Solved Can't kill multiple open Internet ports


Virtual Madness

Hi guys,

I’m new to the Forum, so please be gentle.

Okay, I’m hoping the Techie genius of all time ends up reading this to help me out with a mind-boggling problem. I’m not a novice, but I’m not an expert either when it comes to Hardware/Software and the nuts and bolts of it all, but I can find my way around okay, at least I thought I could.

A few months ago, my hard disk failed in my laptop (it was about 10 years old!), so I used dd rescue (via a Linux Live CD) to recover as much as possible to an external hard drive (my normal back-up method was about 2 weeks out-of-date annoyingly, so I needed to recover documents etc).

I bought a new hard disk and re-installed everything (Windows XP SP3 and other programs relevant to my everyday needs), along with customization of settings etc. Everything was hunky dory and back to normal for a while, but then, after visiting a well known ‘Cash Back’ website on a particular occasion, I noticed that iexplore.exe ‘hung’ in Task Manager. I could visit other websites, such as a well-known auction site amongst others, and wouldn’t see the problem i.e. after closing the browser (IE8 in this instance), iexplore.exe would end as you would expect.

Initially thinking it was a virus, spyware or malware etc., I ran just about every scan I could find (using commercial, freeware and even on-line scan packages), but couldn’t find a single thing/infection. I then tried using Mozilla Firefox and Opera Browsers, just to see how they would react. Exactly the same problem/outcome i.e. okay with a majority of websites, but not when visiting the cash back website where I first noticed the problem (it’s started happening with other websites I’m visiting now).

Process Explorer, Task Kill, UVK and even the Windows cmd prompt cannot kill the ‘hanging’ .exe file – it’s a reboot situation to clear it. I’ve re-set and re-installed IE8, ran ComboFix, HJT and loads more, but just can’t find the problem. Emsisoft’s ASquared also confirms weird behaviour with the open ports i.e. before visiting the websites that cause the problem, the open ports are as you would expect – when I visit one of the websites that cause the issue, many (sometimes 20+) instances of iexplore.exe ports will open; cmd prompt ‘netstat -a’ doesn’t show anything out of the ordinary either. Oh by the way, when I submit the results on-line to Emsisoft ASquared, it comes back with results confirming that malicious programs use a certain port that I seem to have open, but the malicious type and port that’s open changes every single time I submit a scan – it’s completely random.

After many, many nights of head scratching, I’m simply lost with this one – yes, I’ve disabled all add-ons (regardless of browser type) and tried to browse with the bare bones (in IE8, Mozilla Firefox and Opera), but the same problem occurs - the browser will hang and nothing will kill it except for a reboot.

Oh and last night as a last ditch attempt, I reset and even went on to flash the firmware of the BT Business Broadband 2wire 2700HGV Hub – no change, the problem continues in the same manner as before.

Sorry for the long-winded post, but it’s a bit of background info for the genius I’m hoping will ultimately end up resolving this for me - if he’s out there listening?

Many thanks in advance,
Virtual Madness.
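One way to tie those open ports back to the hung process, added here as an example and not part of the original thread or any tool named in it: plain `netstat -a` (as used above) omits the owning PID, whereas `netstat -ano` prints it, and `tasklist /fo csv /nh` maps PIDs to image names. The script below parses constructed sample output from both commands, groups sockets by PID, and flags processes holding an unusual number of them together with how many sit in CLOSE_WAIT (the remote end has closed but the local process has not, which is typical of a process that is stuck); the sample data, PIDs, addresses and the threshold are all assumptions.

```python
"""Attribute open sockets to processes from `netstat -ano` + `tasklist` output.

Example written for this thread; not code from TechSpot or any product
mentioned in it. All sample output below is constructed.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of `netstat -ano` on Windows XP. The -o switch adds
# the PID column that `netstat -a` lacks. PIDs and addresses are made up.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1054      203.0.113.7:80         ESTABLISHED     1436
  TCP    192.168.1.10:1055      203.0.113.7:80         CLOSE_WAIT      1436
  TCP    192.168.1.10:1056      203.0.113.8:80         CLOSE_WAIT      1436
  TCP    192.168.1.10:1057      203.0.113.8:443        CLOSE_WAIT      1436
  TCP    192.168.1.10:1058      198.51.100.20:80       CLOSE_WAIT      1436
  TCP    192.168.1.10:1060      198.51.100.21:80       ESTABLISHED     2208
  UDP    0.0.0.0:500            *:*                                    688
  UDP    127.0.0.1:1900         *:*                                    1052
"""

# Constructed sample of `tasklist /fo csv /nh`, used only to name the PIDs.
SAMPLE_TASKLIST = '''"System","4","Console","0","236 K"
"svchost.exe","912","Console","0","4,912 K"
"lsass.exe","688","Console","0","1,300 K"
"svchost.exe","1052","Console","0","3,100 K"
"iexplore.exe","1436","Console","0","61,204 K"
"firefox.exe","2208","Console","0","88,512 K"
'''


def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) tuples from netstat -ano output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # skip banner and header lines
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts[:5]
        else:
            proto, local, foreign, pid = parts[:4]  # UDP rows have no State column
            state = ""
        rows.append((proto, local, foreign, state, int(pid)))
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    names = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def summarise(netstat_text, tasklist_text):
    """Per PID: (image name, {state-or-proto: socket count})."""
    names = parse_tasklist(tasklist_text)
    per_pid = defaultdict(Counter)
    for proto, _local, _foreign, state, pid in parse_netstat(netstat_text):
        per_pid[pid][state or proto] += 1
    return {pid: (names.get(pid, "?"), dict(c)) for pid, c in per_pid.items()}


def flag_suspect_processes(summary, max_sockets=3):
    """Processes holding more than max_sockets sockets, most sockets first.

    Each entry is (pid, name, total sockets, sockets in CLOSE_WAIT).
    The threshold is a heuristic: a browser with many tabs legitimately
    holds many sockets, so the CLOSE_WAIT count is the more telling figure.
    """
    out = []
    for pid, (name, counts) in summary.items():
        total = sum(counts.values())
        if total > max_sockets:
            out.append((pid, name, total, counts.get("CLOSE_WAIT", 0)))
    return sorted(out, key=lambda t: -t[2])


if __name__ == "__main__":
    for pid, name, total, cw in flag_suspect_processes(
            summarise(SAMPLE_NETSTAT, SAMPLE_TASKLIST)):
        print(f"PID {pid} ({name}): {total} sockets, {cw} in CLOSE_WAIT")
```

On the real machine, capture the two commands to files and feed their contents to `summarise()` in place of the constructed samples.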
 
Dear Virtual Madness, I will gently Welcome you to TechSpot!

I don't know that you've chosen the best forum for your problem. So I will give you a choice:

#1. If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

A condition to #1: you must remove all those programs you ran trying to fix the problem even if some of them are included in the above. Then you will download the scans in the steps and we'll start there. A program I would most likely use following the above will show open ports and they can be closed through that program.

or #2: I can have this thread moved to a more appropriate forum in TechSpot.

It is your choice. Let me know.
===================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
 
Logs as requested:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7796

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

25/09/2011 15:47:53
mbam-log-2011-09-25 (15-47-53).txt

Scan type: Quick scan
Objects scanned: 161751
Time elapsed: 12 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-09-25 16:21:12
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 SAMSUNG_HM160HC rev.LQ100-10
Running: g74ixvmi.exe; Driver: C:\DOCUME~1\VIRTUAL MADNESS~1\LOCALS~1\Temp\pwdoqkoc.sys


---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip UrlFilter.sys (URL Filter/IObit.com)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp UrlFilter.sys (URL Filter/IObit.com)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp UrlFilter.sys (URL Filter/IObit.com)
AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\RawIp UrlFilter.sys (URL Filter/IObit.com)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----
 
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Virtual Madness at 16:39:43 on 2011-09-25
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.687 [GMT 1:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: PC Tools Firewall Plus *Enabled*
FW: Symantec Endpoint Protection *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Prey\platform\windows\cronsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
C:\Program Files\Kerkia\Minimem\minimem.exe
C:\Program Files\IObit\Advanced SystemCare 4\Suo10_SmartRAM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\IObit\Advanced SystemCare 4\ASC.exe
C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe
C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
C:\Program Files\IObit\IObit Malware Fighter\IMF.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\Browser Guard\BGUI.exe
C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
C:\Program Files\Trend Micro\Browser Guard\tmiegsrv.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uWindow Title = Internet Explorer
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: TMIEGBHO Class: {f1ad4a42-ba52-47bc-89df-3f68f24c017f} - c:\program files\trend micro\browser guard\TMAMS.dll
TB: TMBGBAR TOOLBAR: {c8137a8d-415d-450c-a1b1-d0c519d45296} - c:\program files\trend micro\browser guard\tmieg.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Advanced SystemCare 4] c:\program files\iobit\advanced systemcare 4\ASCTray.exe
uRun: [Minimem] c:\program files\kerkia\minimem\minimem.exe
uRun: [SmartRAM] "c:\program files\iobit\advanced systemcare 4\Suo10_SmartRAM.exe" /m
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [CleanMem Mini Monitor] c:\program files\cleanmem\Mini_Monitor.exe /startup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [IObit Malware Fighter] "c:\program files\iobit\iobit malware fighter\IMF.exe" /autostart
mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Trend Micro RUBotted V2.0 Beta] c:\program files\trend micro\rubotted\RUBottedGUI.exe
mRun: [Trend Micro Browser Guard] "c:\program files\trend micro\browser guard\BGUI.EXE"
mRun: [IE Privacy Keeper] "c:\program files\unh solutions\ie privacy keeper\IEPrivacyKeeper.exe" -startup
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{b0bf7057-6869-4e4b-920c-ea2a58da07f0}\Icon3E5562ED7.ico
uPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
IE: {D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - c:\program files\unh solutions\ie privacy keeper\IEPrivacyKeeper.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {5033E708-9A94-4EF7-A50E-DF0F3A2E636F} - hxxp://crmprod.private.de:8001/sap/bc/bsp/sap/public/Calendar/BSP_SAPCalendar.CAB
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 10.6.2.204 crmprod.private.de crmprod
Hosts: 10.6.2.205 portalprod.private.de portalprod
Hosts: 10.6.2.64 sapbwserver.private.de sapbwserver
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\virtual madness\application data\mozilla\firefox\profiles\ct56r620.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-9-14 64512]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-8-23 56336]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKslaa6e473e;MpKslaa6e473e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{966147f1-75d1-41d9-ae12-a2299c8ca246}\mpkslaa6e473e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{966147f1-75d1-41d9-ae12-a2299c8ca246}\MpKslaa6e473e.sys [?]
R1 MpKslb954000d;MpKslb954000d;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{541eb5eb-27ad-4694-99f3-d21af5015fbd}\MpKslb954000d.sys [2011-9-25 28752]
R1 MpKsld19c13e2;MpKsld19c13e2;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{541eb5eb-27ad-4694-99f3-d21af5015fbd}\MpKsld19c13e2.sys [2011-9-25 28752]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2011-8-5 251560]
R1 RapportCerberus_29574;RapportCerberus_29574;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_29574.sys [2011-8-23 216912]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-8-23 70416]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-8-23 161936]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
R2 CronService;Cron Service for Prey;c:\prey\platform\windows\cronsvc.exe [2011-2-15 19968]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [2011-7-28 521786]
R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-7-28 820568]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-8-18 2151640]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2011-8-5 160576]
R2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2011-8-5 286000]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-8-23 919352]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-9-17 2477304]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [2011-7-28 36188]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-9-9 105592]
R3 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\FileMonitor.sys [2011-7-28 239600]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110924.007\NAVENG.SYS [2011-9-25 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110924.007\NAVEX15.SYS [2011-9-25 1576312]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2011-8-5 89472]
R3 pctNdisMP;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [2011-8-5 57536]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2011-8-5 125248]
R3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\RegFilter.sys [2011-7-28 30368]
R3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\UrlFilter.sys [2011-7-28 16080]
S1 MpKsl281501be;MpKsl281501be;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7c32d5c0-8dd1-469a-ba80-53f6d3d172ed}\mpksl281501be.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7c32d5c0-8dd1-469a-ba80-53f6d3d172ed}\MpKsl281501be.sys [?]
S1 MpKsl39e47489;MpKsl39e47489;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b0c6aa3a-d905-4a8d-a1df-ca06be3f46c3}\mpksl39e47489.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b0c6aa3a-d905-4a8d-a1df-ca06be3f46c3}\MpKsl39e47489.sys [?]
S1 MpKsl452da61e;MpKsl452da61e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{edd040be-b104-47d1-87db-9baf04b68a0b}\mpksl452da61e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{edd040be-b104-47d1-87db-9baf04b68a0b}\MpKsl452da61e.sys [?]
S2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-7-28 328536]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\RUBotSrv.exe [2011-9-7 439632]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-14 23888]
S3 dkab_device;dkab_device;c:\windows\system32\dkabcoms.exe -service --> c:\windows\system32\DKabcoms.exe -service [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-8-18 15232]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S3 pctNdis;PC Tools Firewall Intermediate Filter Service;c:\windows\system32\drivers\pctNdis.sys [2011-8-5 57536]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-12 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-09-25 15:17:59 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{541eb5eb-27ad-4694-99f3-d21af5015fbd}\MpKsld19c13e2.sys
2011-09-25 14:33:24 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-25 14:33:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-25 10:18:00 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{541eb5eb-27ad-4694-99f3-d21af5015fbd}\MpKslb954000d.sys
2011-09-25 10:15:28 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{541eb5eb-27ad-4694-99f3-d21af5015fbd}\offreg.dll
2011-09-25 10:14:54 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{541eb5eb-27ad-4694-99f3-d21af5015fbd}\mpengine.dll
2011-09-21 23:21:43 -------- d-----w- c:\documents and settings\virtual madness\local settings\application data\Norman Malware Cleaner
2011-09-21 22:46:50 -------- d-----w- c:\program files\Active Ports
2011-09-21 22:18:50 -------- d-----w- c:\documents and settings\all users\application data\Tweaking.com
2011-09-21 22:18:32 -------- d-----w- c:\program files\Tweaking.com
2011-09-21 06:18:20 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-09-21 06:18:20 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-20 21:45:49 -------- d-----w- C:\MGtools
2011-09-20 21:06:04 -------- d-----w- c:\windows\2Wire.0000
2011-09-17 21:38:12 -------- d-----w- c:\program files\TweakNow PowerPack 2011
2011-09-17 21:38:12 -------- d-----w- c:\documents and settings\virtual madness\application data\TweakNow PowerPack 2011
2011-09-17 20:13:04 -------- d-----w- c:\program files\TweakNow RegCleaner 2011
2011-09-17 20:13:04 -------- d-----w- c:\documents and settings\virtual madness\application data\TweakNow RegCleaner 2011
2011-09-16 22:54:51 -------- d-----w- c:\documents and settings\virtual madness\local settings\application data\Opera
2011-09-15 16:05:37 -------- dc-h--w- c:\windows\ie8
2011-09-14 20:54:38 -------- d-----w- c:\documents and settings\virtual madness\local settings\application data\WMTools Downloaded Files
2011-09-14 17:43:15 -------- d-----w- c:\program files\iolo
2011-09-14 17:43:15 -------- d-----w- c:\documents and settings\virtual madness\application data\iolo
2011-09-14 17:43:15 -------- d-----w- c:\documents and settings\all users\application data\iolo
2011-09-14 11:49:49 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-09-14 09:56:16 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-09-14 09:50:09 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-09-14 09:49:47 -------- d-----w- c:\program files\Lavasoft
2011-09-13 22:20:38 -------- d-----w- c:\windows\CleanMem
2011-09-13 22:20:38 -------- d-----w- c:\program files\CleanMem
2011-09-11 23:19:55 -------- d-----w- c:\program files\Trusteer
2011-09-10 18:34:11 -------- d-sha-r- C:\cmdcons
2011-09-10 18:31:50 98816 ----a-w- c:\windows\sed.exe
2011-09-10 18:31:50 518144 ----a-w- c:\windows\SWREG.exe
2011-09-10 18:31:50 256000 ----a-w- c:\windows\PEV.exe
2011-09-10 18:31:50 208896 ----a-w- c:\windows\MBR.exe
2011-09-08 16:33:01 -------- d-----w- c:\documents and settings\virtual madness\application data\.clamwin
2011-09-08 16:32:21 -------- d-----w- c:\program files\ClamWin
2011-09-08 16:32:21 -------- d-----w- c:\documents and settings\all users\.clamwin
2011-09-08 16:08:03 -------- d-----w- C:\ToolBar SD
2011-09-08 15:16:21 -------- d-----w- c:\documents and settings\virtual madness\local settings\application data\FixItCenter
2011-09-08 15:10:20 -------- d-----w- c:\windows\MATS
2011-09-08 15:10:17 -------- d-----w- c:\program files\Microsoft Fix it Center
2011-09-08 14:35:22 -------- d--h--w- c:\windows\msdownld.tmp
2011-09-07 19:34:54 -------- d-----w- c:\documents and settings\all users\application data\Trend Micro
2011-09-07 19:34:00 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-09-07 19:30:14 -------- d-----w- c:\documents and settings\virtual madness\local settings\application data\Browser Guard
2011-09-07 19:24:05 -------- d-----w- c:\program files\WinPcap
2011-09-07 13:34:59 297728 -c--a-w- c:\windows\system32\dllcache\ac97sis.sys
2011-09-07 13:33:57 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-09-07 10:26:28 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-09-07 10:26:28 19416 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
2011-09-07 10:26:27 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-09-07 10:26:27 125912 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
2011-09-07 08:09:18 -------- d-----w- c:\program files\MSXML 4.0
2011-09-06 18:51:35 -------- d-----w- c:\documents and settings\virtual madness\local settings\application data\IsolatedStorage
2011-09-06 18:46:39 -------- d-----w- c:\documents and settings\virtual madness\local settings\application data\HP
2011-09-06 18:09:17 626960 ----a-r- c:\windows\system32\hpvaut32.dll
2011-09-06 18:09:17 44544 ----a-r- c:\windows\system32\MSXML4a.dll
2011-09-06 18:09:16 487424 ----a-r- c:\windows\system32\hpvcp70.dll
2011-09-06 18:09:16 344064 ----a-r- c:\windows\system32\hpvcr70.dll
2011-09-06 18:08:23 -------- d-----w- c:\program files\common files\Hewlett-Packard
2011-09-06 18:01:58 -------- d-----w- c:\program files\common files\HP
2011-09-06 18:01:48 35840 ----a-w- c:\windows\system32\drivers\AFS2K.SYS
2011-09-06 17:54:14 -------- d-----w- c:\program files\HP
2011-09-06 17:52:44 94208 ----a-r- c:\windows\system32\HPZipt12.dll
2011-09-06 17:52:42 61699 ----a-r- c:\windows\system32\HPZinw12.exe
2011-09-06 17:52:42 57344 ----a-r- c:\windows\system32\HPZisn12.dll
2011-09-06 17:52:41 65795 ----a-r- c:\windows\system32\HPZipm12.exe
2011-09-06 17:52:40 266296 ----a-r- c:\windows\system32\HPZidr12.dll
2011-09-06 17:52:40 196608 ----a-r- c:\windows\system32\HPZipr12.dll
2011-09-06 17:52:38 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2011-09-06 17:52:26 51056 ----a-r- c:\windows\system32\drivers\hpzid412.sys
2011-09-06 17:50:58 21488 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2011-09-06 17:50:30 262144 ----a-r- c:\windows\system32\HPZc3212.dll
2011-09-06 17:50:29 77824 ----a-r- c:\windows\system32\hpovst08.dll
2011-09-06 17:50:28 565248 ----a-r- c:\windows\system32\hpotscl.dll
2011-09-06 17:50:26 274432 ----a-r- c:\windows\system32\hpgwiamd.dll
2011-09-06 17:50:20 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-09-06 17:50:20 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-09-06 17:46:41 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-09-06 17:46:41 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-09-05 17:04:56 183696 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-09-05 17:04:56 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-09-05 13:43:28 785368 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-09-05 13:43:27 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-09-05 13:43:27 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-09-05 13:43:27 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-09-05 13:43:27 1846232 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-09-05 13:43:27 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-08-31 22:27:53 -------- dc----w- c:\documents and settings\all users\application data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}
2011-08-31 22:23:57 -------- d-----w- c:\documents and settings\all users\application data\Webroot
2011-08-31 19:48:10 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-08-30 10:16:43 -------- d-----w- c:\program files\Microsoft Security Client
.
==================== Find3M ====================
.
2011-09-25 15:32:38 29 ----a-w- c:\windows\system32\TempWmicBatchFile.bat
2011-09-17 19:02:10 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-09-17 19:02:10 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-09-12 20:25:00 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-23 07:04:58 56336 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-09 19:56:03 61440 ----a-w- c:\windows\system32\CleanMem.exe
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
============= FINISH: 16:44:27.84 ===============
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 25/07/2011 18:28:41
System Uptime: 25/09/2011 10:59:48 (6 hours ago)
.
Motherboard: Dell Inc. | | 0U6962
Processor: Intel(R) Celeron(R) M processor 1.40GHz | Microprocessor | 1396/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 126.783 GiB free.
D: is CDROM ()
I: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Dell Wireless 1370 WLAN Mini-PCI Card
Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_00051028&REV_02\4&2FA23535&0&18F0
Manufacturer: Broadcom
Name: Dell Wireless 1370 WLAN Mini-PCI Card
PNP Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_00051028&REV_02\4&2FA23535&0&18F0
Service: BCM43XX
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: PC Tools Driver
Device ID: ROOT\S4E_PCTNDISMP\0001
Manufacturer: PC Tools
Name: Deterministic Networks WAN Virtual miniport - PC Tools Driver
PNP Device ID: ROOT\S4E_PCTNDISMP\0001
Service: pctNdisMP
.
==== System Restore Points ===================
.
RP231: 20/09/2011 20:06:42 - Software Distribution Service 3.0
RP232: 20/09/2011 21:31:45 - Before Netwire Driver Re-install
RP233: 21/09/2011 07:14:18 - Restore Operation
RP234: 21/09/2011 17:52:15 - Software Distribution Service 3.0
RP235: 21/09/2011 23:16:36 - Before Tweaking Install
RP236: 21/09/2011 23:40:11 - Before aports install
RP237: 22/09/2011 00:20:39 - Before Norman Spyware Install
RP238: 22/09/2011 15:22:42 - Before Tweak Power Pack Usage
RP239: 23/09/2011 08:02:03 - Software Distribution Service 3.0
RP240: 24/09/2011 08:27:04 - Software Distribution Service 3.0
RP241: 25/09/2011 11:14:25 - Software Distribution Service 3.0
RP242: 25/09/2011 15:19:52 - Before Tech Spot Clean Up
.
==== Installed Programs ======================
.
1300
1300_Help
1300Tour
1300Trb
ACS2000
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.1.1)
Advanced SystemCare 4
AiO_Scan
AIOMinimal
AiOSoftware
Blood Pressure Tracker
Browser Guard v3.0
C-Major Audio
CCleaner
Cisco Systems VPN Client 5.0.07.0290
ClamWin Free Antivirus 0.97.2
CleanMem
Compatibility Pack for the 2007 Office system
Conexant D110 MDC V.92 Modem
Copy
CreativeProjects
Dell Driver Download Manager
Dell ResourceCD
Dell Software Uninstall
Dell Wireless WLAN Card
Director
DocProc
Emsisoft HiJackFree 4.5
Fax
FileASSASSIN
Game Booster
GoldMine 6.0
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Photo & Imaging 3.1
HP PSC & OfficeJet 3.0
HP Software Update
hpmdtab
HPSystemDiagnostics
IE Privacy Keeper
InstantShare
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
IObit Malware Fighter
LiveUpdate 3.3 (Symantec Corporation)
Malwarebytes' Anti-Malware version 1.51.2.1300
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Fix it Center
Microsoft Office 2000 SR-1 Professional
Microsoft Security Client
Microsoft Security Essentials
Microsoft User-Mode Driver Framework Feature Pack 1.0
Minimem
Mouse Suite for Laptop Computers
Mozilla Firefox 6.0.1 (x86 en-GB)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Oubliette 1.9.5
Overland
PC Tools Firewall Plus 7.0
PhotoGallery
PrintScreen
QFolder
QuickProjects
QuickSet
Rapport
Readme
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB982381)
SkinsHP1
SkinsHP2
Spybot - Search & Destroy
SpywareBlaster 4.4
SUPERAntiSpyware
Symantec Endpoint Protection
Synaptics Pointing Device Driver
System Checkup 3.0
TrayApp
Trend Micro RUBotted 2.0 Beta
Tweaking.com - Simple Performance Boost
TweakNow PowerPack 2011 SP3a
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows XP (KB2467659)
UVK
WebFldrs XP
WebReg
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinPatrol
WinPcap 4.1.1
ZipCentral 4.01
.
==== Event Viewer Messages From Past Week ========
.
25/09/2011 16:17:34, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
25/09/2011 16:17:26, error: Service Control Manager [7034] - The IMF Service service terminated unexpectedly. It has done this 1 time(s).
25/09/2011 16:17:12, error: Service Control Manager [7034] - The Advanced SystemCare Service service terminated unexpectedly. It has done this 1 time(s).
25/09/2011 16:16:52, error: Service Control Manager [7034] - The Trend Micro RUBotted Service service terminated unexpectedly. It has done this 1 time(s).
25/09/2011 16:16:43, error: Service Control Manager [7031] - The Symantec Endpoint Protection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
22/09/2011 16:02:29, error: Service Control Manager [7000] - The SABProcEnum service failed to start due to the following error: The system cannot find the file specified.
22/09/2011 02:06:45, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.111.2744.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7604.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
22/09/2011 01:09:36, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.
22/09/2011 01:09:36, error: Service Control Manager [7000] - The LiveUpdate service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
22/09/2011 01:09:34, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service LiveUpdate with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
21/09/2011 23:11:15, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMF Service service to connect.
21/09/2011 23:11:15, error: Service Control Manager [7000] - The IMF Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
21/09/2011 21:55:49, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV eeCtrl Fips intelppm MpFilter RapportKELL SASDIFSV SASKUTIL SPBBCDrv SRTSP SRTSPX SYMTDI
20/09/2011 22:37:44, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0014A53D9F60. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
20/09/2011 14:05:19, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000098' while processing the file 'wpshelper.sys' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
19/09/2011 15:29:42, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
19/09/2011 10:35:41, error: EventLog [6004] - A driver packet received from the I/O subsystem was invalid. The data is the packet.
18/09/2011 13:40:44, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: The referenced assembly is not installed on your system. .
18/09/2011 13:40:44, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Trend Micro\Browser Guard\TMBGCFG2.dll. Reference error message: The operation completed successfully. .
18/09/2011 13:40:44, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
18/09/2011 13:00:01, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
18/09/2011 12:55:25, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
18/09/2011 12:55:17, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD APPDRV eeCtrl Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT pctgntdi RapportKELL RasAcd Rdbss SASDIFSV SASKUTIL SPBBCDrv SRTSP SRTSPX SYMTDI Tcpip WPS
18/09/2011 12:55:17, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Lavasoft Ad-Aware Service service to connect.
18/09/2011 12:55:17, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
18/09/2011 12:55:17, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
18/09/2011 12:55:17, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
18/09/2011 12:55:17, error: Service Control Manager [7000] - The Lavasoft Ad-Aware Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================
 
When a system has multiple programs running that do the same thing, it creates the following:
1. The purpose of any of the programs might be compromised so that none do the job intended.
2. An unnecessary amount of resources is used, which can slow the system down.
--------------------------------------
Multiple security programs may conflict so that none of them does what it is supposed to:
1. Multiple antivirus programs will make a system more vulnerable, so that none of them can decide which will do what, and viruses, Trojans, Worms, etc. can pass through on to the system.
2. Multiple firewalls can conflict so that the ports being monitored aren't 'listening'. This may allow scanners, hackers, crackers, et al. to pass through a port, bringing malware with them.

Multiple system monitors for cleaning, registry removal, memory optimizing all running at the same time will:
1. Use large amount of the system resources.
2. Possibly, in the attempt to decide which program will do what, entries may be removed in error, or entries that should be removed aren't.

That being said, here is your system:
Antivirus:
ClamWin
Symantec Endpoint Protection
Lavasoft Ad-Watch Live! Anti-Virus
Microsoft Security Essentials

Firewall:
Zone Alarm> vsdatant.sys> Related to ZoneAlarm Firewall Driver.
PC Tools Firewall Plus
Symantec Endpoint Protection
Microsoft Security Essentials

Antimalware: 2 or more is okay. They should use different manners to monitor:
Spybot-S&D IE Protection
Trend Micro Browser Guard/ BHO and TB
SUPERAntiSpyware
IObit Malware Fighter
IE Privacy Keeper
Malwarebytes
SuperAdBlocker
Norman Malware Cleaner
Lavasoft Ad-Aware
Microsoft Security Client\Antimalware
Emsisoft HiJackFree 4.5
HiJackThis

System Cleaners/Optimizers:
Advanced SystemCare
IOLO> PC Tuneup
CleanMem
Microsoft Fix it Center
CCleaner
FileASSASSIN> unlock
System Checkup 3.0
---------------------------------------------
Please get this down to:
One antivirus
One Firewall
Three of the antimalware programs
One system 'cleaner.'

===========================================
Please reboot the system when through
===========================================
When the above has been handled:
Please note: If you have previously run Combofix and it is still on the system, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save it to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow it
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated and it will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
==================================
Edit: A reminder that it is the user who is the first line of security. No matter how much or how many security programs you put on a system, you are the first block of malware. So if you do careless things on the internet, you will see the results happen on your system.
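Added example, not part of the thread and not one of the tools the helper names: a PowerShell script that lists the antivirus and firewall products a machine has registered with Windows Security Center, and flags any category with more than one entry, so the "one antivirus, one firewall" target above can be checked after the uninstalls are done. It assumes PowerShell 2.0 or later is installed (an optional download on XP SP3; the thread does not say whether it is present) and that WMI is reachable. On XP the registrations live in the WMI namespace root\SecurityCenter; Vista and later use root\SecurityCenter2, so both are queried and a missing namespace or class is ignored.

```powershell
# Added example (not from the thread): enumerate security products registered
# with Windows Security Center and flag categories with more than one product.
# Assumes PowerShell 2.0+ and Get-WmiObject; neither is mentioned in the thread.

function Get-SecurityCenterProducts {
    # XP SP2/SP3 register products under root\SecurityCenter; Vista and later
    # use root\SecurityCenter2. Query both; a namespace or class that does not
    # exist on this Windows version simply returns nothing.
    $namespaces = 'root\SecurityCenter', 'root\SecurityCenter2'
    $classes    = 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct'
    foreach ($ns in $namespaces) {
        foreach ($class in $classes) {
            $items = Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue
            foreach ($item in $items) {
                New-Object PSObject -Property @{
                    Namespace = $ns
                    Category  = $class
                    Name      = $item.displayName
                    Guid      = $item.instanceGuid
                }
            }
        }
    }
}

function Report-Duplicates {
    param([object[]]$Products)
    # One line per category; more than one registration in a category is the
    # situation the helper's post asks to eliminate.
    $Products | Group-Object -Property Category | ForEach-Object {
        $names = ($_.Group | ForEach-Object { $_.Name }) -join ', '
        if ($_.Count -gt 1) {
            Write-Output ("{0}: {1} registered ({2}) - reduce to one" -f $_.Name, $_.Count, $names)
        } else {
            Write-Output ("{0}: {1}" -f $_.Name, $names)
        }
    }
}

$products = @(Get-SecurityCenterProducts)
if ($products.Count -eq 0) {
    Write-Output 'No products registered with Security Center (or the namespace is unavailable).'
} else {
    $products | Format-Table Category, Name, Guid, Namespace -AutoSize
    Report-Duplicates -Products $products
}
```

Run it from an elevated PowerShell prompt before and after removing the surplus programs. A product that still appears here after its uninstaller has run is a registration the uninstaller left behind, which is worth knowing about because Security Center and any tool that reads these registrations will keep reporting that product as present even though its files and services are gone.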
 
Hi Bobbye,

Thank you for your advice...all done as requested, along with the ComboFix log.

One thing I've just noticed though, despite using the 'uninstall' facility to remove Microsoft Security Essentials, it's still showing as an AV in the ComboFix log (I'm going to keep Symantec Endpoint Protection as the primary and only AV)???

Look forward to hearing from you ref. the next step.

Best regards,
Virtual Madness

***************************
ComboFix 11-09-27.01 - virtual madness 27/09/2011 23:21:56.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.765 [GMT 1:00]
Running from: c:\documents and settings\virtual madness\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: PC Tools Firewall Plus *Disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\virtual madness\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\virtual madness\Local Settings\Application Data\ApplicationHistory\ProcessDll.exe.cd116cf9.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-08-27 to 2011-09-27 )))))))))))))))))))))))))))))))
.
.
2011-09-27 20:55 . 2011-09-27 21:31 -------- d-----w- c:\windows\SxsCaPendDel
2011-09-26 20:54 . 2011-09-26 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-09-26 20:40 . 2011-09-26 20:40 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Trusteer
2011-09-26 17:30 . 2010-09-10 21:32 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2011-09-26 17:29 . 2009-09-17 17:38 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2011-09-26 17:28 . 2011-09-26 17:28 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-09-26 17:28 . 2011-09-26 17:28 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-09-26 17:23 . 2011-09-26 17:28 -------- d-----w- c:\program files\Symantec
2011-09-26 16:03 . 2011-09-26 16:03 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-25 19:33 . 2011-09-25 19:33 -------- d-----w- c:\documents and settings\virtual madness\Application Data\SUPERAntiSpyware.com
2011-09-25 19:32 . 2011-09-25 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-09-25 18:11 . 2011-09-25 18:11 -------- d-----w- c:\windows\Sun
2011-09-25 18:10 . 2011-09-25 18:10 -------- d-----w- c:\program files\Common Files\Java
2011-09-25 18:09 . 2011-09-25 18:09 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-09-25 18:09 . 2011-09-25 18:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-25 18:09 . 2011-09-25 18:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-25 18:08 . 2011-09-25 18:08 -------- d-----w- c:\program files\Java
2011-09-25 18:00 . 2011-09-25 18:00 56336 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-09-21 23:21 . 2011-09-21 23:21 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\Norman Malware Cleaner
2011-09-21 22:18 . 2011-09-21 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Tweaking.com
2011-09-20 21:06 . 2011-09-21 06:17 -------- d-----w- c:\windows\2Wire.0000
2011-09-17 21:38 . 2011-09-17 22:41 -------- d-----w- c:\program files\TweakNow PowerPack 2011
2011-09-17 21:38 . 2011-09-17 21:38 -------- d-----w- c:\documents and settings\virtual madness\Application Data\TweakNow PowerPack 2011
2011-09-17 20:13 . 2011-09-17 22:36 -------- d-----w- c:\documents and settings\virtual madness\Application Data\TweakNow RegCleaner 2011
2011-09-16 22:54 . 2011-09-16 22:54 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\Opera
2011-09-15 16:05 . 2011-09-15 16:10 -------- dc-h--w- c:\windows\ie8
2011-09-14 20:54 . 2011-09-14 20:54 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\WMTools Downloaded Files
2011-09-14 17:43 . 2011-09-27 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2011-09-14 09:56 . 2011-09-14 09:56 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-09-11 23:19 . 2011-09-11 23:19 -------- d-----w- c:\program files\Trusteer
2011-09-08 14:35 . 2011-09-15 16:19 -------- d--h--w- c:\windows\msdownld.tmp
2011-09-07 19:34 . 2011-09-07 19:33 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-09-07 19:30 . 2011-09-07 19:35 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\Browser Guard
2011-09-07 13:34 . 2001-08-17 11:20 297728 -c--a-w- c:\windows\system32\dllcache\ac97sis.sys
2011-09-07 13:33 . 2001-08-17 13:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-09-07 10:26 . 2011-09-07 10:26 19416 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
2011-09-07 10:26 . 2011-09-07 10:26 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-09-07 10:26 . 2011-09-07 10:26 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-09-07 10:26 . 2011-09-07 10:26 125912 ----a-w- c:\program files\Mozilla Firefox\crashreporter.exe
2011-09-07 08:09 . 2011-09-07 08:09 -------- d-----w- c:\program files\MSXML 4.0
2011-09-06 18:52 . 2011-09-06 18:52 -------- d-----w- c:\documents and settings\virtual madness\Application Data\HP
2011-09-06 18:52 . 2011-09-06 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2011-09-06 18:51 . 2011-09-06 18:51 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\IsolatedStorage
2011-09-06 18:46 . 2011-09-06 18:46 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\HP
2011-09-06 18:09 . 2003-06-23 10:44 626960 ----a-r- c:\windows\system32\hpvaut32.dll
2011-09-06 18:09 . 2003-06-23 10:44 44544 ----a-r- c:\windows\system32\MSXML4a.dll
2011-09-06 18:09 . 2003-06-23 10:44 487424 ----a-r- c:\windows\system32\hpvcp70.dll
2011-09-06 18:09 . 2003-06-23 10:44 344064 ----a-r- c:\windows\system32\hpvcr70.dll
2011-09-06 18:08 . 2011-09-06 18:08 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2011-09-06 18:01 . 2011-09-06 18:01 -------- d-----w- c:\program files\Common Files\HP
2011-09-06 18:01 . 2004-10-08 01:16 35840 ----a-w- c:\windows\system32\drivers\AFS2K.SYS
2011-09-06 17:54 . 2011-09-06 18:09 -------- d-----w- c:\program files\HP
2011-09-06 17:52 . 2003-08-11 06:44 94208 ----a-r- c:\windows\system32\HPZipt12.dll
2011-09-06 17:52 . 2003-08-11 06:44 61699 ----a-r- c:\windows\system32\HPZinw12.exe
2011-09-06 17:52 . 2003-08-11 06:44 57344 ----a-r- c:\windows\system32\HPZisn12.dll
2011-09-06 17:52 . 2003-08-11 06:44 65795 ----a-r- c:\windows\system32\HPZipm12.exe
2011-09-06 17:52 . 2003-08-11 06:44 266296 ----a-r- c:\windows\system32\HPZidr12.dll
2011-09-06 17:52 . 2003-08-11 06:44 196608 ----a-r- c:\windows\system32\HPZipr12.dll
2011-09-06 17:52 . 2003-08-11 06:44 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2011-09-06 17:52 . 2003-08-11 06:44 51056 ----a-r- c:\windows\system32\drivers\hpzid412.sys
2011-09-06 17:50 . 2003-08-11 06:44 21488 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2011-09-06 17:50 . 2003-08-11 06:44 262144 ----a-r- c:\windows\system32\HPZc3212.dll
2011-09-06 17:50 . 2003-08-11 06:44 77824 ----a-r- c:\windows\system32\hpovst08.dll
2011-09-06 17:50 . 2003-08-11 06:44 565248 ----a-r- c:\windows\system32\hpotscl.dll
2011-09-06 17:50 . 2003-08-11 06:44 274432 ----a-r- c:\windows\system32\hpgwiamd.dll
2011-09-06 17:50 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-09-06 17:50 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-09-06 17:46 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-09-06 17:46 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-09-05 13:43 . 2011-09-07 10:26 785368 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-09-05 13:43 . 2011-09-07 10:26 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-09-05 13:43 . 2011-09-07 10:26 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-09-05 13:43 . 2011-09-07 10:26 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-09-05 13:43 . 2011-09-07 10:26 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-09-05 13:43 . 2011-09-07 10:26 1846232 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-08-31 22:36 . 2011-08-31 22:36 -------- d-----w- c:\windows\system32\config\systemprofile\PrivacIE
2011-08-31 22:36 . 2011-08-31 22:36 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Trusteer
2011-08-31 22:33 . 2011-09-01 07:55 -------- d-----w- c:\program files\Microsoft Silverlight
2011-08-31 22:27 . 2011-09-01 07:55 -------- dc----w- c:\documents and settings\All Users\Application Data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}
2011-08-31 22:23 . 2011-09-01 07:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-27 22:42 . 2011-08-19 19:03 29 ----a-w- c:\windows\system32\TempWmicBatchFile.bat
2011-09-27 00:03 . 2004-08-12 13:31 26112 ----a-w- c:\windows\system32\userinit.exe
2011-09-12 20:25 . 2011-07-28 07:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12 . 2004-08-12 13:18 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2004-08-12 13:22 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-12 13:24 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-09-07 10:26 . 2011-09-07 10:26 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 4"="c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-08-09 417112]
"Minimem"="c:\program files\Kerkia\Minimem\minimem.exe" [2011-01-09 95744]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 4\Suo10_SmartRAM.exe" [2011-08-09 373080]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-09-27 4611456]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-11-17 329096]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2011-04-07 2672600]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-08 115560]
"IE Privacy Keeper"="c:\program files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" [2005-12-03 1015808]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-7-7 233472]
VPN Client.lnk - c:\windows\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico [2011-7-29 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 11:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 10:24 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-06-06 16:06 77824 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-06-06 16:10 118784 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-06-06 16:09 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\DKabcoms.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [05/08/2011 00:37 251560]
R1 RapportCerberus_29574;RapportCerberus_29574;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_29574.sys [25/09/2011 19:01 216912]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [25/09/2011 19:00 70416]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [28/07/2011 19:44 521786]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [05/08/2011 00:37 160576]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [28/07/2011 19:40 36188]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [26/09/2011 18:38 105592]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [05/08/2011 00:35 89472]
R3 pctNdisMP;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [05/08/2011 00:35 57536]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [05/08/2011 00:34 125248]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [14/07/2009 12:51 23888]
S3 pctNdis;PC Tools Firewall Intermediate Filter Service;c:\windows\system32\drivers\pctNdis.sys [05/08/2011 00:35 57536]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [25/09/2011 19:00 56336]
S3 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [25/09/2011 19:00 161936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: {{D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - c:\program files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
TCP: DhcpNameServer = 192.168.178.254
DPF: {5033E708-9A94-4EF7-A50E-DF0F3A2E636F} - hxxp://crmprod.private.de:8001/sap/bc/bsp/sap/public/Calendar/BSP_SAPCalendar.CAB
FF - ProfilePath - c:\documents and settings\virtual madness\Application Data\Mozilla\Firefox\Profiles\ct56r620.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-27 23:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(756)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3560)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\SUPERAntiSpyware\SASCORE.EXE
c:\program files\IObit\Advanced SystemCare 4\ASCService.exe
c:\prey\platform\windows\cronsvc.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\PC Tools Firewall Plus\FWService.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\Trusteer\Rapport\bin\RapportService.exe
.
**************************************************************************
.
Completion time: 2011-09-27 23:52:40 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-27 22:52
.
Pre-Run: 138,798,661,632 bytes free
Post-Run: 138,668,171,264 bytes free
.
- - End Of File - - AF27B1BB68CD9C1903F6EBB45830768D
 
System is looking better. I would still like for you to go through all the programs you gathered to fix the problem. They don't need to keep loading.

I can remove Microsoft Security Essentials in the Combofix header since you ran the uninstaller. I will also include any left-over entries in script through Combofix. Since Symantec Endpoint Protection provides "Integrated antivirus, antispyware, firewall, and intrusion prevention as well as device control and application control", you should also uninstall the PC Tools Firewall.

From PC Tools Firewall support: Try using the program uninstaller first:
To uninstall PC Tools Firewall Plus:

Click on Start -> All Programs / Programs -> PC Tools Firewall Plus (folder) -> Uninstall PC Tools Firewall Plus. Follow the prompts to remove the application from your computer.
-----------------------
If you have any problem with that:
You may uninstall PC Tools Firewall Plus through the control panel:
1. Open the Windows Control Panel by clicking on Start -> Settings -> Control Panel.
2. In the Control Panel, click or double-click on Add or Remove programs / Add/Remove Programs.
3. In the list of currently installed programs/software, click on the PC Tools Firewall Plus item to select it.
4. Click the Remove button and follow the remaining prompts to remove the application from your computer.
After uninstalling any program, you should always delete its program folder: Right click on Taskbar> Explore> Computer> double click Local Drive> Programs> do a right click> Delete on the folder.
====================================
Please go ahead with the PCTools Firewall removal. There are several entries running.
========================================
You still have excess 'system cleaners/optimizers':
1. I advise removing Advanced System Care: none of the software maker sites or pages are considered safe per WOT.
2. You are also running TweakNow PowerPack 2011 and TweakNow RegCleaner 2011. We don't recommend anyone using a registry cleaner.
3. Iolo is still running.
------------------------------
What you need to consider is that all these programs that are supposed to be cleaning and optimizing are using system resources. Rarely is it the case of them being enough of a trade-off in what they do to make them worth the resources they use. Historically, a memory optimizer uses more resources than what it's supposed to be optimizing!
======================
Are you still using the HP printer you installed in 2003?
=====================
What do you have from Webroot? There is some appdata for 'Webroot'.
======================
Did you set these up?
Hosts: 10.6.2.204 crmprod.private.de crmprod
Hosts: 10.6.2.205 portalprod.private.de portalprod
Hosts: 10.6.2.64 sapbwserver.private.de sapbwserver
.
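The ComboFix logs above record the Windows Firewall policy as three registry-style sections: the profile itself ("EnableFirewall"= 0, expected while Symantec Endpoint Protection supplies the firewall), the AuthorizedApplications list, and GloballyOpenPorts (here 5985/TCP for Windows Remote Management, marked Disabled). Those exceptions are dormant while the third-party firewall is in charge, but they come straight back into effect if that product is removed, so they are worth reading before deciding which firewall to keep. The following is an added example, not code from the thread or from the ComboFix authors: a small parser that pulls these three sections out of a log and lists the review points. The sample log is constructed in the same shape as the one above; the 3389/TCP line is invented to show what an enabled exception looks like, and the "usual install paths" check is a heuristic of my own.

```python
r"""Pull the Windows Firewall policy out of a ComboFix log and summarise it.

ComboFix prints the policy as registry-style sections:
  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
  "EnableFirewall"= 0 (0x0)
  [...\AuthorizedApplications\List]   "<path with doubled backslashes>"=
  [...\GloballyOpenPorts\List]        "<port>:<proto>"= port:proto:scope:state:name
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the log above. The 3389 line is invented
# here to show an *enabled* exception; the real log has none.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\DKabcoms.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"3389:TCP"= 3389:TCP:*:Enabled:Remote Desktop
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
ENTRY_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')


@dataclass
class OpenPort:
    port: int
    proto: str
    scope: str          # '*' means any remote address
    enabled: bool
    description: str


@dataclass
class FirewallPolicy:
    enabled: Optional[bool] = None
    authorized_apps: List[str] = field(default_factory=list)
    open_ports: List[OpenPort] = field(default_factory=list)


def parse_sections(text: str):
    """Group '"key"= value' lines under the [section] header that precedes them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":      # ComboFix uses a lone '.' as a spacer
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2)))
    return sections


def parse_firewall_policy(text: str, profile: str = "standardprofile") -> FirewallPolicy:
    policy = FirewallPolicy()
    for name, entries in parse_sections(text).items():
        if "firewallpolicy\\" + profile not in name:
            continue
        if name.endswith(profile):
            for key, value in entries:
                if key.lower() == "enablefirewall":
                    policy.enabled = value.split()[0] != "0"
        elif name.endswith("authorizedapplications\\list"):
            # ComboFix doubles the backslashes inside quoted registry value names
            policy.authorized_apps = [k.replace("\\\\", "\\") for k, _ in entries]
        elif name.endswith("globallyopenports\\list"):
            for _, value in entries:
                port, proto, scope, state, desc = value.split(":", 4)
                policy.open_ports.append(
                    OpenPort(int(port), proto, scope, state.lower() == "enabled", desc))
    return policy


def findings(policy: FirewallPolicy) -> List[str]:
    """Review points in the order a log reader would raise them."""
    out = []
    if policy.enabled is False:
        out.append("EnableFirewall=0: Windows Firewall profile is off; expected with a "
                   "third-party firewall installed, otherwise a gap")
    for p in policy.open_ports:
        if p.enabled:
            out.append(f"globally open {p.port}/{p.proto} to {p.scope}: {p.description}")
    for app in policy.authorized_apps:   # heuristic: flag apps outside the usual install trees
        if not app.lower().startswith(("c:\\windows\\", "c:\\program files\\")):
            out.append(f"authorized application outside the usual install paths: {app}")
    return out


if __name__ == "__main__":
    for line in findings(parse_firewall_policy(SAMPLE_LOG)):
        print(line)
```

Run it against a saved ComboFix.txt by reading the file into `parse_firewall_policy`; a Disabled port entry such as the 5985/TCP one above produces no finding, which is the correct reading of that line.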
 
Hi Bobbye,

It’s starting to become apparent that you’re the genius I’ve been trying to track down :wave:

I can remove Microsoft Security Essentials in the Combofix header since you ran the uninstaller. I will also include any left-over entries in script through Combofix.

Yes, please :)

Since Symantec Endpoint Protection "Integrated antivirus, antispyware, firewall, and intrusion prevention as well as device control and application control" you should also uninstall the PC Tools Firewall.

Done :)

1. Advise remove Advanced System Care: none of the software maker sites or pages are considered safe per WOT.

Done :)

2. You are also running TweakNow PowerPack 2011 and TweakNow RegCleaner 2011. We don't recommend anyone using a registry cleaner.

TweakNow PowerPack uninstalled as requested, but I didn’t realise I was still running TweakNow RegCleaner – I thought I had uninstalled it previously, but obviously not!?!? Can you advise of the best way to remove please, as it doesn’t appear in the Add/Remove Programs List or Program Folder (I found a Folder In Application Data, so I deleted that as a starting point)?

3. Iolo is still running.

Again, I thought I had uninstalled it previously, but obviously not!?!? Can you advise of the best way to remove please, as it doesn’t appear in the Add/Remove Programs List or Program Folder (again, I found a Folder In Application Data, so I deleted that as a starting point)?

Are you still using the HP printer you installed in 2003?

Yes, it’s an old ‘all-in-one’ Printer Scanner and Copier – I’ll get something newer one day I’m sure :)

What do you have from Webroot> There is some appdata for 'Webroot.'

Again, I thought I had uninstalled it previously, but obviously not!?!? Can you advise of the best way to remove please, as it doesn’t appear in the Add/Remove Programs List or Program Folder (again, I found a Folder In Application Data that you noticed, so I deleted that as a starting point)?

Did you set these up?

Hosts: 10.6.2.204 crmprod.private.de crmprod
Hosts: 10.6.2.205 portalprod.private.de portalprod
Hosts: 10.6.2.64 sapbwserver.private.de sapbwserver

Yes, they're work-related IP addresses that I connect to via a Secure VPN – the content isn’t too sensitive though, just access to product information that I can pass on to customers.

Finally, not too sure if it was the right thing to do or not, but I downloaded from the link in your previous post a fresh copy of ComboFix and ran it again – I just thought providing you with an up-to-date log would give you a snapshot of the system after taking into account the above.

I also uninstalled it (Combofix /Uninstall from the cmd prompt) and turned back on System Restore etc.

Look forward to hearing from you again (at your convenience) ref. going through the last of the clean up process :)

Very best regards,
Virtual Madness.
 
As per the previous post, the latest ComboFix Log for your reference:

ComboFix 11-09-29.06 - virtual madness 29/09/2011 23:30:18.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.810 [GMT 1:00]
Running from: c:\documents and settings\virtual madness\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((( Files Created from 2011-08-28 to 2011-09-29 )))))))))))))))))))))))))))))))
.
.
2011-09-27 20:55 . 2011-09-27 21:31 -------- d-----w- c:\windows\SxsCaPendDel
2011-09-26 20:54 . 2011-09-26 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-09-26 20:40 . 2011-09-26 20:40 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Trusteer
2011-09-26 17:30 . 2011-06-22 18:05 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2011-09-26 17:29 . 2009-09-17 17:38 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2011-09-26 17:28 . 2011-09-26 17:28 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-09-26 17:28 . 2011-09-26 17:28 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-09-26 17:23 . 2011-09-26 17:28 -------- d-----w- c:\program files\Symantec
2011-09-26 16:03 . 2011-09-26 16:03 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-25 19:33 . 2011-09-25 19:33 -------- d-----w- c:\documents and settings\virtual madness\Application Data\SUPERAntiSpyware.com
2011-09-25 19:32 . 2011-09-25 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-09-25 18:11 . 2011-09-25 18:11 -------- d-----w- c:\windows\Sun
2011-09-25 18:10 . 2011-09-25 18:10 -------- d-----w- c:\program files\Common Files\Java
2011-09-25 18:09 . 2011-09-25 18:09 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-09-25 18:09 . 2011-09-25 18:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-25 18:09 . 2011-09-25 18:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-25 18:08 . 2011-09-25 18:08 -------- d-----w- c:\program files\Java
2011-09-25 18:00 . 2011-09-25 18:00 56336 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-09-21 23:21 . 2011-09-21 23:21 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\Norman Malware Cleaner
2011-09-20 21:06 . 2011-09-21 06:17 -------- d-----w- c:\windows\2Wire.0000
2011-09-17 21:38 . 2011-09-29 19:40 -------- d-----w- c:\documents and settings\virtual madness\Application Data\TweakNow PowerPack 2011
2011-09-17 20:13 . 2011-09-17 22:36 -------- d-----w- c:\documents and settings\virtual madness\Application Data\TweakNow RegCleaner 2011
2011-09-16 22:54 . 2011-09-16 22:54 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\Opera
2011-09-15 16:05 . 2011-09-15 16:10 -------- dc-h--w- c:\windows\ie8
2011-09-14 20:54 . 2011-09-14 20:54 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\WMTools Downloaded Files
2011-09-14 09:56 . 2011-09-14 09:56 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-09-11 23:19 . 2011-09-11 23:19 -------- d-----w- c:\program files\Trusteer
2011-09-08 14:35 . 2011-09-15 16:19 -------- d--h--w- c:\windows\msdownld.tmp
2011-09-07 19:34 . 2011-09-07 19:33 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-09-07 19:30 . 2011-09-07 19:35 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\Browser Guard
2011-09-07 13:34 . 2001-08-17 11:20 297728 -c--a-w- c:\windows\system32\dllcache\ac97sis.sys
2011-09-07 13:33 . 2001-08-17 13:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-09-07 10:26 . 2011-09-07 10:26 19416 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
2011-09-07 10:26 . 2011-09-07 10:26 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-09-07 10:26 . 2011-09-07 10:26 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-09-07 10:26 . 2011-09-07 10:26 125912 ----a-w- c:\program files\Mozilla Firefox\crashreporter.exe
2011-09-07 08:09 . 2011-09-07 08:09 -------- d-----w- c:\program files\MSXML 4.0
2011-09-06 18:52 . 2011-09-06 18:52 -------- d-----w- c:\documents and settings\virtual madness\Application Data\HP
2011-09-06 18:52 . 2011-09-06 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2011-09-06 18:51 . 2011-09-06 18:51 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\IsolatedStorage
2011-09-06 18:46 . 2011-09-06 18:46 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\HP
2011-09-06 18:09 . 2003-06-23 10:44 626960 ----a-r- c:\windows\system32\hpvaut32.dll
2011-09-06 18:09 . 2003-06-23 10:44 44544 ----a-r- c:\windows\system32\MSXML4a.dll
2011-09-06 18:09 . 2003-06-23 10:44 487424 ----a-r- c:\windows\system32\hpvcp70.dll
2011-09-06 18:09 . 2003-06-23 10:44 344064 ----a-r- c:\windows\system32\hpvcr70.dll
2011-09-06 18:08 . 2011-09-06 18:08 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2011-09-06 18:01 . 2011-09-06 18:01 -------- d-----w- c:\program files\Common Files\HP
2011-09-06 18:01 . 2004-10-08 01:16 35840 ----a-w- c:\windows\system32\drivers\AFS2K.SYS
2011-09-06 17:54 . 2011-09-06 18:09 -------- d-----w- c:\program files\HP
2011-09-06 17:52 . 2003-08-11 06:44 94208 ----a-r- c:\windows\system32\HPZipt12.dll
2011-09-06 17:52 . 2003-08-11 06:44 61699 ----a-r- c:\windows\system32\HPZinw12.exe
2011-09-06 17:52 . 2003-08-11 06:44 57344 ----a-r- c:\windows\system32\HPZisn12.dll
2011-09-06 17:52 . 2003-08-11 06:44 65795 ----a-r- c:\windows\system32\HPZipm12.exe
2011-09-06 17:52 . 2003-08-11 06:44 266296 ----a-r- c:\windows\system32\HPZidr12.dll
2011-09-06 17:52 . 2003-08-11 06:44 196608 ----a-r- c:\windows\system32\HPZipr12.dll
2011-09-06 17:52 . 2003-08-11 06:44 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2011-09-06 17:52 . 2003-08-11 06:44 51056 ----a-r- c:\windows\system32\drivers\hpzid412.sys
2011-09-06 17:50 . 2003-08-11 06:44 21488 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2011-09-06 17:50 . 2003-08-11 06:44 262144 ----a-r- c:\windows\system32\HPZc3212.dll
2011-09-06 17:50 . 2003-08-11 06:44 77824 ----a-r- c:\windows\system32\hpovst08.dll
2011-09-06 17:50 . 2003-08-11 06:44 565248 ----a-r- c:\windows\system32\hpotscl.dll
2011-09-06 17:50 . 2003-08-11 06:44 274432 ----a-r- c:\windows\system32\hpgwiamd.dll
2011-09-06 17:50 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-09-06 17:50 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-09-06 17:46 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-09-06 17:46 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-09-05 13:43 . 2011-09-07 10:26 785368 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-09-05 13:43 . 2011-09-07 10:26 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-09-05 13:43 . 2011-09-07 10:26 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-09-05 13:43 . 2011-09-07 10:26 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-09-05 13:43 . 2011-09-07 10:26 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-09-05 13:43 . 2011-09-07 10:26 1846232 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-08-31 22:36 . 2011-08-31 22:36 -------- d-----w- c:\windows\system32\config\systemprofile\PrivacIE
2011-08-31 22:33 . 2011-09-01 07:55 -------- d-----w- c:\program files\Microsoft Silverlight
2011-08-31 22:27 . 2011-09-01 07:55 -------- dc----w- c:\documents and settings\All Users\Application Data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-29 22:32 . 2011-08-19 19:03 29 ----a-w- c:\windows\system32\TempWmicBatchFile.bat
2011-09-27 00:03 . 2004-08-12 13:31 26112 ----a-w- c:\windows\system32\userinit.exe
2011-09-12 20:25 . 2011-07-28 07:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12 . 2004-08-12 13:18 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2004-08-12 13:22 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-12 13:24 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-09-07 10:26 . 2011-09-07 10:26 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Minimem"="c:\program files\Kerkia\Minimem\minimem.exe" [2011-01-09 95744]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-09-27 4611456]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-11-17 329096]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-08 115560]
"IE Privacy Keeper"="c:\program files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" [2005-12-03 1015808]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-7-7 233472]
VPN Client.lnk - c:\windows\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico [2011-7-29 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\DKabcoms.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 RapportCerberus_29574;RapportCerberus_29574;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_29574.sys [25/09/2011 19:01 216912]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [25/09/2011 19:00 70416]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 17:27 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 22:55 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [12/08/2011 00:38 116608]
R2 CronService;Cron Service for Prey;c:\prey\platform\windows\cronsvc.exe [15/02/2011 17:01 19968]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [28/07/2011 19:44 521786]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [25/09/2011 18:59 919352]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [28/07/2011 19:40 36188]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [26/09/2011 18:38 105592]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [14/07/2009 12:51 23888]
S3 dkab_device;dkab_device;c:\windows\system32\DKabcoms.exe -service --> c:\windows\system32\DKabcoms.exe -service [?]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [25/09/2011 19:00 56336]
S3 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [25/09/2011 19:00 161936]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [12/08/2004 14:30 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: {{D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - c:\program files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
TCP: DhcpNameServer = 192.168.178.254
DPF: {5033E708-9A94-4EF7-A50E-DF0F3A2E636F} - hxxp://crmprod.private.de:8001/sap/bc/bsp/sap/public/Calendar/BSP_SAPCalendar.CAB
FF - ProfilePath - c:\documents and settings\virtual madness\Application Data\Mozilla\Firefox\Profiles\ct56r620.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-29 23:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1916)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2376)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-09-29 23:39:34
ComboFix-quarantined-files.txt 2011-09-29 22:39
.
Pre-Run: 138,686,439,424 bytes free
Post-Run: 138,671,296,512 bytes free
.
- - End Of File - - AA0AB03A3B12FD3A867956A79CC0FEDA
 
Well you surely made my day with all those Smiley faces! Although I do not resemble a genius in any way, I do ask questions- we all have processes on the system either that we no longer use or didn't know we had. I will include script for removal of those 'leftovers':

By the way, all peripherals I've had have been from HP. I think I might have the same all in one HP you do- it's been the best workhorse for years! Plain and simple> print, scan and copy!
============================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
c:\windows\system32\TempWmicBatchFile.bat
c:\windows\system32\drivers\pctNdis.sys
c:\windows\system32\vsdatant.sys
DDS::
mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
uRun: [Advanced SystemCare 4] c:\program files\iobit\advanced systemcare 4\ASCTray.exe
mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
Folder::
c:\windows\msdownld.tmp
c:\documents and settings\virtual madness\Application Data\TweakNow RegCleaner 2011
c:\documents and settings\All Users\Application Data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}
c:\program files\TweakNow RegCleaner 2011
c:\program files\iolo
c:\documents and settings\virtual madness\application data\iolo
c:\documents and settings\all users\application data\iolo
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00PCTFW"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
SecCenter::
{BCF43643-A118-4432-AEDE-D861FCBCFCDF}
Driver::
pctNdis
vsdatant
FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Removes processes for:
TweakNow RegCleaner 2011
Webroot appdata: {7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}
PCTools Firewall
Zone Alarm
Iolo
Advanced System Care
Root Repeal
Microsoft Security Center
.
Check Add/Remove to make sure the above are gone.
Be sure to check program folders and delete any for the programs removed.
 
Hi Bobbye,

Thanks again for all your help with this and by the way, I agree, the old HP 'all-in-one' is a very good workhorse and it hasn't let me down yet :)

Okay, again I did as you asked, but this time, just when everything seemed to be going so well, I made a bit of an error!!! Hope it hasn't messed up all your good work???

I ran the CF Script as you suggested, but when copying and pasting, I forgot to change 'virtual madness' in the code you had written to my real name in a couple of the paths... Of course, it ran, but didn't do anything where 'virtual madness' was included in the script, as you would expect.

After it had finished, I saved the log as ComboFix Log 1 - see next post...

I ran it for a second time, this time being sure to change 'virtual madness' to my real name - it made some further changes, as I had hoped, then I saved the log as ComboFix Log 2 - see following posts.

Sorry for any inconvenience and confusion caused and I hope the script has still performed as you intended?

Pending your further instructions/advice after review, I have also just noticed that I still have references to the uninstalled Ad Aware and Root Repeal programs:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

AND

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

Shall I just leave them and/or ignore, or can you remove them for me as well?

Look forward to hearing from you as always.

Very best regards,
Virtual Madness :)
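The post above shows the classic CFScript failure mode: the helper wrote the forum handle 'virtual madness' where the real account name belongs under c:\documents and settings, ComboFix silently skipped those entries, and the script had to be run twice. The first log also records the file as CFScript.txt.txt, the usual result of saving from Notepad without choosing 'All Files'. As an added example (not from the thread and not a ComboFix tool), here is a pre-flight checker for such a script: it parses the Name:: sections, flags duplicate and malformed entries, rewrites the profile folder in File::/Folder:: paths, and checks the filename. The section names come from the script posted above and are not a complete list of what ComboFix accepts; the sample script is constructed to mirror that one, with an extra bogus section to show the unknown-section warning.

```python
"""Pre-flight checks for a ComboFix CFScript before it is dragged onto ComboFix.exe.

A CFScript is plain text: 'Name::' section headers, one entry per line below
each. ComboFix skips paths that do not exist without complaint, so a wrong
user-profile folder (forum handle instead of the real account name) means the
entry is simply never processed.
"""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Section names as used in the script posted above (assumed; ComboFix knows more).
KNOWN_SECTIONS = {"File", "DDS", "Folder", "Registry", "SecCenter", "Driver", "FCopy"}
PATH_SECTIONS = {"File", "Folder"}

PROFILE_RE = re.compile(r"^(c:\\documents and settings\\)([^\\]+)(\\.*)?$", re.IGNORECASE)
ABS_PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)

# Constructed sample modelled on the script above: 'virtual madness' stands in
# for the real account name, the repeated mRun line mirrors the original, and
# the Bogus:: section is added to exercise the unknown-section check.
SAMPLE_SCRIPT = r"""File::
c:\windows\system32\TempWmicBatchFile.bat
DDS::
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
Folder::
c:\windows\msdownld.tmp
c:\documents and settings\virtual madness\Application Data\TweakNow RegCleaner 2011
c:\documents and settings\All Users\Application Data\iolo
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00PCTFW"=-
Driver::
pctNdis
Bogus::
something
"""


def _is_header(line: str) -> bool:
    return line.endswith("::") and "\\" not in line and " " not in line


def parse_cfscript(text: str) -> Dict[str, List[Tuple[int, str]]]:
    """Map each section name to its (line number, entry) pairs."""
    sections: Dict[str, List[Tuple[int, str]]] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line:
            continue
        if _is_header(line):
            current = line[:-2]
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line {lineno}: entry before any section header")
        sections[current].append((lineno, line))
    return sections


def lint(text: str) -> List[str]:
    """Unknown sections, non-absolute paths in File::/Folder::, duplicate entries."""
    problems: List[str] = []
    seen = set()
    for name, entries in parse_cfscript(text).items():
        if name not in KNOWN_SECTIONS:
            problems.append(f"unknown section {name}::")
        for lineno, line in entries:
            if name in PATH_SECTIONS and not ABS_PATH_RE.match(line):
                problems.append(f"line {lineno}: {name}:: entry is not an absolute path: {line}")
            key = (name, line.lower())
            if key in seen:
                problems.append(f"line {lineno}: duplicate {name}:: entry: {line}")
            seen.add(key)
    return problems


def fix_profile_paths(text: str, placeholder: str, real_user: str) -> Tuple[str, List[int]]:
    """Replace the profile folder name in File::/Folder:: paths; return new text and changed lines."""
    out, changed, current = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if _is_header(line):
            current = line[:-2]
        elif current in PATH_SECTIONS:
            m = PROFILE_RE.match(line)
            if m and m.group(2).lower() == placeholder.lower():
                line = m.group(1) + real_user + (m.group(3) or "")
                changed.append(lineno)
        out.append(line)
    return "\n".join(out) + "\n", changed


def check_script_filename(path: str) -> Optional[str]:
    """Notepad appends .txt unless 'All Files' is chosen, giving CFScript.txt.txt."""
    base = ntpath.basename(path)
    if base.lower() != "cfscript.txt":
        return f"{base}: expected CFScript.txt (check 'Save as type' in Notepad)"
    return None


if __name__ == "__main__":
    for problem in lint(SAMPLE_SCRIPT):
        print("lint:", problem)
    fixed, lines = fix_profile_paths(SAMPLE_SCRIPT, "virtual madness", "alice")
    print("rewrote lines", lines)
    print(check_script_filename(r"c:\documents and settings\alice\Desktop\CFScript.txt.txt"))
```

The rewrite only touches the account-name component directly under c:\documents and settings, so 'All Users' and 'Default User' paths pass through untouched; verify the rewritten paths exist on the machine before running, since a path that still does not exist is skipped exactly as before.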
 
ComboFix Log 1:

ComboFix 11-10-01.03 - virtual madness 01/10/2011 20:26:28.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.809 [GMT 1:00]
Running from: c:\documents and settings\virtual madness\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\virtual madness\Desktop\CFScript.txt.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
FILE ::
"c:\windows\system32\drivers\pctNdis.sys"
"c:\windows\system32\TempWmicBatchFile.bat"
"c:\windows\system32\vsdatant.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}
c:\documents and settings\All Users\Application Data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}\{8B287B75-DF8D-40C8-9620-8E4492C38EF1}
c:\documents and settings\All Users\Application Data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}\instance.dat
c:\documents and settings\All Users\Application Data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}\mia.lib
c:\documents and settings\All Users\Application Data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}\OFFLINE\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}
c:\documents and settings\All Users\Application Data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}\WRInstall.dat
c:\documents and settings\All Users\Application Data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}\WRInstall.lan
c:\documents and settings\All Users\Application Data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}\WRInstall.par
c:\documents and settings\All Users\Application Data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}\WRInstall.res
c:\windows\msdownld.tmp
c:\windows\system32\TempWmicBatchFile.bat
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_VSDATANT
.
.
((((((((((((((((((((((((( Files Created from 2011-09-01 to 2011-10-01 )))))))))))))))))))))))))))))))
.
.
2011-09-27 20:55 . 2011-09-27 21:31 -------- d-----w- c:\windows\SxsCaPendDel
2011-09-26 20:54 . 2011-09-26 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-09-26 20:40 . 2011-09-26 20:40 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Trusteer
2011-09-26 17:30 . 2010-09-10 21:32 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2011-09-26 17:29 . 2009-09-17 17:38 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2011-09-26 17:28 . 2011-09-26 17:28 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-09-26 17:28 . 2011-09-26 17:28 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-09-26 17:23 . 2011-09-26 17:28 -------- d-----w- c:\program files\Symantec
2011-09-26 16:03 . 2011-09-26 16:03 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-25 19:33 . 2011-09-25 19:33 -------- d-----w- c:\documents and settings\virtual madness\Application Data\SUPERAntiSpyware.com
2011-09-25 19:32 . 2011-09-25 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-09-25 18:11 . 2011-09-25 18:11 -------- d-----w- c:\windows\Sun
2011-09-25 18:10 . 2011-09-25 18:10 -------- d-----w- c:\program files\Common Files\Java
2011-09-25 18:09 . 2011-09-25 18:09 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-09-25 18:09 . 2011-09-25 18:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-25 18:09 . 2011-09-25 18:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-25 18:08 . 2011-09-25 18:08 -------- d-----w- c:\program files\Java
2011-09-25 18:00 . 2011-09-25 18:00 56336 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-09-21 23:21 . 2011-09-21 23:21 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\Norman Malware Cleaner
2011-09-20 21:06 . 2011-09-21 06:17 -------- d-----w- c:\windows\2Wire.0000
2011-09-17 21:38 . 2011-09-29 19:40 -------- d-----w- c:\documents and settings\virtual madness\Application Data\TweakNow PowerPack 2011
2011-09-17 20:13 . 2011-09-17 22:36 -------- d-----w- c:\documents and settings\virtual madness\Application Data\TweakNow RegCleaner 2011
2011-09-16 22:54 . 2011-09-16 22:54 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\Opera
2011-09-15 16:05 . 2011-09-15 16:10 -------- dc-h--w- c:\windows\ie8
2011-09-14 20:54 . 2011-09-14 20:54 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\WMTools Downloaded Files
2011-09-14 09:56 . 2011-09-14 09:56 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-09-11 23:19 . 2011-09-11 23:19 -------- d-----w- c:\program files\Trusteer
2011-09-07 19:34 . 2011-09-07 19:33 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-09-07 19:30 . 2011-09-07 19:35 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\Browser Guard
2011-09-07 13:34 . 2001-08-17 11:20 297728 -c--a-w- c:\windows\system32\dllcache\ac97sis.sys
2011-09-07 13:33 . 2001-08-17 13:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-09-07 10:26 . 2011-09-29 07:09 19416 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
2011-09-07 10:26 . 2011-09-29 00:26 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-09-07 10:26 . 2011-09-29 07:09 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-09-07 10:26 . 2011-09-29 07:09 125912 ----a-w- c:\program files\Mozilla Firefox\crashreporter.exe
2011-09-07 08:09 . 2011-09-07 08:09 -------- d-----w- c:\program files\MSXML 4.0
2011-09-06 18:52 . 2011-09-06 18:52 -------- d-----w- c:\documents and settings\virtual madness\Application Data\HP
2011-09-06 18:52 . 2011-09-06 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2011-09-06 18:51 . 2011-09-06 18:51 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\IsolatedStorage
2011-09-06 18:46 . 2011-09-06 18:46 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\HP
2011-09-06 18:09 . 2003-06-23 10:44 626960 ----a-r- c:\windows\system32\hpvaut32.dll
2011-09-06 18:09 . 2003-06-23 10:44 44544 ----a-r- c:\windows\system32\MSXML4a.dll
2011-09-06 18:09 . 2003-06-23 10:44 487424 ----a-r- c:\windows\system32\hpvcp70.dll
2011-09-06 18:09 . 2003-06-23 10:44 344064 ----a-r- c:\windows\system32\hpvcr70.dll
2011-09-06 18:08 . 2011-09-06 18:08 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2011-09-06 18:01 . 2011-09-06 18:01 -------- d-----w- c:\program files\Common Files\HP
2011-09-06 18:01 . 2004-10-08 01:16 35840 ----a-w- c:\windows\system32\drivers\AFS2K.SYS
2011-09-06 17:54 . 2011-09-06 18:09 -------- d-----w- c:\program files\HP
2011-09-06 17:52 . 2003-08-11 06:44 94208 ----a-r- c:\windows\system32\HPZipt12.dll
2011-09-06 17:52 . 2003-08-11 06:44 61699 ----a-r- c:\windows\system32\HPZinw12.exe
2011-09-06 17:52 . 2003-08-11 06:44 57344 ----a-r- c:\windows\system32\HPZisn12.dll
2011-09-06 17:52 . 2003-08-11 06:44 65795 ----a-r- c:\windows\system32\HPZipm12.exe
2011-09-06 17:52 . 2003-08-11 06:44 266296 ----a-r- c:\windows\system32\HPZidr12.dll
2011-09-06 17:52 . 2003-08-11 06:44 196608 ----a-r- c:\windows\system32\HPZipr12.dll
2011-09-06 17:52 . 2003-08-11 06:44 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2011-09-06 17:52 . 2003-08-11 06:44 51056 ----a-r- c:\windows\system32\drivers\hpzid412.sys
2011-09-06 17:50 . 2003-08-11 06:44 21488 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2011-09-06 17:50 . 2003-08-11 06:44 262144 ----a-r- c:\windows\system32\HPZc3212.dll
2011-09-06 17:50 . 2003-08-11 06:44 77824 ----a-r- c:\windows\system32\hpovst08.dll
2011-09-06 17:50 . 2003-08-11 06:44 565248 ----a-r- c:\windows\system32\hpotscl.dll
2011-09-06 17:50 . 2003-08-11 06:44 274432 ----a-r- c:\windows\system32\hpgwiamd.dll
2011-09-06 17:50 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-09-06 17:50 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-09-06 17:46 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-09-06 17:46 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-09-05 13:43 . 2011-09-29 07:09 773080 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-09-05 13:43 . 2011-09-29 07:09 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-09-05 13:43 . 2011-09-29 07:09 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-09-05 13:43 . 2011-09-29 07:09 1833944 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-09-05 13:43 . 2011-09-29 07:09 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-09-05 13:43 . 2011-09-29 00:26 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-27 00:03 . 2004-08-12 13:31 26112 ----a-w- c:\windows\system32\userinit.exe
2011-09-12 20:25 . 2011-07-28 07:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12 . 2004-08-12 13:18 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2004-08-12 13:22 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-12 13:24 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-09-29 07:09 . 2011-09-07 10:26 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Minimem"="c:\program files\Kerkia\Minimem\minimem.exe" [2011-01-09 95744]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-09-27 4611456]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-11-17 329096]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-08 115560]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"IE Privacy Keeper"="c:\program files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" [2005-12-03 1015808]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-7-7 233472]
VPN Client.lnk - c:\windows\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico [2011-7-29 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\DKabcoms.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 RapportCerberus_29574;RapportCerberus_29574;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_29574.sys [25/09/2011 19:01 216912]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [25/09/2011 19:00 70416]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 17:27 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 22:55 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [12/08/2011 00:38 116608]
R2 CronService;Cron Service for Prey;c:\prey\platform\windows\cronsvc.exe [15/02/2011 17:01 19968]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [28/07/2011 19:44 521786]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [25/09/2011 18:59 919352]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [28/07/2011 19:40 36188]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [26/09/2011 18:38 105592]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [14/07/2009 12:51 23888]
S3 dkab_device;dkab_device;c:\windows\system32\DKabcoms.exe -service --> c:\windows\system32\DKabcoms.exe -service [?]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [25/09/2011 19:00 56336]
S3 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [25/09/2011 19:00 161936]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [12/08/2004 14:30 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: {{D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - c:\program files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
TCP: DhcpNameServer = 192.168.178.254
DPF: {5033E708-9A94-4EF7-A50E-DF0F3A2E636F} - hxxp://crmprod.private.de:8001/sap/bc/bsp/sap/public/Calendar/BSP_SAPCalendar.CAB
FF - ProfilePath - c:\documents and settings\virtual madness\Application Data\Mozilla\Firefox\Profiles\mmjzlu96.CashBack\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-01 20:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1928)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2580)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\Symantec\Symantec Endpoint Protection\DoScan.exe
c:\windows\system32\wscntfy.exe
c:\program files\Trusteer\Rapport\bin\RapportService.exe
c:\program files\Symantec\Symantec Endpoint Protection\SavUI.exe
.
**************************************************************************
.
Completion time: 2011-10-01 20:43:07 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-01 19:43
ComboFix2.txt 2011-09-29 22:55
.
Pre-Run: 138,733,740,032 bytes free
Post-Run: 138,649,792,512 bytes free
.
- - End Of File - - 867839407C6DE396ABB1005B99189EC9
 
ComboFix Log 2:

ComboFix 11-10-01.03 - virtual madness 01/10/2011 20:53:11.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.655 [GMT 1:00]
Running from: c:\documents and settings\virtual madness\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\virtual madness\Desktop\CFScript.txt.txt
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
FILE ::
"c:\windows\system32\drivers\pctNdis.sys"
"c:\windows\system32\TempWmicBatchFile.bat"
"c:\windows\system32\vsdatant.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\virtual madness\Application Data\TweakNow RegCleaner 2011
c:\documents and settings\virtual madness\Application Data\TweakNow RegCleaner 2011\Backup\DiskCleaner_17%a09%a2011_21%b21%b4.zip
c:\documents and settings\virtual madness\Application Data\TweakNow RegCleaner 2011\Backup\QuickOptimizer_17%a09%a2011_21%b17%b2.twn
c:\documents and settings\virtual madness\Application Data\TweakNow RegCleaner 2011\Backup\RegCleaner_17%a09%a2011_21%b16%b4.dat
c:\documents and settings\virtual madness\Application Data\TweakNow RegCleaner 2011\Backup\RegCleaner_17%a09%a2011_21%b28%b2.dat
c:\documents and settings\virtual madness\Application Data\TweakNow RegCleaner 2011\Backup\RegCleaner_17%a09%a2011_21%b55%b0.dat
c:\windows\system32\TempWmicBatchFile.bat
.
.
((((((((((((((((((((((((( Files Created from 2011-09-01 to 2011-10-01 )))))))))))))))))))))))))))))))
.
.
2011-09-27 20:55 . 2011-09-27 21:31 -------- d-----w- c:\windows\SxsCaPendDel
2011-09-26 20:54 . 2011-09-26 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-09-26 20:40 . 2011-09-26 20:40 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Trusteer
2011-09-26 17:30 . 2010-09-10 21:32 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2011-09-26 17:29 . 2009-09-17 17:38 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2011-09-26 17:28 . 2011-09-26 17:28 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-09-26 17:28 . 2011-09-26 17:28 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-09-26 17:23 . 2011-09-26 17:28 -------- d-----w- c:\program files\Symantec
2011-09-26 16:03 . 2011-09-26 16:03 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-25 19:33 . 2011-09-25 19:33 -------- d-----w- c:\documents and settings\virtual madness\Application Data\SUPERAntiSpyware.com
2011-09-25 19:32 . 2011-09-25 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-09-25 18:11 . 2011-09-25 18:11 -------- d-----w- c:\windows\Sun
2011-09-25 18:10 . 2011-09-25 18:10 -------- d-----w- c:\program files\Common Files\Java
2011-09-25 18:09 . 2011-09-25 18:09 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-09-25 18:09 . 2011-09-25 18:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-25 18:09 . 2011-09-25 18:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-25 18:08 . 2011-09-25 18:08 -------- d-----w- c:\program files\Java
2011-09-25 18:00 . 2011-09-25 18:00 56336 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-09-21 23:21 . 2011-09-21 23:21 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\Norman Malware Cleaner
2011-09-20 21:06 . 2011-09-21 06:17 -------- d-----w- c:\windows\2Wire.0000
2011-09-17 21:38 . 2011-09-29 19:40 -------- d-----w- c:\documents and settings\virtual madness\Application Data\TweakNow PowerPack 2011
2011-09-16 22:54 . 2011-09-16 22:54 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\Opera
2011-09-15 16:05 . 2011-09-15 16:10 -------- dc-h--w- c:\windows\ie8
2011-09-14 20:54 . 2011-09-14 20:54 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\WMTools Downloaded Files
2011-09-14 09:56 . 2011-09-14 09:56 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-09-11 23:19 . 2011-09-11 23:19 -------- d-----w- c:\program files\Trusteer
2011-09-07 19:34 . 2011-09-07 19:33 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-09-07 19:30 . 2011-09-07 19:35 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\Browser Guard
2011-09-07 13:34 . 2001-08-17 11:20 297728 -c--a-w- c:\windows\system32\dllcache\ac97sis.sys
2011-09-07 13:33 . 2001-08-17 13:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-09-07 10:26 . 2011-09-29 07:09 19416 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
2011-09-07 10:26 . 2011-09-29 00:26 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-09-07 10:26 . 2011-09-29 07:09 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-09-07 10:26 . 2011-09-29 07:09 125912 ----a-w- c:\program files\Mozilla Firefox\crashreporter.exe
2011-09-07 08:09 . 2011-09-07 08:09 -------- d-----w- c:\program files\MSXML 4.0
2011-09-06 18:52 . 2011-09-06 18:52 -------- d-----w- c:\documents and settings\virtual madness\Application Data\HP
2011-09-06 18:52 . 2011-09-06 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2011-09-06 18:51 . 2011-09-06 18:51 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\IsolatedStorage
2011-09-06 18:46 . 2011-09-06 18:46 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\HP
2011-09-06 18:09 . 2003-06-23 10:44 626960 ----a-r- c:\windows\system32\hpvaut32.dll
2011-09-06 18:09 . 2003-06-23 10:44 44544 ----a-r- c:\windows\system32\MSXML4a.dll
2011-09-06 18:09 . 2003-06-23 10:44 487424 ----a-r- c:\windows\system32\hpvcp70.dll
2011-09-06 18:09 . 2003-06-23 10:44 344064 ----a-r- c:\windows\system32\hpvcr70.dll
2011-09-06 18:08 . 2011-09-06 18:08 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2011-09-06 18:01 . 2011-09-06 18:01 -------- d-----w- c:\program files\Common Files\HP
2011-09-06 18:01 . 2004-10-08 01:16 35840 ----a-w- c:\windows\system32\drivers\AFS2K.SYS
2011-09-06 17:54 . 2011-09-06 18:09 -------- d-----w- c:\program files\HP
2011-09-06 17:52 . 2003-08-11 06:44 94208 ----a-r- c:\windows\system32\HPZipt12.dll
2011-09-06 17:52 . 2003-08-11 06:44 61699 ----a-r- c:\windows\system32\HPZinw12.exe
2011-09-06 17:52 . 2003-08-11 06:44 57344 ----a-r- c:\windows\system32\HPZisn12.dll
2011-09-06 17:52 . 2003-08-11 06:44 65795 ----a-r- c:\windows\system32\HPZipm12.exe
2011-09-06 17:52 . 2003-08-11 06:44 266296 ----a-r- c:\windows\system32\HPZidr12.dll
2011-09-06 17:52 . 2003-08-11 06:44 196608 ----a-r- c:\windows\system32\HPZipr12.dll
2011-09-06 17:52 . 2003-08-11 06:44 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2011-09-06 17:52 . 2003-08-11 06:44 51056 ----a-r- c:\windows\system32\drivers\hpzid412.sys
2011-09-06 17:50 . 2003-08-11 06:44 21488 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2011-09-06 17:50 . 2003-08-11 06:44 262144 ----a-r- c:\windows\system32\HPZc3212.dll
2011-09-06 17:50 . 2003-08-11 06:44 77824 ----a-r- c:\windows\system32\hpovst08.dll
2011-09-06 17:50 . 2003-08-11 06:44 565248 ----a-r- c:\windows\system32\hpotscl.dll
2011-09-06 17:50 . 2003-08-11 06:44 274432 ----a-r- c:\windows\system32\hpgwiamd.dll
2011-09-06 17:50 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-09-06 17:50 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-09-06 17:46 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-09-06 17:46 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-09-05 13:43 . 2011-09-29 07:09 773080 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-09-05 13:43 . 2011-09-29 07:09 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-09-05 13:43 . 2011-09-29 07:09 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-09-05 13:43 . 2011-09-29 07:09 1833944 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-09-05 13:43 . 2011-09-29 07:09 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-09-05 13:43 . 2011-09-29 00:26 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-27 00:03 . 2004-08-12 13:31 26112 ----a-w- c:\windows\system32\userinit.exe
2011-09-12 20:25 . 2011-07-28 07:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12 . 2004-08-12 13:18 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2004-08-12 13:22 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-12 13:24 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-09-29 07:09 . 2011-09-07 10:26 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-01_19.36.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-01 19:41 . 2011-10-01 19:41 16384 c:\windows\temp\Perflib_Perfdata_c90.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Minimem"="c:\program files\Kerkia\Minimem\minimem.exe" [2011-01-09 95744]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-09-27 4611456]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-11-17 329096]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-08 115560]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"IE Privacy Keeper"="c:\program files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" [2005-12-03 1015808]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-7-7 233472]
VPN Client.lnk - c:\windows\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico [2011-7-29 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\DKabcoms.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 RapportCerberus_29574;RapportCerberus_29574;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_29574.sys [25/09/2011 19:01 216912]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [25/09/2011 19:00 70416]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 17:27 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 22:55 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [12/08/2011 00:38 116608]
R2 CronService;Cron Service for Prey;c:\prey\platform\windows\cronsvc.exe [15/02/2011 17:01 19968]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [28/07/2011 19:44 521786]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [25/09/2011 18:59 919352]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [28/07/2011 19:40 36188]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [26/09/2011 18:38 105592]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [14/07/2009 12:51 23888]
S3 dkab_device;dkab_device;c:\windows\system32\DKabcoms.exe -service --> c:\windows\system32\DKabcoms.exe -service [?]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [25/09/2011 19:00 56336]
S3 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [25/09/2011 19:00 161936]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [12/08/2004 14:30 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: {{D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - c:\program files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
TCP: DhcpNameServer = 192.168.178.254
DPF: {5033E708-9A94-4EF7-A50E-DF0F3A2E636F} - hxxp://crmprod.private.de:8001/sap/bc/bsp/sap/public/Calendar/BSP_SAPCalendar.CAB
FF - ProfilePath - c:\documents and settings\virtual madness\Application Data\Mozilla\Firefox\Profiles\mmjzlu96.CashBack\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-01 21:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1928)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-10-01 21:03:34
ComboFix-quarantined-files.txt 2011-10-01 20:03
ComboFix2.txt 2011-10-01 19:43
ComboFix3.txt 2011-09-29 22:55
.
Pre-Run: 138,656,047,104 bytes free
Post-Run: 138,636,845,056 bytes free
.
- - End Of File - - C5EF05E8F2ED58C782B4BBE19403B4F7
 
Okay, I had the rootrepeal.sys registry entry in the first script:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

But I did not include AdAware:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

For that: Click on Start> Run> type in services.msc> enter> scroll to the:
Service Name: aawservice
Service Display Name: Ad-Aware 2007 Service
Double click to open> Set Startup type to Disable> Stop the Service.
========================================
Prevx is calling rootrepeal.sys a virus. It describes it as this:
File Behavior

ROOTREPEAL.SYS has been the subject of the following behavior:

* Created as a new Background Service on the machine
* Deleted as a process from disk
* Loaded and Executed as a System Driver File
* Created as a process on disk
However, it does modify this, saying:
It is possible that your PC could be infected. The file name ROOTREPEAL.SYS is used by both safe and unsafe programs.

I was surprised to see the entry as there were no other entries for it. Since it remained on the system, let's check it out for a virus:
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the posted image to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the [image: esetSmartInstallDesktopIcon.png] on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
    [image: esetonlinescannersettings_thumb.jpg]
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

Please post the entire log with heading resembling this:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=1

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
 
Hi Bobbeye,

Thanks again for your prompt reply.

I ran the ESET on-line scanner as you suggested - after a couple of hours of scanning this morning, it finally ended saying no threats were found, so of course, no log report was produced.

Prior to running the scan, I also followed your instructions with regards to stopping the Ad-Aware Service, but it didn't appear in the list??? FYI, I've posted below details of all of the services and their current state.

By the way, just before I post the list, I still have the following entries, which is strange, as there is no other reference to them anywhere else??? I didn't notice the 'IMF' one when posting the ComboFix Logs before (I obviously wasn't looking hard enough :)), and isn't the 'MsMpSvc' entry something to do with Microsoft's antimalware stuff (which again, I thought you and I had removed??).

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

Services:

Edit: Unneeded list of Services deleted by Bobbye

Looking forward to your expert advice :)

Very best regards,
Virtual Madness
 
Sorry, me again Bobbye...

I also neglected to mention in earlier posts, but over the last few weeks, whilst trying to self-diagnose (wish I had just posted here in the first place!!!), somewhere along the way, something else has changed with my login sequence. Before all this started, when I turned on my Laptop, it would start in the normal way stating 'Windows is starting up' etc - it would then prompt for my password in the normal way. Now (I'm not exactly sure when it started, but it was a while ago), it also goes through a process of showing different paths before getting to the password stage. I know the wording 'RPCSS is starting' is included. When logging off, a similar thing happens, but this time it will say something along the lines of 'Machine Policies' and 'Playing Log Off Sound' etc?

I'm guessing whilst installing different freeware and/or googling different 'fixes', I've activated a setting that shows what is happening behind the scenes, when normally, such info. is hidden at the Welcome/Login stage. It doesn't matter if it stays there/continues from here on in, it's just taking a little getting used to, that's all...

Cheers Bobbye.

Kindest regards,
Virtual Madness
 
You are getting way too involved for our purposes.

I listed your excess Security programs. I instructed you to remove the excess and get them down to the number I quoted. That was your job. I did remove excess entries when it appeared you had removed the program - that was my job.

This showed running in the DDS log:
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-8-18 2151640]
The Combofix log didn't have it and the header no longer showed it. You apparently decided to uninstall AdAware instead of just disabling the AdWatch Live AV.

I told you that I had not included AdAware in the script - it is a registry process - please be sure to use Windows Explorer> right click on Start> Explore> My Computer> Double click on Local Drive (C)> Programs> look for AdAware or Lavasoft folder and do a right click> Delete.

You can remove it here:
Custom CFScript

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . No log needed.
====================
and isn't the 'MsMpSvc' entry something to do with Microsoft's antimalware stuff (which again, I thought you and I had removed??).

This is not an issue. Microsoft Security Client\Antimalware was sent as an update as far as I know. It is not part of MSE- also as far as I know: http://support.microsoft.com/kb/2394433

You are taking log entries out of context. Just like pulling one sentence out of an article, it can be very misleading.

Your initial problem was closing ports. I have not heard anything about that so you must have resolved it.

This is IMF: IObit Malware Fighter
R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-7-28 820568]

When you were trying to fix the problem before you got here, did you run RootRepeal?
 
My apologies, I didn't mean to get so involved...it's just that I've spent so long trying to resolve the issue that I got completely wrapped up in your guidance - which seemed to be making such a difference (everything was getting so much faster and response times were so much better etc. etc.).

Don't worry about the odd left over entry and the weird logging on and off scenario - I can live with that now.

More importantly, I've just tried logging onto the website where I first noticed the issue - you'll be pleased to know everything seems to be cured - no more iexplore.exe hanging (for the first time in what seems like ages)!!!!!! I guess it was the multiple malware programs I had running and a combination of tweaks which led to a conflict that ultimately caused the original problem.

Anyway, it seems to be resolved now you've cleaned up my system, so I'm not going to take up any more of your time and let you get on and help others.

I'll run the last ComboFix script you've provided and leave it at that.

By the way, yes, I did run RootRepeal before visiting TechSpot - it was recommended by someone as a potential fix.

Thanks again, and sorry for dragging it on.
Virtual Madness
 
You're welcome! It's not that I minded helping you, but my main function in this forum is Virus and Malware removal. That is a time consuming activity. I try to give other tips as we go along if appropriate and I'm going to leave some for you.
--------------------------------
First, let's remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [image: CF_Uninstall-1.jpg]
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disc Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
====================================
As was discussed, too much of the same type of security can be a bad thing. Better is to use different types of security and work on the settings in the system:

Tips for added security and safer browsing: (Links are in Bold Blue)
  1. Browser Security
    [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
    [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
    [o] Replace the Host Files
    [o] Google Toolbar Pop Up Blocker
    I consider a Site Advisor to be one of the most important assets there are to a safe system.
    [o] Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show how the site rates for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
  2. Have layered Security:
    [o] Antivirus (only one): Previously discussed
    [o] Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
    [o] Comodo
    [o] Zone Alarm
  3. Antimalware: I recommend all of the following:
    [o] Spywareblaster: SpywareBlaster protects against bad ActiveX.
    [o] Spybot Search & Destroy
  4. Updates: Stay current:
    [o] Visit the Microsoft Download Site frequently. All updates marked Critical and the current SP updates.
    [o] Adobe Reader: Install current, uninstall old.
    [o] Java Updates: Install current, uninstall old.
  5. Tracking Cookies
    Reset Cookies:
    [o] For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    [o] For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List
    [o] For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
  6. Do regular Maintenance
    Clean the temporary internet files often:
    [o] Temporary File Cleaner
    or
    [o] ATF Cleaner by Atribune
  7. Restore Points:
    [o] See System Restore Guide
  8. Safe Email Handling
    [o] Don't open email from anyone you don't know.
    [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
    [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
Please let me know if you find any bad link.
================================
And a word of caution regarding this:
I did run RootRepeal before visiting TechSpot - it was recommended by someone as a potential fix.
Programs of this nature should only be run if appropriate for the particular malware and then only with the directions of a helper. This is the one time you don't want to listen to friends!
 
Hi Bobbye,

Thanks again for all of your help - I carried out the final stages that you've mentioned above (running OldTimer etc). Everything seems to be in order now and running like new.

As I mentioned before, I still have the bizarre start up routine after pressing the Power Button (Blue Screen with 'Windows is starting up' etc. with 'RPCSS is starting...' underneath (in white letters) along with a few other lines of text that flash by quickly). The Logging off sequence, as mentioned before, is still weird as well, showing the words 'Playing Log Off Sound' etc, again in white letters. Oh well, unless you can point me in the right direction within the forum (and I don't expect you to, you've done more than enough), I guess I'll find someone who will have some idea of what it's all about in the end - but it's something that can be lived with if all else fails :)

Oh yes, and finally, no matter how many times I run the CFScripts you gave me, or manually delete the entries within the registry, the following lines still keep coming back from somewhere after a reboot (despite the programs or any potential 'leftover components' not showing up anywhere else in the root directory!?!):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys

But hey, so what, things are 100 times better than they were :)

Cheers Bobbye!
 
Thread got away from me- sorry.

Try this: Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
--------------------
Now rerun the script as follows:
Custom CFScript

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
Registry::
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
====================
Make sure the program folders for AdAware, Iobit Malware Fighter and RootRepeal are removed.
=====================
Boot back into Normal Mode.
=====================
For the other logoff problem: Note the time on the computer clock as you log off:
First, logoff to force the problem. Then do the following:

Please download VEW and save it to your Desktop:

Setting up the program

Double-click VEW.exe to run.

  • Under 'Select log to query', select:
    [o] Application
    [o] System
  • Under 'Select type to list', select:
    [o] Critical (Vista only)
    [o] Error
  • Click the radio button for Number of events
  • Type 20 in the 1 to 20 box
  • Then click the Run button.
  • Notepad will open with the output log.
  • Load the log:
    [o] In Notepad, click Edit> Select all
    [o] Then press Edit > Copy
    [o] Press Ctrl+V on your keyboard to paste the log to your next reply.

(Courtesy rev-Olie)

Please tell me what the log off time was and I'll try to see if I can find a corresponding error. This is out of the malware realm and depending on what I see, I may refer you to a more appropriate forum to troubleshoot it.
 
Hi Bobbye,

Okay, I did as you suggested ref. running the latest CFScript you provided (in Safemode) - no change, the entries are still there:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys

As a further test, I ran a search in Reg Edit and found similar entries in the following locations:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\IMFservice
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\rootrepeal.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\IMFservice
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\rootrepeal.sys

There are no other entries anywhere else in the Registry Keys and no left over folders in Program Files or Application Data etc. etc.

It's weird, because as a further test of my own (after running your CFScript), I decided to manually delete all of the above entries - after a reboot, they all appeared again in exactly the same place...very strange...

Oh well, I can live with it, they obviously don't want to be removed and you've made a big difference to the performance of my Laptop anyway - as well as sorting out those stubborn open internet ports that were refusing to close before you got involved!

Finally, I got to the bottom of the logging on/logging off scenario myself just before you had the chance to reply - it turns out whilst trying to sort out the open internet ports problem before approaching you guys initially, I had downloaded and installed a freeware package called 'tweaking.com_simple_performance_boost_setup'. It had a check box named 'show start up information'...To resolve the issue, I re-installed the package - but this time I un-checked the box, ran it, then completely uninstalled it from my Laptop - problem sorted at last!

Thanks again for all of your help Bobbye - if you want to go ahead and close this thread now, by all means do so. If there is anything else you do want or need to add though, again by all means do.

Very best regards,
Virtual Madness
 
If you notice, the 3 entries are in the CONTROLSETS: I found information on these here: http://support.microsoft.com/kb/302829/ko

About #11 starts the pertinent information:
Under normal circumstances, CONTROLSET001 and CONTROLSET002 are displayed. The Select key normally indicates that CONTROLSET001 is the Current and Default value. CONTROLSET002 is usually the LastKnownGood value. The Failed value often has a value of 0. For additional information about using the Select key and ControlSets, click the article number below to view the article in the Microsoft Knowledge Base:
102984 (http://support.microsoft.com/kb/102984/EN-US/ ) REG: ControlSet\Select Subkey Entries

If you decide to attempt any of the suggestions, always remember to back up the Registry before making any changes:
========================================
I'm glad we were able to handle the other problems: Go through the removal steps for the cleaning tools. And here are some tips for you:

Tips for added security and safer browsing: (Links are in Bold Blue)
  1. Browser Security
    [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
    [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
    [o] Replace the Host Files
    [o] Google Toolbar Pop Up Blocker
    [o] Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show how the site rates for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
  2. Have layered Security:
    [o] Antivirus (only one): Both of the following programs are free and known to be good:
    [o] Avira-AntiVir-Personal-Free-Antivirus
    [o] Avast-Free Antivirus
    [o] Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
    [o] Comodo
    [o] Zone Alarm
  3. Antimalware: I recommend all of the following:
    [o] Spywareblaster: SpywareBlaster protects against bad ActiveX.
    [o] Spybot Search & Destroy
  4. Updates: Stay current:
    [o] Visit the Microsoft Download Site frequently. All updates marked Critical and the current SP updates.
    [o] Adobe Reader: Install current, uninstall old.
    [o] Java Updates: Install current, uninstall old.
  5. Tracking Cookies
    Reset Cookies:
    [o] For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    [o] For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List
    [o] For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
  6. Do regular Maintenance
    Clean the temporary internet files often:
    [o] Temporary File Cleaner
    or
    [o] ATF Cleaner by Atribune
  7. Restore Points:
    [o] See System Restore Guide
  8. Safe Email Handling
    [o] Don't open email from anyone you don't know.
    [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
    [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
Please let me know if you find any bad link.
==========================================
You ask about how you got infected: An excerpt from Tony Klein's guide:

So how did I get infected in the first place? You usually get infected due to one of these issues:
1. Your security settings are too low.
2. Your security programs are not regularly updated.
3. You don't have a full set of security programs installed and running in resident mode.
4. You visit dangerous sites or open attachments without checking them first.
http://www.spywareinfoforum.com/index.php?showtopic=60955

Another approach: 14 ways to get Infected without trying

A little bit of humour but also based on fact.

1) Look for cracks, subdivided in illegal software and .....

2) Practice unsafe hex, browse the web for free pOrn

3) Look for software that adds smileys to your posts, mail etc

4) Look for kewl skins, screensavers etc

5) Look for spyware removers, concentrate on the kind that makes you pay before it removes anything

6) Install a P2P program and repeat all of the above

7) You always want the best; use p2p to download anti-virus/firewall software.

8) Do NOT pay for anything, the internet is a place where you can steal anything from everyone without even saying as much as thank you

9) Don't have/use/update antivirus/security software

10) Look for pokergames, slotmachines and other gambling outfits

11) Look for ringtones and other stuff to bling your phone

12) Click on those unexpected links and attachments in email, because you're curious...

13) Do loan your laptop to the next door neighbour for the weekend and give him your Admin account login so he can get his project done with no hassles

14) Let the Babysitter use your laptop for 'schoolwork' :

Thanks to Metallica for most of those and CalamityJane, bitman, Lonny, shelf life.
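A way to see, from a registry export, which ControlSet00N the CurrentControlSet alias resolves to (via the Select values the KB excerpt above describes) and which SafeBoot\Minimal entries across all control sets no longer have a matching Services key, as an added example; this script is not from the thread or from ComboFix. The export embedded below is constructed for the example; on a real machine the input would come from `reg export HKLM\SYSTEM system.reg`, and the service-name matching (entry name, or driver file name without `.sys`) is a heuristic.

```python
# Added example for this thread, not a tool from it: resolve which ControlSet00N
# the CurrentControlSet alias points at (HKLM\SYSTEM\Select) and flag
# SafeBoot\Minimal entries that no longer have a Services key in that set.
import re

# Constructed regedit export (not a real machine's); mirrors the thread's keys.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000001
"Default"=dword:00000001
"Failed"=dword:00000000
"LastKnownGood"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VgaSave]
"ImagePath"="\\SystemRoot\\System32\\drivers\\vga.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\IMFservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""
"""

VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
SAFEBOOT_RE = re.compile(r'^HKEY_LOCAL_MACHINE\\SYSTEM\\(ControlSet\d{3})'
                         r'\\Control\\SafeBoot\\Minimal\\([^\\]+)$', re.I)

def _decode(raw):
    """Decode the two .reg value forms used here: dword:XXXXXXXX and "str"."""
    raw = raw.strip()
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw  # hex(...) blobs etc. are left undecoded

def parse_reg(text):
    """Return {key_path: {value_name: value}}; '' names the (Default) value."""
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith('[') and line.endswith(']'):
            cur = line[1:-1]
            keys.setdefault(cur, {})
        elif cur is not None and VAL_RE.match(line):
            name, raw = VAL_RE.match(line).groups()
            keys[cur]['' if name == '@' else name[1:-1]] = _decode(raw)
    return keys

def _lookup(keys, path):
    """Key names are case-insensitive, so compare lowercased; None if absent."""
    return next((v for k, v in keys.items() if k.lower() == path.lower()), None)

def read_select(keys):
    """Select's Current/Default/LastKnownGood -> 'ControlSet00N' (0 = none)."""
    sel = _lookup(keys, r'HKEY_LOCAL_MACHINE\SYSTEM\Select') or {}
    return {r: 'ControlSet%03d' % n for r, n in sel.items() if isinstance(n, int) and n}

def service_exists(keys, cs, entry):
    """Heuristic: a service name, or a driver file whose Services key drops .sys."""
    base = entry[:-4] if entry.lower().endswith('.sys') else entry
    return any(_lookup(keys, r'HKEY_LOCAL_MACHINE\SYSTEM\%s\Services\%s'
                       % (cs, c)) is not None for c in (entry, base))

def audit_safeboot(text):
    """Per control set: SafeBoot\\Minimal entries, service status, Select roles."""
    keys, report = parse_reg(text), {}
    roles = read_select(keys)
    for path in keys:
        m = SAFEBOOT_RE.match(path)
        if m:
            cs, entry = 'ControlSet' + m.group(1)[-3:], m.group(2)
            report.setdefault(cs, []).append({
                'entry': entry, 'service_present': service_exists(keys, cs, entry),
                'roles': sorted(r for r, s in roles.items() if s == cs)})
    return report

def orphans(text):
    """Sorted (control set, entry) pairs whose service is gone."""
    return sorted((cs, e['entry']) for cs, ents in audit_safeboot(text).items()
                  for e in ents if not e['service_present'])

if __name__ == '__main__':
    for cs, entry in orphans(SAMPLE_REG):
        print('%s: SafeBoot\\Minimal\\%s has no Services key' % (cs, entry))
```

Because CurrentControlSet is only a link to the set named by Select\Current, an entry that the report shows in both the Current and the LastKnownGood sets is untouched in the second set by anything done through the alias.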
 