09.09 | - |
| K7AntiVirus | 9.112.5114 | 2011.09.09 | - |
| Kaspersky | 9.0.0.837 | 2011.09.09 | - |
| McAfee | 5.400.0.1158 | 2011.09.09 | - |
| McAfee-GW-Edition | 2010.1D | 2011.09.09 | - |
| Microsoft | 1.7604 | 2011.09.09 | - |
| NOD32 | 6450 | 2011.09.09 | - |
| Norman | 6.07.11 | 2011.09.09 | - |
| nProtect | 2011-09-09.01 | 2011.09.09 | - |
| Panda | 10.0.3.5 | 2011.09.09 | - |
| PCTools | 8.0.0.5 | 2011.09.09 | - |
| Prevx | 3.0 | 2011.09.09 | - |
| Rising | 23.74.03.03 | 2011.09.09 | - |
| Sophos | 4.69.0 | 2011.09.09 | - |
| SUPERAntiSpyware | 4.40.0.1006 | 2011.09.09 | - |
| Symantec | 20111.2.0.82 | 2011.09.09 | - |
| TheHacker | 6.7.0.1.293 | 2011.09.09 | - |
| TrendMicro | 9.500.0.1008 | 2011.09.09 | - |
| TrendMicro-HouseCall | 9.500.0.1008 | 2011.09.09 | - |
| VBA32 | 3.12.16.4 | 2011.09.09 | - |
| VIPRE | 10422 | 2011.09.09 | - |
| ViRobot | 2011.9.9.4665 | 2011.09.09 | - |
| VirusBuster | 14.0.205.2 | 2011.09.09 | - |

*Additional information*

*MD5:* b31b4588e4086d8d84adbf9845c2402b
*SHA1:* a466a835e645163135d78da365d05960fa2cbb19
*SHA256:* 0b45979623b0ac774a9426c428954e7fb604fae0db187c402af6052906f4099a
*ssdeep:* 768IDbEntQZ0AxwZuheJ6CuFAqaSeyLkmmK6L2j8N5o7pk75cfb5K:jntQZz2dqaStLkmAL2j8N5oy65K
*File size:* 57472 bytes
*First seen:* 2009-02-26 17:44:52
*Last seen:* 2011-09-09 19:56:55
*TrID:*
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
*sigcheck:*
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Redbook Audio Filter Driver
original name: redbook.sys
internal name: redbook.sys
file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
*PEInfo:* PE structure information

[[ basic data ]]
entrypointaddress: 0xB685
timedatestamp....: 0x41107B46 (Wed Aug 04 05:59:34 2004)
machinetype......: 0x14c (I386)

[[ 9 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x380, 0x19E4, 0x1A00, 5.78, 4dbae4ee3912c0566e86e23bfb6e1fff
.rdata, 0x1D80, 0x664, 0x680, 4.24, 64fddd354222a594177caebb9f6e8462
.data, 0x2400, 0x440, 0x480, 5.97, 48a29bdca80f985d1bbb75d8df78b9ee
PAGE, 0x2880, 0x8650, 0x8680, 5.76, 9902d08d25c794efe61f7966ab95a72c
PAGERW, 0xAF00, 0x660, 0x680, 5.60, f999ea07043fae6beb4609b136a07c12
PAGECONS, 0xB580, 0xD0, 0x100, 5.11, e75c1b73974435fc7693ab6c07530a96
INIT, 0xB680, 0x7E0, 0x800, 5.38, 6aedd1ddfefaeada7595ae8a23e35ab9
.rsrc, 0xBE80, 0x1510, 0x1580, 3.36, 73c7b7c89408aa6148ed27316bddc677
.reloc, 0xD400, 0xC0E, 0xC80, 6.52, bf0b290485b94b79c65caaf1f3c35804

[[ 4 import(s) ]]


----------



## simmer14 (Sep 3, 2011)

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2011.09.09.01 | 2011.09.09 | - |
| AntiVir | 7.11.14.161 | 2011.09.09 | - |
| Antiy-AVL | 2.0.3.7 | 2011.09.09 | - |
| Avast | 4.8.1351.0 | 2011.09.09 | - |
| Avast5 | 5.0.677.0 | 2011.09.09 | - |
| AVG | 10.0.0.1190 | 2011.09.09 | - |
| BitDefender | 7.2 | 2011.09.09 | - |
| ByteHero | 1.0.0.1 | 2011.09.04 | - |
| CAT-QuickHeal | 11.00 | 2011.09.09 | - |
| ClamAV | 0.97.0.0 | 2011.09.09 | - |
| Commtouch | 5.3.2.6 | 2011.09.09 | - |
| Comodo | 10052 | 2011.09.09 | - |
| DrWeb | 5.0.2.03300 | 2011.09.09 | - |
| Emsisoft | 5.1.0.11 | 2011.09.09 | - |
| eSafe | 7.0.17.0 | 2011.09.07 | - |
| eTrust-Vet | 36.1.8548 | 2011.09.09 | - |
| F-Prot | 4.6.2.117 | 2011.09.09 | - |
| F-Secure | 9.0.16440.0 | 2011.09.09 | - |
| Fortinet | 4.3.370.0 | 2011.09.09 | - |
| GData | 22 | 2011.09.09 | - |
| Ikarus | T3.1.1.107.0 | 2011.09.09 | - |
| Jiangmin | 13.0.900 | 2011.09.09 | - |
| K7AntiVirus | 9.112.5114 | 2011.09.09 | - |
| Kaspersky | 9.0.0.837 | 2011.09.09 | - |
| McAfee | 5.400.0.1158 | 2011.09.09 | - |
| McAfee-GW-Edition | 2010.1D | 2011.09.09 | - |
| Microsoft | 1.7604 | 2011.09.09 | - |
| NOD32 | 6450 | 2011.09.09 | - |
| Norman | 6.07.11 | 2011.09.09 | - |
| nProtect | 2011-09-09.01 | 2011.09.09 | - |
| Panda | 10.0.3.5 | 2011.09.09 | - |
| PCTools | 8.0.0.5 | 2011.09.09 | - |
| Prevx | 3.0 | 2011.09.09 | - |
| Rising | 23.74.03.03 | 2011.09.09 | - |
| Sophos | 4.69.0 | 2011.09.09 | - |
| SUPERAntiSpyware | 4.40.0.1006 | 2011.09.09 | - |
| Symantec | 20111.2.0.82 | 2011.09.09 | - |
| TheHacker | 6.7.0.1.293 | 2011.09.09 | - |
| TrendMicro | 9.500.0.1008 | 2011.09.09 | - |
| TrendMicro-HouseCall | 9.500.0.1008 | 2011.09.09 | - |
| VBA32 | 3.12.16.4 | 2011.09.09 | - |
| VIPRE | 10422 | 2011.09.09 | - |
| ViRobot | 2011.9.9.4665 | 2011.09.09 | - |
| VirusBuster | 14.0.205.2 | 2011.09.09 | - |

*Additional information*

*MD5:* 5502b58eef7486ee6f93f3f164dcb808
*SHA1:* 4021843cefb217b9bbb3147d549bf8970bfa9290
*SHA256:* 7e56e49d6444f2f48037b859b491df95e1c90ec7ed4ef9c477cd2c49783e62e0
*ssdeep:* 768:QNs7E8jO4Q4wWAS6qxnbjCyXVcRdKy2FLk/efiJ+59oTjJEo3G4:F48j3fA7qxpWR5ALk2fiZjSoW4
*File size:* 52736 bytes
*First seen:* 2009-04-01 19:04:53
*Last seen:* 2011-09-09 20:00:31
*TrID:*
Win64 Executable Generic (87.2%)
Win32 Executable Generic (8.6%)
Generic Win/DOS Executable (2.0%)
DOS Executable Generic (2.0%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
*sigcheck:*
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: i8042 Port Driver
original name: i8042prt.sys
internal name: i8042prt.sys
file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
*PEInfo:* PE structure information

[[ basic data ]]
entrypointaddress: 0x9385
timedatestamp....: 0x41107ECC (Wed Aug 04 06:14:36 2004)
machinetype......: 0x14c (I386)

[[ 8 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x380, 0x2F7D, 0x2F80, 6.29, d89b8a3d94f69b58b5a05eb52a49da5b
.rdata, 0x3300, 0x55C, 0x580, 4.13, f185f77f60f8e2008dea8ae193f7e513
.data, 0x3880, 0xD0, 0x100, 2.74, 0ec724d6f97ff023c63a177c0154eb48
PAGE, 0x3980, 0x4350, 0x4380, 6.45, b4219a3703852ac4a1ae65b33d90e215
PAGEMOUC, 0x7D00, 0x163F, 0x1680, 5.97, 5e2e15b1fa80fa8eb0b3afca781cf25e
INIT, 0x9380, 0xEEE, 0xF00, 6.03, 4cf27f9711cf864f96a9d4c1f6b2c21d
.rsrc, 0xA280, 0x2428, 0x2480, 3.43, dbd798b27f7a2eea17a93cc74c0fef4b
.reloc, 0xC700, 0x6A0, 0x700, 6.54, e546821824e1d7c91f1ff72fadd793ee

[[ 3 import(s) ]]


----------



## simmer14 (Sep 3, 2011)

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2011.09.09.01 | 2011.09.09 | - |
| AntiVir | 7.11.14.161 | 2011.09.09 | - |
| Antiy-AVL | 2.0.3.7 | 2011.09.09 | - |
| Avast | 4.8.1351.0 | 2011.09.09 | - |
| Avast5 | 5.0.677.0 | 2011.09.09 | - |
| AVG | 10.0.0.1190 | 2011.09.09 | - |
| BitDefender | 7.2 | 2011.09.09 | - |
| ByteHero | 1.0.0.1 | 2011.09.04 | - |
| CAT-QuickHeal | 11.00 | 2011.09.09 | - |
| ClamAV | 0.97.0.0 | 2011.09.09 | - |
| Commtouch | 5.3.2.6 | 2011.09.09 | - |
| Comodo | 10052 | 2011.09.09 | - |
| DrWeb | 5.0.2.03300 | 2011.09.09 | - |
| Emsisoft | 5.1.0.11 | 2011.09.09 | - |
| eSafe | 7.0.17.0 | 2011.09.07 | - |
| eTrust-Vet | 36.1.8548 | 2011.09.09 | - |
| F-Prot | 4.6.2.117 | 2011.09.09 | - |
| F-Secure | 9.0.16440.0 | 2011.09.09 | - |
| Fortinet | 4.3.370.0 | 2011.09.09 | - |
| GData | 22 | 2011.09.09 | - |
| Ikarus | T3.1.1.107.0 | 2011.09.09 | - |
| Jiangmin | 13.0.900 | 2011.09.09 | - |
| K7AntiVirus | 9.112.5114 | 2011.09.09 | - |
| Kaspersky | 9.0.0.837 | 2011.09.09 | - |
| McAfee | 5.400.0.1158 | 2011.09.09 | - |
| McAfee-GW-Edition | 2010.1D | 2011.09.09 | Heuristic.LooksLike.Trojan.Patched.I |
| Microsoft | 1.7604 | 2011.09.09 | - |
| NOD32 | 6450 | 2011.09.09 | - |
| Norman | 6.07.11 | 2011.09.09 | - |
| nProtect | 2011-09-09.01 | 2011.09.09 | - |
| Panda | 10.0.3.5 | 2011.09.09 | - |
| PCTools | 8.0.0.5 | 2011.09.09 | - |
| Prevx | 3.0 | 2011.09.09 | - |
| Rising | 23.74.03.03 | 2011.09.09 | - |
| Sophos | 4.69.0 | 2011.09.09 | - |
| SUPERAntiSpyware | 4.40.0.1006 | 2011.09.09 | - |
| Symantec | 20111.2.0.82 | 2011.09.09 | - |
| TheHacker | 6.7.0.1.293 | 2011.09.09 | - |
| TrendMicro | 9.500.0.1008 | 2011.09.09 | - |
| TrendMicro-HouseCall | 9.500.0.1008 | 2011.09.09 | - |
| VBA32 | 3.12.16.4 | 2011.09.09 | - |
| VIPRE | 10422 | 2011.09.09 | - |
| ViRobot | 2011.9.9.4665 | 2011.09.09 | - |
| VirusBuster | 14.0.205.2 | 2011.09.09 | - |

*Additional information*

*MD5:* 55e6e1c51b6d30e54335750955453702
*SHA1:* cb3260aef24ddf64547b839b5c87c08b77919404
*SHA256:* 49be694fb65f195a65ec631558ba599345c6641a6a5aa2f1053611b715f4677a
*ssdeep:* 3072:i4uBSNmsCLzLq1Yrs7M49f0FvlyHvpkXGSCk+RgNJJI:i/qYrs7MUfAyHBFSb+RwJ
*File size:* 138368 bytes
*First seen:* 2009-03-04 12:53:19
*Last seen:* 2011-09-09 20:04:02
*TrID:*
Win64 Executable Generic (87.2%)
Win32 Executable Generic (8.6%)
Generic Win/DOS Executable (2.0%)
DOS Executable Generic (2.0%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
*sigcheck:*
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Ancillary Function Driver for WinSock
original name: afd.sys
internal name: afd.sys
file version.: 5.1.2600.3427 (xpsp_sp2_gdr.080814-1233)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
*PEInfo:* PE structure information

[[ basic data ]]
entrypointaddress: 0x1DEC0
timedatestamp....: 0x48A4002E (Thu Aug 14 09:51:42 2008)
machinetype......: 0x14c (I386)

[[ 9 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x380, 0xFF4, 0x1000, 6.36, 2cee637bf81ec964e9e2e0519c8826ab
.rdata, 0x1380, 0xC2C, 0xC80, 4.48, 99f1c974a26e65d078513d277b77b130
.data, 0x2000, 0x800, 0x800, 2.91, 4638711bfb9c3e353918eda7c1c27cd1
PAGE, 0x2800, 0x89ED, 0x8A00, 6.53, 61c9120f46c66b76e9a2b5f6f86d85ea
PAGEAFD, 0xB200, 0x1063D, 0x10680, 6.58, b06c2d9db40ed5db754fd7a61b9dcf77
PAGESAN, 0x1B880, 0x221F, 0x2280, 6.37, 552e49cc5a91fb6874105880385d0bf1
INIT, 0x1DB00, 0x20CC, 0x2100, 6.16, a28df884de2c8da26fd4a242ab639e93
.rsrc, 0x1FC00, 0x408, 0x480, 3.16, 8583d44c9b52e2bd73764a6f343d0106
.reloc, 0x20080, 0x1BB4, 0x1C00, 6.77, c010be21c74831c668f5dc938615fc68

[[ 3 import(s) ]]
HAL.dll: KeAcquireQueuedSpinLock, KeAcquireInStackQueuedSpinLock, KfLowerIrql, KfRaiseIrql, KeGetCurrentIrql, KeReleaseQueuedSpinLock, KeReleaseInStackQueuedSpinLock
ntoskrnl.exe: IoFileObjectType, IoGetRelatedDeviceObject, IoBuildPartialMdl, KeQueryInterruptTime, MmMapLockedPages, IoAllocateMdl, InterlockedPopEntrySList, MmUnlockPages, MmProbeAndLockPages, ExRaiseAccessViolation, MmUserProbeAddress, ExRaiseDatatypeMisalignment, _except_handler3, MmIsThisAnNtAsSystem, MmQuerySystemSize, KeGetRecommendedSharedDataAlignment, KeInitializeSpinLock, DbgPrint, RtlCompareMemory, KeLeaveCriticalRegion, ExReleaseResourceLite, ExAcquireResourceSharedLite, KeEnterCriticalRegion, ExAcquireResourceExclusiveLite, ZwClose, ObOpenObjectByPointer, IoCreateFile, MmMapLockedPagesSpecifyCache, ExAllocatePoolWithQuotaTag, IoFreeIrp, PsReturnPoolQuota, ExAllocatePoolWithTagPriority, PsChargeProcessPoolQuota, RtlCopyUnicodeString, RtlCompareUnicodeString, MmResetDriverPaging, IoGetCurrentProcess, MmSizeOfMdl, MmBuildMdlForNonPagedPool, IoInitializeIrp, ExRaiseStatus, IoSetIoCompletion, PsGetProcessExitTime, SeUnlockSubjectContext, SeFreePrivileges, SeAppendPrivileges, SeAccessCheck, SeLockSubjectContext, RtlMapGenericMask, IoGetFileObjectGenericMapping, RtlEqualString, RtlInitString, PsGetCurrentThread, IoAllocateIrp, KeWaitForSingleObject, IoBuildDeviceIoControlRequest, KeInitializeEvent, KeSetEvent, ExEventObjectType, ProbeForWrite, KeResetEvent, IofCallDriver, ExInitializeResourceLite, ExDeleteResourceLite, ZwOpenKey, RtlInitUnicodeString, ZwCreateKey, ZwQueryValueKey, RtlAddAccessAllowedAce, RtlCreateAcl, RtlLengthSid, SeExports, ObReleaseObjectSecurity, SeSetSecurityDescriptorInfo, ExAllocatePoolWithTag, RtlLengthSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ObGetObjectSecurity, IoDeleteDevice, ExDeleteNPagedLookasideList, IoQueueWorkItem, ZwNotifyChangeKey, MmPageEntireDriver, IoFreeWorkItem, ExInitializeNPagedLookasideList, IoAllocateWorkItem, IoCreateDevice, DbgBreakPoint, KeReadStateEvent, KePulseEvent, MmAdvanceMdl, KeBugCheckEx, ExInterlockedFlushSList, KeSetTimerEx, KeInitializeDpc, KeInitializeTimer, 
MmLockPagableDataSection, KeSetTimer, MmUnlockPagableImageSection, KeRemoveQueueDpc, KeCancelTimer, _alldiv, RtlEqualUnicodeString, ExAllocatePoolWithQuota, MmUnmapLockedPages, IoCancelIrp, ExQueueWorkItem, FsRtlMdlReadComplete, KeDetachProcess, FsRtlMdlRead, KeAttachProcess, IoGetRequestorProcess, FsRtlCopyRead, ZwQueryInformationFile, _aullrem, PsGetCurrentProcessId, ObFindHandleForObject, NtClose, ObOpenObjectByName, IoThreadToProcess, KeTickCount, KeInitializeApc, KeInsertQueueApc, KeAcquireInStackQueuedSpinLockAtDpcLevel, KeReleaseInStackQueuedSpinLockFromDpcLevel, ObfReferenceObject, IoAcquireCancelSpinLock, IoReleaseCancelSpinLock, memmove, ExFreePoolWithTag, IofCompleteRequest, IoFreeMdl, ObfDereferenceObject, ObReferenceObjectByHandle, ExGetPreviousMode, InterlockedPushEntrySList
TDI.SYS: TdiReturnChainedReceives, TdiMatchPdoWithChainedReceiveContext, TdiDeregisterPnPHandlers, TdiRegisterPnPHandlers, TdiCopyMdlToBuffer, TdiCopyBufferToMdl



----------



## simmer14 (Sep 3, 2011)

| Antivirus | Version | Last update | Result |
|---|---|---|---|
| AhnLab-V3 | 2011.09.09.01 | 2011.09.09 | - |
| AntiVir | 7.11.14.161 | 2011.09.09 | - |
| Antiy-AVL | 2.0.3.7 | 2011.09.09 | - |
| Avast | 4.8.1351.0 | 2011.09.09 | - |
| Avast5 | 5.0.677.0 | 2011.09.09 | - |
| AVG | 10.0.0.1190 | 2011.09.09 | - |
| BitDefender | 7.2 | 2011.09.09 | - |
| ByteHero | 1.0.0.1 | 2011.08.22 | - |
| CAT-QuickHeal | None | 2011.09.09 | - |
| ClamAV | 0.97.0.0 | 2011.09.09 | - |
| Commtouch | 5.3.2.6 | 2011.09.09 | - |
| Comodo | 10052 | 2011.09.09 | - |
| DrWeb | 5.0.2.03300 | 2011.09.09 | - |
| Emsisoft | 5.1.0.11 | 2011.09.09 | - |
| eSafe | 7.0.17.0 | 2011.09.07 | - |
| eTrust-Vet | 36.1.8548 | 2011.09.09 | - |
| F-Prot | 4.6.2.117 | 2011.09.09 | - |
| F-Secure | 9.0.16440.0 | 2011.09.09 | - |
| Fortinet | 4.3.370.0 | 2011.09.09 | - |
| GData | 22 | 2011.09.09 | - |
| Ikarus | T3.1.1.107.0 | 2011.09.09 | - |
| Jiangmin | 13.0.900 | 2011.09.09 | - |
| K7AntiVirus | 9.112.5114 | 2011.09.09 | - |
| Kaspersky | 9.0.0.837 | 2011.09.09 | - |
| McAfee | 5.400.0.1158 | 2011.09.09 | - |
| McAfee-GW-Edition | 2010.1D | 2011.09.09 | - |
| Microsoft | None | 2011.09.09 | - |
| NOD32 | 6450 | 2011.09.09 | - |
| Norman | 6.07.11 | 2011.09.09 | - |
| nProtect | 2011-09-09.01 | 2011.09.09 | - |
| Panda | 10.0.3.5 | 2011.09.09 | - |
| PCTools | 8.0.0.5 | 2011.09.09 | - |
| Prevx | 3.0 | 2011.09.09 | - |
| Rising | 23.74.03.03 | 2011.09.09 | - |
| Sophos | 4.69.0 | 2011.09.09 | - |
| SUPERAntiSpyware | 4.40.0.1006 | 2011.09.09 | - |
| Symantec | 20111.2.0.82 | 2011.09.09 | - |
| TheHacker | 6.7.0.1.293 | 2011.09.09 | - |
| TrendMicro | 9.500.0.1008 | 2011.09.09 | - |
| TrendMicro-HouseCall | 9.500.0.1008 | 2011.09.09 | - |
| VBA32 | 3.12.16.4 | 2011.09.09 | - |
| VIPRE | 10422 | 2011.09.09 | - |
| ViRobot | 2011.9.9.4665 | 2011.09.09 | - |
| VirusBuster | 14.0.205.2 | 2011.09.09 | - |

*Additional information*

*MD5:* 64537aa5c003a6afeee1df819062d0d1
*SHA1:* 58772669b9ff69fa48ea77af5c4268cdb0ee1f67
*SHA256:* 5a6c11317def14b8c34a8c669eb75f7a8d46f05090c43d3dff602cfa13cc504e
*ssdeep:* 1536:VyJhQBUdcFrTxXfxR0mGy3dk9duRMsq6nm:U6lFfxRjGnsq6nm
*File size:* 74752 bytes
*First seen:* 2009-02-22 05:45:16
*Last seen:* 2011-09-09 20:06:36
*TrID:*
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
*sigcheck:*
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft® Windows® Operating System
description..: IPSec Driver
original name: ipsec.sys
internal name: ipsec.sys
file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
*PEInfo:* PE structure information

[[ basic data ]]
entrypointaddress: 0x10885
timedatestamp....: 0x41107EC3 (Wed Aug 04 06:14:27 2004)
machinetype......: 0x14c (I386)

[[ 7 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x300, 0xF39E, 0xF400, 6.56, a8129632e6596c2e3284f410e619883f
.rdata, 0xF700, 0x15C, 0x180, 3.33, a3b00e07e4508cbc415521a71272a1f2
.data, 0xF880, 0x9A4, 0xA00, 0.77, b1d679b023fcfa065ffa4e6574522bd3
PAGE, 0x10280, 0x5BD, 0x600, 5.98, d2b85d1c455845723892827bf1e09ccd
INIT, 0x10880, 0xB20, 0xB80, 6.02, 0e7946041f9a278227e64f0722f9d3e4
.rsrc, 0x11400, 0x3E0, 0x400, 3.34, 251d5aae0d07f2d208aca0c7df48e4a5
.reloc, 0x11800, 0xB84, 0xC00, 6.63, f2ecdfbea38d065b96d073bf86662630

[[ 3 import(s) ]]
ntoskrnl.exe: KeWaitForSingleObject, IofCallDriver, IoBuildDeviceIoControlRequest, KeInitializeEvent, IoGetDeviceObjectPointer, IofCompleteRequest, KeQuerySystemTime, RtlExtendedIntegerMultiply, ZwClose, MmIsThisAnNtAsSystem, ExInitializeNPagedLookasideList, IoDeleteDevice, IoDeleteSymbolicLink, KeDelayExecutionThread, IoAcquireCancelSpinLock, IoCreateSymbolicLink, IoCreateDevice, KefReleaseSpinLockFromDpcLevel, KefAcquireSpinLockAtDpcLevel, ObfDereferenceObject, RtlAnsiStringToUnicodeString, RtlIntegerToUnicodeString, IoReleaseCancelSpinLock, KeTickCount, KeBugCheckEx, wcslen, IoAllocateErrorLogEntry, IoWriteErrorLogEntry, MmBuildMdlForNonPagedPool, MmSizeOfMdl, ExDeleteNPagedLookasideList, KeInitializeSpinLock, ExAllocatePoolWithTag, ExFreePoolWithTag, ZwQueryValueKey, RtlInitUnicodeString, ZwOpenKey, InterlockedPushEntrySList, ExQueueWorkItem, _allshl, MmMapLockedPagesSpecifyCache, ExInitializeResourceLite, ExDeleteResourceLite, ZwDeviceIoControlFile, ZwLoadDriver, ZwCreateFile, RtlSplay, RtlDelete, KeCancelTimer, _alldiv, KeSetTimerEx, KeInitializeTimer, KeInitializeDpc, KeQueryTimeIncrement, memmove, ExInterlockedAddLargeStatistic, InterlockedPopEntrySList
HAL.dll: KfAcquireSpinLock, KfLowerIrql, KfReleaseSpinLock
NDIS.SYS: NdisInitializeTimer, NdisSetTimer, NdisCancelTimer, NdisWriteEventLogEntry



----------



## simmer14 (Sep 3, 2011)

| Antivirus | Version | Last update | Result |
|---|---|---|---|
| AhnLab-V3 | 2011.09.09.01 | 2011.09.09 | - |
| AntiVir | 7.11.14.161 | 2011.09.09 | - |
| Antiy-AVL | 2.0.3.7 | 2011.09.09 | - |
| Avast | 4.8.1351.0 | 2011.09.09 | - |
| Avast5 | 5.0.677.0 | 2011.09.09 | - |
| AVG | 10.0.0.1190 | 2011.09.09 | - |
| BitDefender | 7.2 | 2011.09.09 | - |
| ByteHero | None | 2011.09.09 | - |
| CAT-QuickHeal | 11.00 | 2011.09.09 | - |
| ClamAV | 0.97.0.0 | 2011.09.09 | - |
| Commtouch | 5.3.2.6 | 2011.09.09 | - |
| Comodo | 10052 | 2011.09.09 | - |
| DrWeb | 5.0.2.03300 | 2011.09.09 | - |
| Emsisoft | 5.1.0.11 | 2011.09.09 | - |
| eSafe | 7.0.17.0 | 2011.09.07 | - |
| eTrust-Vet | 36.1.8548 | 2011.09.09 | - |
| F-Prot | 4.6.2.117 | 2011.09.09 | - |
| F-Secure | 9.0.16440.0 | 2011.09.09 | - |
| Fortinet | 4.3.370.0 | 2011.09.09 | - |
| GData | 22 | 2011.09.09 | - |
| Ikarus | T3.1.1.107.0 | 2011.09.09 | - |
| Jiangmin | 13.0.900 | 2011.09.09 | - |
| K7AntiVirus | 9.112.5114 | 2011.09.09 | - |
| Kaspersky | 9.0.0.837 | 2011.09.09 | - |
| McAfee | 5.400.0.1158 | 2011.09.09 | - |
| McAfee-GW-Edition | 2010.1D | 2011.09.09 | - |
| Microsoft | 1.7604 | 2011.09.09 | - |
| NOD32 | 6450 | 2011.09.09 | - |
| Norman | 6.07.11 | 2011.09.09 | - |
| nProtect | 2011-09-09.01 | 2011.09.09 | - |
| Panda | 10.0.3.5 | 2011.09.09 | - |
| PCTools | 8.0.0.5 | 2011.09.09 | - |
| Prevx | 3.0 | 2011.09.09 | - |
| Rising | 23.74.03.03 | 2011.09.09 | - |
| Sophos | 4.69.0 | 2011.09.09 | - |
| SUPERAntiSpyware | 4.40.0.1006 | 2011.09.09 | - |
| Symantec | 20111.2.0.82 | 2011.09.09 | - |
| TheHacker | 6.7.0.1.293 | 2011.09.09 | - |
| TrendMicro | 9.500.0.1008 | 2011.09.09 | - |
| TrendMicro-HouseCall | 9.500.0.1008 | 2011.09.09 | - |
| VBA32 | 3.12.16.4 | 2011.09.09 | - |
| VIPRE | 10422 | 2011.09.09 | - |
| ViRobot | 2011.9.9.4665 | 2011.09.09 | - |
| VirusBuster | 14.0.205.2 | 2011.09.09 | - |

*Additional information*

*MD5:* cd9404d115a00d249f70a371b46d5a26
*SHA1:* 32273de2107668e25e500ba3d9c3f18d85c1855c
*SHA256:* d9fc869fa9a6b9574a1fce70e7b919d8f79e02b28967e49f6def83a84520ecdf
*ssdeep:* 768:1w/NAKGG7T5Z1xweFtX+6/iRK5cuZJkpBF1jzV9LleaUni4OH271Lsz7aQ4udr:1UNAKG0MeLo0GzTpeNi5aozGC
*File size:* 64896 bytes
*First seen:* 2009-02-26 17:40:32
*Last seen:* 2011-09-09 20:08:33
*TrID:*
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
*sigcheck:*
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft® Windows® Operating System
description..: Serial Device Driver
original name: serial.sys
internal name: serial.sys
file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
*PEInfo:* PE structure information

[[ basic data ]]
entrypointaddress: 0xB03B
timedatestamp....: 0x41107F17 (Wed Aug 04 06:15:51 2004)
machinetype......: 0x14c (I386)

[[ 8 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x380, 0x2F2F, 0x2F80, 6.08, bb9b1e2650cd7e21a6efadb83651b5fb
.rdata, 0x3300, 0x1E4, 0x200, 3.16, 4ad7a40a698749a12e43d923acb9b2b9
.data, 0x3500, 0x118, 0x180, 2.12, a1455e81ce15ade964d38e78b87e810c
PAGESRP0, 0x3680, 0x3D0C, 0x3D80, 6.25, 18669e87ddf36321efccfa2af4363d2c
PAGESER, 0x7400, 0x3928, 0x3980, 6.18, 6ff13fced4536e744b19008d292efd19
INIT, 0xAD80, 0x2420, 0x2480, 6.19, 980b8f3eb29a5db95d26aeb32a88e0c5
.rsrc, 0xD200, 0x2370, 0x2380, 3.35, 9c57b7bba27662b5bd60bf17046f4d8c
.reloc, 0xF580, 0x7DC, 0x800, 6.65, f19840af2c89420749291f54d910f898

[[ 3 import(s) ]]
ntoskrnl.exe: IoCancelIrp, KeInitializeDpc, KeInitializeTimer, ExAllocatePoolWithTag, DbgBreakPoint, KeInitializeSpinLock, memmove, PoSetPowerState, KeWaitForSingleObject, ExAllocatePoolWithQuotaTag, _except_handler3, KeInsertQueueDpc, KeDelayExecutionThread, MmLockPagableSectionByHandle, MmQuerySystemSize, KeQuerySystemTime, KeSetEvent, KeSetTimer, IofCallDriver, PoCallDriver, IoWriteErrorLogEntry, IoAllocateErrorLogEntry, KeCancelTimer, IoInvalidateDeviceState, IoQueryDeviceDescription, ZwClose, IoDetachDevice, RtlAppendUnicodeStringToString, RtlAppendUnicodeToString, RtlDeleteRegistryValue, IoDeleteSymbolicLink, IoSetDeviceInterfaceState, IoRegisterDeviceInterface, RtlWriteRegistryValue, IoCreateSymbolicLink, wcslen, RtlInitUnicodeString, KeInitializeEvent, IoCreateDevice, RtlIntegerToUnicodeString, IoAttachDeviceToDeviceStack, IoConnectInterrupt, RtlQueryRegistryValues, ZwQueryValueKey, ZwSetValueKey, ZwEnumerateKey, IoReportDetectedDevice, ZwOpenKey, PoRequestPowerIrp, PoStartNextPowerIrp, KeClearEvent, KeTickCount, KeBugCheckEx, IoDeleteDevice, IoGetConfigurationInformation, IoWMIRegistrationControl, IoDisconnectInterrupt, KeRemoveQueueDpc, MmUnmapIoSpace, MmMapIoSpace, MmLockPagableDataSection, ExFreePoolWithTag, MmUnlockPagableImageSection, _allmul, IoAcquireCancelSpinLock, KeSynchronizeExecution, IoReleaseCancelSpinLock, IoOpenDeviceRegistryKey, IofCompleteRequest
HAL.dll: WRITE_PORT_BUFFER_UCHAR, KfReleaseSpinLock, HalTranslateBusAddress, HalGetInterruptVector, ExAcquireFastMutex, ExReleaseFastMutex, WRITE_PORT_UCHAR, KdComPortInUse, READ_PORT_UCHAR, KfRaiseIrql, KfLowerIrql, KfAcquireSpinLock
WMILIB.SYS: WmiSystemControl, WmiCompleteRequest



----------



## kevinf80 (Mar 21, 2006)

Looking good. OK, let's do a bit of cleaning up.....

*Step 1*

Remove Combofix now that we're done with it

Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")

- Please follow the prompts to uninstall Combofix.
- You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

The above procedure will delete the following:

- ComboFix and its associated files and folders.
- VundoFix backups, if present
- The C:\_OtMoveIt folder, if present
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
- Reset System Restore.

*It is very important that you get a successful uninstall because of the extra functions done at the same time, let me know if this does not happen.*

*Step 2*

Download *OTC* by OldTimer and save it to your *desktop.* *Alternative mirror*
Double click the OTC icon to start the program.
If you are using Vista or Windows 7, please right-click and choose run as administrator
Then click the big button.
You will get a prompt saying "_Begining Cleanup Process_". Please select *Yes*.
Restart your computer when prompted.
This will remove tools we have used and itself. *Any tools/logs remaining on the Desktop can be deleted.*
Keep TFC. This is an excellent tool for removing temporary files etc from your system. *Always remember to re-boot after a run.*

*Step 3*

We need to remove ESET Online Scanner.

- Click Start, click Run, type *control appwiz.cpl* in the Open box, and then press ENTER.
- Click to select *ESET Online Scanner* from the application list, and then click Remove. Only re-boot if prompted

Whilst in Add/Remove Programs also uninstall the following :-

*Java 2 Runtime Environment, SE v1.4.1_01*
*My Web Search*

*Step 4*

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. 
For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. 
The most current version of Sun Java is: Java Runtime Environment Version 6 Update 27.


- Go to *Sun Java*
- Select *Windows 7/XP/Vista/2000/2003/2008*. If using a 64-bit OS select *Information about the 64-bit Java plug-in* and follow the prompts
- Install the new version by running the newly-downloaded file with the Java icon, which will be on your desktop, and follow the on-screen instructions.
- Reboot your computer

*Step 5*

Re-Run TFC, remember to re-boot when it finishes.

*Step 6*

Set Avast to do a Boot scan, let me know how this pans out. I'm assuming the log will be clean but it is well worth the effort.

Kevin...


----------



## simmer14 (Sep 3, 2011)

OK Kevin,

Just completed step 1 and got the message that combofix uninstalled successfully. However, during the uninstall Avast popped up a number of times recommending to open programs/files in sandbox to which I okayed. 

I was then asked to disable Avast before the uninstall completed.

Am I ok to go ahead to step 2 at this point?


----------



## kevinf80 (Mar 21, 2006)

Do not carry out any of the steps "Sandboxed". Yes, move on to step 2 and beyond...


----------



## simmer14 (Sep 3, 2011)

Not entirely sure what you mean by 'do not carry out any of the steps sandboxed'.

As far as I'm aware I've allowed them to be opened in sandbox. Was that ok?


----------



## kevinf80 (Mar 21, 2006)

If you run anything inside a Sandbox it means it has no effect on your computer, everything happens in the Sandbox. When you're finished you in effect throw out the sand from the box and your computer remains unchanged.

When you carry out the steps I've asked, Avast will pop up and give you options. Do not select "Sandboxed", just select normal. When you complete these steps we want them to actually happen; if you select sandboxed they don't...

Does that make sense, do you understand? I don't have Avast in front of me, so am doing it from memory......


----------



## simmer14 (Sep 3, 2011)

OK, sorry about this. I've never used Avast before. You are making sense. When uninstalling Combofix I'm sure with some files Avast popped up and the default was set to 'open in sandbox', to which I clicked 'ok'. So I think I've dropped a b*****k here. I'm trying to find out if they are stored in there somewhere - if I can find the sandbox!!!


----------



## kevinf80 (Mar 21, 2006)

Don't worry about step one, OTC in step 2 will remove all of the CF files/folders if they remain. Only one other step needs to be added at the end. I'll give you that when you've completed the Boot scan with Avast...


----------



## simmer14 (Sep 3, 2011)

Right Kevin.

I've gone through the 1st 5 steps. This is what happened following the initial balls up I made with step 1.
I ran OTC which completed but didn't seem to remove any other icons from the desktop.
Next I opened add/remove programs to remove ESET ....it wasn't listed there.

I removed old java and installed updated version - no problem
I ran TFC - no problem.

Avast of course was switching itself back on after each reboot.

Then I noticed that combofix icon was also still on the desktop.
I decided to go through each step again disabling avast before each step particularly because of what happened the first time with combofix. This time it ran through sweetly. As did each of the other steps.

The only other thing to report before I do a boot scan is that the AVG remover file on the desktop cannot be removed manually - access is denied.
Also, whenever I reboot now, when windows loads I'm getting a message that mmkeybd.exe file is missing. (keyboard is working fine though)

Anything I should know before I run the boot scan?

Cheers 

Mick


----------



## kevinf80 (Mar 21, 2006)

Do the following:


- Please download *Junction.zip* and save it to your desktop.
- Unzip it and put junction.exe in the *Windows* directory *(C:\Windows)* so you have *C:\Windows\Junction.exe*
- Now go to Start > Run to open a run box > Copy and paste the following command in the open run box and click OK:

*cmd /c junction -s c:\ >log.txt&log.txt& del log.txt*

- A command window will open and the system will be scanned.
- Wait until a log file opens.
- Copy and paste the log in your next reply

If you get any alerts from AVAST allow Junction to run normally, not sandboxed...

Kevin


----------



## simmer14 (Sep 3, 2011)

Morning Kevin.

Ran both a full system scan and a boot scan which both returned zero virus. Get in!!!!!!

Here's the junction log.

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

...
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\EppSetupResult.ini: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Install.log: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Install{2FC49D18-314A-4903-A513-863DE6BE1698}.log: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Install{6A759DEF-2CAD-4479-9A5B-7C27F1ABCB5A}.log: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Install{A58BDC30-1456-427F-BCEB-02595AB59185}.log: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Install{A9746318-731F-4B6E-89C1-CA558C1FCE3B}.log: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Install{B21DC5D6-5D57-4395-B083-8BCC4780F190}.log: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Install{EEF1495F-91F2-49BA-A7DA-DA9DDED978BA}.log: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Install{FB06D918-E8F6-4451-990A-1A6E215A1867}.log: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Uninstall.log: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Uninstall{19DCD60A-2D9F-47B4-91E4-085C3577148A}.log: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Uninstall{433AEAFC-8AC8-4503-8219-A3F4E91FC5F9}.log: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Uninstall{49C52F58-3D8E-4251-9D53-6976369C1FB7}.log: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Uninstall{5E386F11-F045-4138-9C0F-056C7FD75714}.log: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Uninstall{B98711ED-AE13-4F72-856A-99C0D4137EC5}.log: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Uninstall{F44468D9-611C-41E3-B283-BA4CB5D4B26F}.log: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Uninstall{FD5F97B9-0F19-4DEB-8C0C-8FBDBDC959BF}.log: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_epp_Install.log: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_epp_Install{33DC3808-B2E2-42A3-9307-D19975439AF4}.log: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_epp_Install{3886EAC1-50A9-42C9-A163-3780640E6608}.log: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_epp_Install{460107AB-49C1-4B3C-8FA3-957C2FC5066A}.log: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_epp_Install{48FC466D-F149-4D4A-92DF-6167FA316858}.log: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_epp_Install{9A678B65-F9C5-4291-BDBB-98113D867370}.log: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_epp_Install{D73D97FD-C5DB-4502-9DE4-7EFCCDFDE402}.log: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_epp_Install{ECF955EA-F975-495D-8221-321848553BFB}.log: Access is denied.

...

...

...

...

...

...

...

...

.
Failed to open \\?\c:\\Documents and Settings\Mick\Desktop\395524u0.exe: Access is denied.

Failed to open \\?\c:\\Documents and Settings\Mick\Desktop\avg_remover_stf_x86_2011_1322.exe: Access is denied.

.
Failed to open \\?\c:\\Documents and Settings\Mick\Desktop\School\Basic guidelines for bloggers.doc: Access is denied.

Failed to open \\?\c:\\Documents and Settings\Mick\Desktop\School\blulog.JPG: Access is denied.

Failed to open \\?\c:\\Documents and Settings\Mick\Desktop\School\Centenary Badge reception.jpg: Access is denied.

Failed to open \\?\c:\\Documents and Settings\Mick\Desktop\School\centenary2.jpg: Access is denied.

Failed to open \\?\c:\\Documents and Settings\Mick\Desktop\School\e-Safety website links for Children.doc: Access is denied.

Failed to open \\?\c:\\Documents and Settings\Mick\Desktop\School\esafety%20poster.jpg: Access is denied.

Failed to open \\?\c:\\Documents and Settings\Mick\Desktop\School\ezeVue Media Manager Download & Installation Guide v2.pdf: Access is denied.

Failed to open \\?\c:\\Documents and Settings\Mick\Desktop\School\ja_tag_rugby.doc: Access is denied.

Failed to open \\?\c:\\Documents and Settings\Mick\Desktop\School\rugby.doc: Access is denied.

Failed to open \\?\c:\\Documents and Settings\Mick\Desktop\School\School Website Basics.doc: Access is denied.

Failed to open \\?\c:\\Documents and Settings\Mick\Desktop\School\Sounds: Access is denied.

Failed to open \\?\c:\\Documents and Settings\Mick\Desktop\School\Ted copy.jpg: Access is denied.

Failed to open \\?\c:\\Documents and Settings\Mick\Desktop\School\TES Resources: Access is denied.

.

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

Failed to open \\?\c:\\Program Files\NCH Swift Sound\ExpressRip\rip.exe: Access is denied.

...

...

...

..
Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy\SpybotSD.exe: Access is denied.

.

...

...

...

...

...

..\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
.

...

...

...

...

...

...

...

...

...

...

...
Failed to open \\?\c:\\WINDOWS\system32\MRT.exe: Access is denied.

...

...

.
Failed to open \\?\c:\\WINDOWS\system32\wbem\Logs\FrameWork.log: Access is denied.

.
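Added here as a worked example (not part of the thread, and not Sysinternals' own code): a small Python parser for the `junction -s` log format posted above. It separates the "Access is denied" paths from files merely in use, collects each JUNCTION with its target, and builds the de-duplicated path list that the helper otherwise assembles by hand for GrantPerms. The sample log is a constructed excerpt in the same shape as the real one.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of a `junction -s c:\` log in the shape of the one posted
# above (progress dots, "Failed to open" lines, JUNCTION entries); not the real log.
SAMPLE_LOG = r"""Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.

...
Failed to open \\?\c:\\Documents and Settings\Mick\Desktop\395524u0.exe: Access is denied.

Failed to open \\?\c:\\Documents and Settings\Mick\Desktop\School\Sounds: Access is denied.

..\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
.
"""

# Junction prints progress dots on the same line as the next record, so allow a
# run of leading dots before every pattern.
FAILED_RE = re.compile(r"^\.*Failed to open (?P<rest>.+)$")
JUNCTION_RE = re.compile(r"^\.*(?P<path>\\\\\?\\.+): JUNCTION$")
NAME_RE = re.compile(r"^(Print Name|Substitute Name)\s*:\s*(?P<target>.+)$")


def normalise(path):
    r"""Turn junction's '\\?\c:\\dir\file' spelling into plain 'c:\dir\file'."""
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return path.replace("\\\\", "\\").rstrip()


@dataclass
class JunctionReport:
    access_denied: list = field(default_factory=list)  # could not be opened: ACL problem
    in_use: list = field(default_factory=list)         # locked by another process (normal for pagefile etc.)
    junctions: list = field(default_factory=list)      # (reparse point, target) pairs


def parse_junction_log(text):
    """Parse the output of `junction -s <drive>` into a JunctionReport."""
    report = JunctionReport()
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = FAILED_RE.match(line)
        if m:
            # The reason follows the last ': ' (the drive colon is never followed by a space).
            path, _, reason = m.group("rest").rpartition(": ")
            path = normalise(path)
            if reason.startswith("Access is denied"):
                report.access_denied.append(path)
            else:
                report.in_use.append(path)
            continue
        m = JUNCTION_RE.match(line)
        if m:
            current = normalise(m.group("path"))
            continue
        m = NAME_RE.match(line)
        if m and current is not None:
            # Print Name and Substitute Name are normally identical; keep one pair.
            pair = (current, m.group("target").rstrip())
            if pair not in report.junctions:
                report.junctions.append(pair)
    return report


def grantperms_input(report):
    """Build the de-duplicated, case-insensitive path list to paste into GrantPerms."""
    ordered = list(report.in_use) + list(report.access_denied)
    for src, target in report.junctions:
        ordered.extend([src, target])
    seen, out = set(), []
    for p in ordered:
        if p.lower() not in seen:
            seen.add(p.lower())
            out.append(p)
    return out


if __name__ == "__main__":
    rep = parse_junction_log(SAMPLE_LOG)
    print("access denied:", rep.access_denied)
    print("in use:", rep.in_use)
    print("junctions:", rep.junctions)
    print("\n".join(grantperms_input(rep)))
```

To use it on a real scan, read log.txt from the junction step into `parse_junction_log` instead of `SAMPLE_LOG`.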


----------



## kevinf80 (Mar 21, 2006)

Run the following:


- Please download *GrantPerms.zip* and save it to your desktop.
- Unzip the file and run GrantPerms.exe
- Copy and paste the following in the edit box:


```
c:\hiberfil.sys
c:\pagefile.sys
c:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\EppSetupResult.ini
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Install.log
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Install{2FC49D18-314A-4903-A513-863DE6BE1698}.log
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Install{6A759DEF-2CAD-4479-9A5B-7C27F1ABCB5A}.log
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Install{A58BDC30-1456-427F-BCEB-02595AB59185}.log
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Install{A9746318-731F-4B6E-89C1-CA558C1FCE3B}.log
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Install{B21DC5D6-5D57-4395-B083-8BCC4780F190}.log
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Install{EEF1495F-91F2-49BA-A7DA-DA9DDED978BA}.log
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Install{FB06D918-E8F6-4451-990A-1A6E215A1867}.log
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Uninstall.log
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Uninstall{19DCD60A-2D9F-47B4-91E4-085C3577148A}.log
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Uninstall{433AEAFC-8AC8-4503-8219-A3F4E91FC5F9}.log
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Uninstall{49C52F58-3D8E-4251-9D53-6976369C1FB7}.log
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Uninstall{5E386F11-F045-4138-9C0F-056C7FD75714}.log
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Uninstall{B98711ED-AE13-4F72-856A-99C0D4137EC5}.log
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Uninstall{F44468D9-611C-41E3-B283-BA4CB5D4B26F}.log
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Uninstall{FD5F97B9-0F19-4DEB-8C0C-8FBDBDC959BF}.log 
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_epp_Install.log
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_epp_Install{33DC3808-B2E2-42A3-9307-D19975439AF4}.log
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_epp_Install{3886EAC1-50A9-42C9-A163-3780640E6608}.log
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_epp_Install{460107AB-49C1-4B3C-8FA3-957C2FC5066A}.log
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_epp_Install{48FC466D-F149-4D4A-92DF-6167FA316858}.log
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_epp_Install{9A678B65-F9C5-4291-BDBB-98113D867370}.log
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_epp_Install{D73D97FD-C5DB-4502-9DE4-7EFCCDFDE402}.log
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_epp_Install{ECF955EA-F975-495D-8221-321848553BFB}.log
c:\Documents and Settings\Mick\Desktop\395524u0.exe
c:\Documents and Settings\Mick\Desktop\avg_remover_stf_x86_2011_1322.exe.
c:\Documents and Settings\Mick\Desktop\School\Basic guidelines for bloggers.doc
c:\Documents and Settings\Mick\Desktop\School\blulog.JPG
c:\Documents and Settings\Mick\Desktop\School\Centenary Badge reception.jpg
c:\Documents and Settings\Mick\Desktop\School\centenary2.jpg
c:\Documents and Settings\Mick\Desktop\School\e-Safety website links for Children.doc
c:\Documents and Settings\Mick\Desktop\School\esafety%20poster.jpg
c:\Documents and Settings\Mick\Desktop\School\ezeVue Media Manager Download & Installation Guide v2.pdf
c:\Documents and Settings\Mick\Desktop\School\ja_tag_rugby.doc
c:\Documents and Settings\Mick\Desktop\School\rugby.doc
c:\Documents and Settings\Mick\Desktop\School\School Website Basics.doc
c:\Documents and Settings\Mick\Desktop\School\Sounds
c:\Documents and Settings\Mick\Desktop\School\Ted copy.jpg
c:\Documents and Settings\Mick\Desktop\School\TES Resources 
c:\Program Files\NCH Swift Sound\ExpressRip\rip.exe
c:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
c:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f 7f11d50a3a
C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
c:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a
C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
c:\WINDOWS\system32\MRT.exe
c:\WINDOWS\system32\wbem\Logs\FrameWork.log
```

Now Click Unlock.
When it is done click "OK".
Now click List Permissions and post the result (Perms.txt) that pops up.
A copy of Perms.txt will be saved in the same directory the tool is run.

Run another quick scan with Avast....

Kevin


----------



## simmer14 (Sep 3, 2011)

GrantPerms by Farbar 
Ran by Mick at 2011-09-10 13:44:13
===============================================
ERROR: Parsing the SD of <\\?\c:\hiberfil.sys> failed with: The process cannot access the file because it is being used by another process.

Operating system error message: The process cannot access the file because it is being used by another process.
ERROR: Parsing the SD of <\\?\c:\pagefile.sys> failed with: The process cannot access the file because it is being used by another process.

Operating system error message: The process cannot access the file because it is being used by another process.
\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\EppSetupResult.ini
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\LOCAL SERVICE FULL ALLOW (I)

\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Install.log
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\LOCAL SERVICE FULL ALLOW (I)

\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Install{2FC49D18-314A-4903-A513-863DE6BE1698}.log
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\LOCAL SERVICE FULL ALLOW (I)

\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Install{6A759DEF-2CAD-4479-9A5B-7C27F1ABCB5A}.log
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\LOCAL SERVICE FULL ALLOW (I)

\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Install{A58BDC30-1456-427F-BCEB-02595AB59185}.log
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\LOCAL SERVICE FULL ALLOW (I)

\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Install{A9746318-731F-4B6E-89C1-CA558C1FCE3B}.log
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\LOCAL SERVICE FULL ALLOW (I)

\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Install{B21DC5D6-5D57-4395-B083-8BCC4780F190}.log
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\LOCAL SERVICE FULL ALLOW (I)

\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Install{EEF1495F-91F2-49BA-A7DA-DA9DDED978BA}.log
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\LOCAL SERVICE FULL ALLOW (I)

\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Install{FB06D918-E8F6-4451-990A-1A6E215A1867}.log
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\LOCAL SERVICE FULL ALLOW (I)

\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Uninstall.log
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\LOCAL SERVICE FULL ALLOW (I)

\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Uninstall{19DCD60A-2D9F-47B4-91E4-085C3577148A}.log
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\LOCAL SERVICE FULL ALLOW (I)

\\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Uninstall{433AEAFC-8AC8-4503-8219-A3F4E91FC5F9}.log
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\LOCAL SERVICE FULL ALLOW (I)

\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Uninstall{49C52F58-3D8E-4251-9D53-6976369C1FB7}.log
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\LOCAL SERVICE FULL ALLOW (I)

\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Uninstall{5E386F11-F045-4138-9C0F-056C7FD75714}.log
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\LOCAL SERVICE FULL ALLOW (I)

\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Uninstall{B98711ED-AE13-4F72-856A-99C0D4137EC5}.log
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\LOCAL SERVICE FULL ALLOW (I)

\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Uninstall{F44468D9-611C-41E3-B283-BA4CB5D4B26F}.log
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\LOCAL SERVICE FULL ALLOW (I)

ERROR: Parsing the SD of <\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_dw20shared_Uninstall{FD5F97B9-0F19-4DEB-8C0C-8FBDBDC959BF}.log > failed with: The system cannot find the file specified.

Operating system error message: The system cannot find the file specified.
\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_epp_Install.log
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\LOCAL SERVICE FULL ALLOW (I)

\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_epp_Install{33DC3808-B2E2-42A3-9307-D19975439AF4}.log
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\LOCAL SERVICE FULL ALLOW (I)

\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_epp_Install{3886EAC1-50A9-42C9-A163-3780640E6608}.log
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\LOCAL SERVICE FULL ALLOW (I)

\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_epp_Install{460107AB-49C1-4B3C-8FA3-957C2FC5066A}.log
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\LOCAL SERVICE FULL ALLOW (I)

\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_epp_Install{48FC466D-F149-4D4A-92DF-6167FA316858}.log
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\LOCAL SERVICE FULL ALLOW (I)

\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_epp_Install{9A678B65-F9C5-4291-BDBB-98113D867370}.log
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\LOCAL SERVICE FULL ALLOW (I)

\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_epp_Install{D73D97FD-C5DB-4502-9DE4-7EFCCDFDE402}.log
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\LOCAL SERVICE FULL ALLOW (I)

\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_epp_Install{ECF955EA-F975-495D-8221-321848553BFB}.log
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\LOCAL SERVICE FULL ALLOW (I)

\\?\c:\Documents and Settings\Mick\Desktop\395524u0.exe
Owner: BUILTIN\Administrators
DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

ERROR: Parsing the SD of <\\?\c:\Documents and Settings\Mick\Desktop\avg_remover_stf_x86_2011_1322.exe.> failed with: The system cannot find the file specified.

Operating system error message: The system cannot find the file specified.
\\?\c:\Documents and Settings\Mick\Desktop\School\Basic guidelines for bloggers.doc
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Documents and Settings\Mick\Desktop\School\blulog.JPG
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Documents and Settings\Mick\Desktop\School\Centenary Badge reception.jpg
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Documents and Settings\Mick\Desktop\School\centenary2.jpg
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Documents and Settings\Mick\Desktop\School\e-Safety website links for Children.doc
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Documents and Settings\Mick\Desktop\School\esafety%20poster.jpg
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Documents and Settings\Mick\Desktop\School\ezeVue Media Manager Download & Installation Guide v2.pdf
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Documents and Settings\Mick\Desktop\School\ja_tag_rugby.doc
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Documents and Settings\Mick\Desktop\School\rugby.doc
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Documents and Settings\Mick\Desktop\School\School Website Basics.doc
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Documents and Settings\Mick\Desktop\School\Sounds
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)

\\?\c:\Documents and Settings\Mick\Desktop\School\Ted copy.jpg
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

ERROR: Parsing the SD of <\\?\c:\Documents and Settings\Mick\Desktop\School\TES Resources > failed with: The system cannot find the file specified.

Operating system error message: The system cannot find the file specified.
\\?\c:\Program Files\NCH Swift Sound\ExpressRip\rip.exe
Owner: BUILTIN\Administrators
DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
Owner: BUILTIN\Administrators
DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

ERROR: Parsing the SD of <\\?\c:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f 7f11d50a3a> failed with: The system cannot find the file specified.

Operating system error message: The system cannot find the file specified.
ERROR: Parsing the SD of <C:WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790> failed with: The system cannot find the path specified.

Operating system error message: The system cannot find the path specified.
ERROR: Parsing the SD of <C:WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790> failed with: The system cannot find the path specified.

Operating system error message: The system cannot find the path specified.
\\?\c:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)

\\?\C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)

\\?\C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)

\\?\c:\WINDOWS\system32\MRT.exe
Owner: BUILTIN\Administrators
DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\WINDOWS\system32\wbem\Logs\FrameWork.log
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

Got to pop and play rugby mate (hopefully perform a little better than England!!). Will run through that tonight/tomorrow.

Cheers. Have a good day


----------



## kevinf80 (Mar 21, 2006)

Just need the quick scan result and an update on how your system is responding, any specific issues?


----------



## simmer14 (Sep 3, 2011)

Scan results are fine. No problems reported. Still got a lot of downloaded icons/logs/programs on my desktop though. AVG remover will not delete. Message says

Cannot delete avg_remover_stf_x86_2011_1322:Access is denied.
Make sure the disk is not full or write-protected and that the file is not currently in use.


----------



## kevinf80 (Mar 21, 2006)

Run GrantPerms.exe again, Copy and paste the following in the edit box:


```
c:\Documents and Settings\Mick\Desktop\avg_remover_stf_x86_2011_1322.exe
```

Now Click Unlock.
When it is done click "OK".
Now click List Permissions and post the result (Perms.txt) that pops up.
A copy of Perms.txt will be saved in the same directory the tool is run.

If the log shows the permissions are restored re-boot and see if the file will delete... What is left on your Desktop?

Kevin
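As an added example (not part of Kevin's posts or of the GrantPerms tool), here is the same list-then-unlock procedure he gives twice above, done by hand in PowerShell. For each path it prints the owner and every ACE in the same shape as Perms.txt, flags anything that would stop the file from being run (a DENY entry, or no Allow for Administrators, SYSTEM or Users Read/Execute), and, with -Repair, rewrites the DACL to the three entries the restored Perms.txt logs in this thread show. The path list, function names and the -Repair switch are mine; it assumes an elevated PowerShell session run by a member of BUILTIN\Administrators.

```powershell
# Added example: audit and repair file ACLs that malware has locked down.
# Not from the original thread or from GrantPerms; paths and function names are assumptions.
# Run from an elevated PowerShell prompt as a member of BUILTIN\Administrators.

$Paths = @(
    'C:\Documents and Settings\Mick\Desktop\avg_remover_stf_x86_2011_1322.exe'  # path from the thread; substitute your own
)

# The "restored" DACL that the Perms.txt logs above show after Unlock.
$StandardAces = @(
    @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Identity = 'BUILTIN\Users';          Rights = 'ReadAndExecute' }
)

function Test-LockedAcl {
    # Returns one string per problem; an empty result means the ACL matches the restored state.
    param([Parameter(Mandatory=$true)][System.Security.AccessControl.FileSecurity]$Acl)
    $problems = @()
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -eq 'Deny') {
            $problems += "DENY for $($ace.IdentityReference): $($ace.FileSystemRights)"
        }
    }
    foreach ($want in $StandardAces) {
        $wantRights = [int][Enum]::Parse([System.Security.AccessControl.FileSystemRights], $want.Rights)
        $match = $Acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $want.Identity -and
            (([int]$_.FileSystemRights -band $wantRights) -eq $wantRights)
        }
        if (-not $match) { $problems += "no Allow $($want.Rights) for $($want.Identity)" }
    }
    $problems
}

function Repair-LockedAcl {
    # Take ownership, stop inheriting, drop every explicit ACE (including any Deny), then write the standard three.
    param([Parameter(Mandatory=$true)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # An elevated admin token may set the owner to a group it belongs to; no SeRestorePrivilege needed for that.
    $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    # Protect the DACL and discard inherited ACEs from the in-memory copy.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRuleAll($ace)
    }
    foreach ($want in $StandardAces) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($want.Identity, $want.Rights, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Invoke-AclAudit {
    param([string[]]$Path = $Paths, [switch]$Repair)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Output "MISSING  $p"; continue }
        try { $acl = Get-Acl -LiteralPath $p }
        catch {
            # READ_CONTROL denied and owner changed: take ownership first, then re-run.
            Write-Output "NOACCESS $p : $($_.Exception.Message)"; continue
        }
        Write-Output $p
        Write-Output "  Owner: $($acl.Owner)"
        foreach ($ace in $acl.Access) {
            $inh = if ($ace.IsInherited) { '(I)' } else { '(NI)' }
            Write-Output ("  {0,-30} {1,-20} {2} {3}" -f $ace.IdentityReference, $ace.FileSystemRights,
                          $ace.AccessControlType.ToString().ToUpper(), $inh)
        }
        $problems = @(Test-LockedAcl -Acl $acl)
        if ($problems.Count -eq 0) { Write-Output "  OK: permissions match the restored state"; continue }
        $problems | ForEach-Object { Write-Output "  LOCKED: $_" }
        if ($Repair) {
            Repair-LockedAcl -Path $p
            Write-Output "  repaired; run the audit again without -Repair to confirm"
        }
    }
}

Invoke-AclAudit
```

Run it once without -Repair to see the ACL as it stands, then `Invoke-AclAudit -Repair` and a second plain run to confirm, which mirrors Kevin's List Permissions, Unlock, List Permissions sequence. If Get-Acl itself fails with access denied, the owner has been changed and READ_CONTROL withheld; you need to take ownership of the file before the DACL can be read or rewritten.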


----------



## simmer14 (Sep 3, 2011)

GrantPerms by Farbar 
Ran by Mick at 2011-09-10 20:23:34
===============================================
\\?\c:\Documents and Settings\Mick\Desktop\avg_remover_stf_x86_2011_1322.exe
Owner: BUILTIN\Administrators
DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


----------



## kevinf80 (Mar 21, 2006)

Can you delete the file now? what is left on your Desktop?


----------



## simmer14 (Sep 3, 2011)

GMER, AVG remover & log, TDSSkiller, Junction zip, grant perms, windows xp-kb914882-x86-enu, windows xp-kb942288-v3-x86, rkill, stopzilla, dummy creator, mse install, hijackthis setup

I imagine some are just files I can simply delete but do I need to delete any via procedures?


----------



## simmer14 (Sep 3, 2011)

That's it, kevin, it's gone. Strangely the message regarding the mmkeybd.exe missing file reappeared after reboot - it didn't last time.


----------



## kevinf80 (Mar 21, 2006)

Delete them all, let me know if you have problems


----------



## simmer14 (Sep 3, 2011)

Yep, they've all deleted fine, mate.


----------



## kevinf80 (Mar 21, 2006)

Excellent, just need to get SP3 installed. Go *Here*, download the full installer for SP3, and save it to your Desktop.

Do you still have TFC? If not, here are the instructions again. Run TFC:

Download TFC to your desktop, from either of the following links:
*Link 1*
*Link 2*

Save any open work. TFC will close all open application windows.
Double-click TFC.exe to run the program. Vista or Windows 7 users right click and select Run as Administrator.
If prompted, click "Yes" to reboot.
Save any open work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. TFC may re-boot your system, if not *Re-boot it yourself to complete the cleaning process* *<---- Very Important*

Next,

We now need to reset your system restore points and create a new clean one. To do this "Turn off" System Restore > Left click Start > Right click My Computer > Left click Properties > Select System Restore tab > put a tick in the Turn off System Restore box > Apply > OK. To reverse, do as before but remove the tick from Turn off System Restore > Apply > OK.

Create the new restore point > Start > all programs > accessories > system tools > system restore > create a restore point > In the Restore point description box give it a name for reference eg. Clean 1. The time and date are added automatically > then select create and follow the wizard out.

Next,

Re-boot into Safe Mode, when Desktop is stable run the SP3 installer. When finished re-boot to Normal Mode and let me know how your system is responding...

Kevin


----------



## simmer14 (Sep 3, 2011)

SP3 installed. No problems and no mmkeybd.exe message.


----------



## kevinf80 (Mar 21, 2006)

Nice one, you want to use your system for 24 hours or so and see how it goes, if no issues post back and we'll close this one out. Been a bit of a saga but I think we've nailed it for sure....
You had zeroaccess rootkit infection, probably one to avoid in the future if possible. lol.


----------



## simmer14 (Sep 3, 2011)

Ha ha. Think I was holding out for 90 odd posts to take your record for most problematic virus!!

I'll be in touch in 24 hours or so mate. Thanks again.


----------



## kevinf80 (Mar 21, 2006)

Yep zeroaccess is a bad one for sure, I've had a few of these recently, got one on the go at SpywareHammer, unfortunately after running Combofix have ended up with an unbootable system. Some you win, some you lose.....


----------



## simmer14 (Sep 3, 2011)

Hi Kevin,

Everything running fine mate. Only problem I have is this 'Microsoft Search Enhancement' window opening on startup but that was happening pre-virus.

PC is stable though.


----------



## kevinf80 (Mar 21, 2006)

Your latest logs are clean and you say that your system is running well, it would be an excellent idea to keep it that way. The following advice will go a long way to keeping you secure so that you can enjoy safe and happy surfing.

Here are some tips to reduce the potential for malware infection in the future; I strongly recommend that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.

*Make proper use of your antivirus and firewall*

Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features, make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times, *NEVER* turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure your system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Install and use *WinPatrol*. This will inform you of any attempted unauthorized changes to your system.

WinPatrol features explained *Here*

You will have several programs installed, these may be outdated and vulnerable to exploits also. To be certain, please run the free online scan by *Secunia*, available *Here*. Before clicking the *Start* scan button, please check the box for the option *Enable thorough system inspection*. Just below the "Scan Options:" section, you'll see the status of what's currently processing....

...when the scan completes, the message "Detection completed successfully" will appear in the *Programs/Result* section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.

*Use a safer web browser*

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:

*Firefox*,

*Opera*, and

*Chrome*.

All of these are excellent, faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial *HERE* which will help you to make IE *MUCH* safer.

These *browser add-ons* will help to make your browser safer:

*Web of Trust* warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:

Available for *Firefox* and *Internet Explorer*.

*Green* to go, 
*Yellow* for caution, and 
*Red* to stop.

Available for *Firefox* only. *NoScript* helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.

These are just a couple of the most popular add-ons, if you're interested in more, take a look at *THIS* article.

Here are a couple of links by two security experts that will give some excellent tips and advice.

*So how did I get infected in the first place by Tony Klein*

*How to prevent Malware by Miekiemoes*

Finally this link *HERE* will give a comprehensive up-to-date list of free Security programs, including Antivirus, Antispyware, Firewall, Antimalware, Online scanners and rescue CDs.

Don't forget, the best form of defense is common sense. If you don't recognize it, don't open it. If something looks too good to be true, then it ain't.

Regarding "Microsoft Search Enhancement" ask the question under XP in the Operating System Forum :-

http://forums.techguy.org/21-windows-xp/

If no remaining malware issues hit the Mark Solved tab at the top of the thread.

Take care,

Kevin


----------



## simmer14 (Sep 3, 2011)

Thanks for everything, Kevin. Your time and patience. You're an absolute mackem legend!! 

I'm so pleased I stumbled across this site as I was on the verge of calling someone in the Echo and saying "format this!!"

If ever you're in Ashbrooke Rugby Club give me a shout (Simmer) and allow me to get you a few beers.

All the best to you matey.


----------



## kevinf80 (Mar 21, 2006)

You're very welcome "Simmer" and you never know, I might just drop in on you at some point. Regarding the issue you mentioned, have a read of this thread http://forums.majorgeeks.com/showthread.php?t=177339 similar fault with a fix.

Cheers,

Kevin


----------

