TechSpot

Can't kill multiple open Internet ports

By Virtual Madness
Sep 21, 2011
  1. Hi guys,

    I’m new to the Forum, so please be gentle.

    Okay, I’m hoping the Techie genius of all time ends up reading this to help me out with a mind-boggling problem. I’m not a novice, but I’m not an expert either when it comes to Hardware/Software and the nuts and bolts of it all, but I can find my way around okay, at least I thought I could.

    A few months ago, my hard disk failed in my laptop (it was about 10 years old!), so I used dd rescue (via a Linux Live CD) to recover as much as possible to an external hard drive (my normal back-up method was about 2 weeks out of date, annoyingly, so I needed to recover documents etc.).

    I bought a new hard disk and re-installed everything (Windows XP SP3 and other programs relevant to my everyday needs), along with customization of settings etc. Everything was hunky dory and back to normal for a while, but then, after visiting a well known ‘Cash Back’ website on a particular occasion, I noticed that iexplore.exe ‘hung’ in Task Manager. I could visit other websites, such as a well-known auction site amongst others, and wouldn’t see the problem i.e. after closing the browser (IE8 in this instance), iexplore.exe would end as you would expect.

    Initially thinking it was a virus, spyware or malware etc., I ran just about every scan I could find (using commercial, freeware and even on-line scan packages), but couldn’t find a single thing/infection. I then tried using the Mozilla Firefox and Opera browsers, just to see how they would react. Exactly the same problem/outcome, i.e. okay with a majority of websites, but not when visiting the cash back website where I first noticed the problem (it’s started happening with other websites I’m visiting now).

    Process Explorer, Task Kill, UVK and even the Windows cmd prompt cannot kill the ‘hanging’ .exe file – it’s a reboot situation to clear it. I’ve re-set and re-installed IE8, ran ComboFix, HJT and loads more, but just can’t find the problem. Emsisoft’s ASquared also confirms weird behaviour with the open ports, i.e. before visiting the websites that cause the problem, the open ports are as you would expect – when I visit one of the websites that cause the issue, many (sometimes 20+) instances of iexplore.exe ports will open; cmd prompt ‘netstat -a’ doesn’t show anything out of the ordinary either. Oh, by the way, when I submit the results on-line to Emsisoft ASquared, it comes back with results confirming that malicious programs use a certain port that I seem to have open, but the malicious type and port that’s open changes every single time I submit a scan – it’s completely random.

    After many, many nights of head scratching, I’m simply lost with this one – yes, I’ve disabled all add-ons (regardless of browser type) and tried to browse with the bare bones (in IE8, Mozilla Firefox and Opera), but the same problem occurs - the browser will hang and nothing will kill it except for a reboot.

    Oh and last night as a last ditch attempt, I reset and even went on to flash the firmware of the BT Business Broadband 2wire 2700HGV Hub – no change, the problem continues in the same manner as before.

    Sorry for the long-winded post, but it’s a bit of background info for the genius I’m hoping will ultimately end up resolving this for me - if he’s out there listening?

    Many thanks in advance,
    Virtual Madness.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Dear Virtual Madness, I will gently Welcome you to TechSpot!

    I don't know that you've chosen the best forum for your problem. So I will give you a choice:

    #1. If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    A condition to #1: you must remove all those programs you ran trying to fix the problem, even if some of them are included in the above. Then you will download the scans in the steps and we'll start there. A program I would most likely use following the above will show open ports, and they can be closed through that program.

    or #2: I can have this thread moved to a more appropriate forum in TechSpot.

    It is your choice. Let me know.
    ===================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
     
  3. Virtual Madness

    Virtual Madness TS Rookie Topic Starter Posts: 16

    Logs as requested:

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 7796

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    25/09/2011 15:47:53
    mbam-log-2011-09-25 (15-47-53).txt

    Scan type: Quick scan
    Objects scanned: 161751
    Time elapsed: 12 minute(s), 49 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  4. Virtual Madness

    Virtual Madness TS Rookie Topic Starter Posts: 16

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-09-25 16:21:12
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 SAMSUNG_HM160HC rev.LQ100-10
    Running: g74ixvmi.exe; Driver: C:\DOCUME~1\VIRTUAL MADNESS~1\LOCALS~1\Temp\pwdoqkoc.sys


    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip UrlFilter.sys (URL Filter/IObit.com)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp UrlFilter.sys (URL Filter/IObit.com)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp UrlFilter.sys (URL Filter/IObit.com)
    AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
    AttachedDevice \Driver\Tcpip \Device\RawIp UrlFilter.sys (URL Filter/IObit.com)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    ---- EOF - GMER 1.0.15 ----
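An added example, not posted by anyone in this thread, showing one way to read the GMER output above: it parses the AttachedDevice lines (sample constructed from the log, in GMER's own format) and groups filter drivers by the device object they attach to, so that several vendors' network filters stacked on the same TCP/IP device object show up at a glance. Function and class names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the AttachedDevice lines from the GMER log
# above, in GMER's own output format.
SAMPLE_GMER = r"""
---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip UrlFilter.sys (URL Filter/IObit.com)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp UrlFilter.sys (URL Filter/IObit.com)
AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\RawIp UrlFilter.sys (URL Filter/IObit.com)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----
"""

# AttachedDevice <driver object> <device object> <filter file> (<description>/<vendor>)
ATTACHED_RE = re.compile(
    r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)\s+\(([^)]*)\)$"
)


@dataclass(frozen=True)
class AttachedFilter:
    driver_object: str  # e.g. \Driver\Tcpip
    device_object: str  # e.g. \Device\Tcp
    filter_file: str    # e.g. SYMTDI.SYS
    description: str
    vendor: str


def parse_attached_devices(text):
    """Return one AttachedFilter per AttachedDevice line, in log order."""
    filters = []
    for raw in text.splitlines():
        m = ATTACHED_RE.match(raw.strip())
        if not m:
            continue  # Device lines, headers and blanks are not filters
        drv, dev, filt, info = m.groups()
        # GMER prints "<description>/<vendor>"; the vendor follows the last slash.
        desc, _, vendor = info.rpartition("/")
        filters.append(AttachedFilter(drv, dev, filt, desc.strip(), vendor.strip()))
    return filters


def filter_stack(filters):
    """Map each device object to the filter drivers attached to it, in log order."""
    stack = defaultdict(list)
    for f in filters:
        stack[f.device_object].append(f)
    return dict(stack)


def vendors_per_device(filters):
    """Map each device object to the sorted list of distinct vendors filtering it."""
    return {dev: sorted({f.vendor for f in fs})
            for dev, fs in filter_stack(filters).items()}


def stacked_network_filters(filters, min_vendors=2):
    """Device objects owned by the Tcpip driver that carry filters from at least
    `min_vendors` different vendors, i.e. several products hooking the same
    point in the network stack."""
    result = {}
    for dev, fs in filter_stack(filters).items():
        if fs[0].driver_object.lower() != r"\driver\tcpip":
            continue
        vendors = sorted({f.vendor for f in fs})
        if len(vendors) >= min_vendors:
            result[dev] = vendors
    return result


if __name__ == "__main__":
    parsed = parse_attached_devices(SAMPLE_GMER)
    for dev, fs in filter_stack(parsed).items():
        print(dev)
        for f in fs:
            print(f"    {f.filter_file:<14} {f.vendor}")
    print("Tcpip device objects filtered by several vendors:")
    for dev, vendors in stacked_network_filters(parsed).items():
        print(f"    {dev}: {', '.join(vendors)}")
```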
     
  5. Virtual Madness

    Virtual Madness TS Rookie Topic Starter Posts: 16

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Virtual Madness at 16:39:43 on 2011-09-25
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.687 [GMT 1:00]
    .
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: PC Tools Firewall Plus *Enabled*
    FW: Symantec Endpoint Protection *Disabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    C:\WINDOWS\system32\svchost.exe -k rpcss
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Prey\platform\windows\cronsvc.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\PC Tools Firewall Plus\FWService.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
    C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
    C:\Program Files\Kerkia\Minimem\minimem.exe
    C:\Program Files\IObit\Advanced SystemCare 4\Suo10_SmartRAM.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Program Files\IObit\Advanced SystemCare 4\ASC.exe
    C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe
    C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
    C:\Program Files\IObit\IObit Malware Fighter\IMF.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Trend Micro\Browser Guard\BGUI.exe
    C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
    C:\Program Files\Trend Micro\Browser Guard\tmiegsrv.exe
    C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.co.uk/
    uWindow Title = Internet Explorer
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: TMIEGBHO Class: {f1ad4a42-ba52-47bc-89df-3f68f24c017f} - c:\program files\trend micro\browser guard\TMAMS.dll
    TB: TMBGBAR TOOLBAR: {c8137a8d-415d-450c-a1b1-d0c519d45296} - c:\program files\trend micro\browser guard\tmieg.dll
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [Advanced SystemCare 4] c:\program files\iobit\advanced systemcare 4\ASCTray.exe
    uRun: [Minimem] c:\program files\kerkia\minimem\minimem.exe
    uRun: [SmartRAM] "c:\program files\iobit\advanced systemcare 4\Suo10_SmartRAM.exe" /m
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [CleanMem Mini Monitor] c:\program files\cleanmem\Mini_Monitor.exe /startup
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
    mRun: [IObit Malware Fighter] "c:\program files\iobit\iobit malware fighter\IMF.exe" /autostart
    mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [Trend Micro RUBotted V2.0 Beta] c:\program files\trend micro\rubotted\RUBottedGUI.exe
    mRun: [Trend Micro Browser Guard] "c:\program files\trend micro\browser guard\BGUI.EXE"
    mRun: [IE Privacy Keeper] "c:\program files\unh solutions\ie privacy keeper\IEPrivacyKeeper.exe" -startup
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{b0bf7057-6869-4e4b-920c-ea2a58da07f0}\Icon3E5562ED7.ico
    uPolicies-explorer: NoResolveTrack = 1 (0x1)
    mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
    IE: {D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - c:\program files\unh solutions\ie privacy keeper\IEPrivacyKeeper.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
    DPF: {5033E708-9A94-4EF7-A50E-DF0F3A2E636F} - hxxp://crmprod.private.de:8001/sap/bc/bsp/sap/public/Calendar/BSP_SAPCalendar.CAB
    DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
    DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com
    Hosts: 10.6.2.204 crmprod.private.de crmprod
    Hosts: 10.6.2.205 portalprod.private.de portalprod
    Hosts: 10.6.2.64 sapbwserver.private.de sapbwserver
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\virtual madness\application data\mozilla\firefox\profiles\ct56r620.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-9-14 64512]
    R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-8-23 56336]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
    R1 MpKslaa6e473e;MpKslaa6e473e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{966147f1-75d1-41d9-ae12-a2299c8ca246}\mpkslaa6e473e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{966147f1-75d1-41d9-ae12-a2299c8ca246}\MpKslaa6e473e.sys [?]
    R1 MpKslb954000d;MpKslb954000d;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{541eb5eb-27ad-4694-99f3-d21af5015fbd}\MpKslb954000d.sys [2011-9-25 28752]
    R1 MpKsld19c13e2;MpKsld19c13e2;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{541eb5eb-27ad-4694-99f3-d21af5015fbd}\MpKsld19c13e2.sys [2011-9-25 28752]
    R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2011-8-5 251560]
    R1 RapportCerberus_29574;RapportCerberus_29574;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_29574.sys [2011-8-23 216912]
    R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-8-23 70416]
    R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-8-23 161936]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
    R2 CronService;Cron Service for Prey;c:\prey\platform\windows\cronsvc.exe [2011-2-15 19968]
    R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [2011-7-28 521786]
    R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-7-28 820568]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-8-18 2151640]
    R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
    R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2011-8-5 160576]
    R2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2011-8-5 286000]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-8-23 919352]
    R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-9-17 2477304]
    R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [2011-7-28 36188]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-9-9 105592]
    R3 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\FileMonitor.sys [2011-7-28 239600]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110924.007\NAVENG.SYS [2011-9-25 86136]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110924.007\NAVEX15.SYS [2011-9-25 1576312]
    R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2011-8-5 89472]
    R3 pctNdisMP;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [2011-8-5 57536]
    R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2011-8-5 125248]
    R3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\RegFilter.sys [2011-7-28 30368]
    R3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\UrlFilter.sys [2011-7-28 16080]
    S1 MpKsl281501be;MpKsl281501be;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7c32d5c0-8dd1-469a-ba80-53f6d3d172ed}\mpksl281501be.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7c32d5c0-8dd1-469a-ba80-53f6d3d172ed}\MpKsl281501be.sys [?]
    S1 MpKsl39e47489;MpKsl39e47489;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b0c6aa3a-d905-4a8d-a1df-ca06be3f46c3}\mpksl39e47489.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b0c6aa3a-d905-4a8d-a1df-ca06be3f46c3}\MpKsl39e47489.sys [?]
    S1 MpKsl452da61e;MpKsl452da61e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{edd040be-b104-47d1-87db-9baf04b68a0b}\mpksl452da61e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{edd040be-b104-47d1-87db-9baf04b68a0b}\MpKsl452da61e.sys [?]
    S2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-7-28 328536]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\RUBotSrv.exe [2011-9-7 439632]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-14 23888]
    S3 dkab_device;dkab_device;c:\windows\system32\dkabcoms.exe -service --> c:\windows\system32\DKabcoms.exe -service [?]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-8-18 15232]
    S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
    S3 pctNdis;PC Tools Firewall Intermediate Filter Service;c:\windows\system32\drivers\pctNdis.sys [2011-8-5 57536]
    S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-12 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-09-25 15:17:59 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{541eb5eb-27ad-4694-99f3-d21af5015fbd}\MpKsld19c13e2.sys
    2011-09-25 14:33:24 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-09-25 14:33:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-09-25 10:18:00 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{541eb5eb-27ad-4694-99f3-d21af5015fbd}\MpKslb954000d.sys
    2011-09-25 10:15:28 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{541eb5eb-27ad-4694-99f3-d21af5015fbd}\offreg.dll
    2011-09-25 10:14:54 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{541eb5eb-27ad-4694-99f3-d21af5015fbd}\mpengine.dll
    2011-09-21 23:21:43 -------- d-----w- c:\documents and settings\virtual madness\local settings\application data\Norman Malware Cleaner
    2011-09-21 22:46:50 -------- d-----w- c:\program files\Active Ports
    2011-09-21 22:18:50 -------- d-----w- c:\documents and settings\all users\application data\Tweaking.com
    2011-09-21 22:18:32 -------- d-----w- c:\program files\Tweaking.com
    2011-09-21 06:18:20 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-09-21 06:18:20 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-09-20 21:45:49 -------- d-----w- C:\MGtools
    2011-09-20 21:06:04 -------- d-----w- c:\windows\2Wire.0000
    2011-09-17 21:38:12 -------- d-----w- c:\program files\TweakNow PowerPack 2011
    2011-09-17 21:38:12 -------- d-----w- c:\documents and settings\virtual madness\application data\TweakNow PowerPack 2011
    2011-09-17 20:13:04 -------- d-----w- c:\program files\TweakNow RegCleaner 2011
    2011-09-17 20:13:04 -------- d-----w- c:\documents and settings\virtual madness\application data\TweakNow RegCleaner 2011
    2011-09-16 22:54:51 -------- d-----w- c:\documents and settings\virtual madness\local settings\application data\Opera
    2011-09-15 16:05:37 -------- dc-h--w- c:\windows\ie8
    2011-09-14 20:54:38 -------- d-----w- c:\documents and settings\virtual madness\local settings\application data\WMTools Downloaded Files
    2011-09-14 17:43:15 -------- d-----w- c:\program files\iolo
    2011-09-14 17:43:15 -------- d-----w- c:\documents and settings\virtual madness\application data\iolo
    2011-09-14 17:43:15 -------- d-----w- c:\documents and settings\all users\application data\iolo
    2011-09-14 11:49:49 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-09-14 09:56:16 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-09-14 09:50:09 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2011-09-14 09:49:47 -------- d-----w- c:\program files\Lavasoft
    2011-09-13 22:20:38 -------- d-----w- c:\windows\CleanMem
    2011-09-13 22:20:38 -------- d-----w- c:\program files\CleanMem
    2011-09-11 23:19:55 -------- d-----w- c:\program files\Trusteer
    2011-09-10 18:34:11 -------- d-sha-r- C:\cmdcons
    2011-09-10 18:31:50 98816 ----a-w- c:\windows\sed.exe
    2011-09-10 18:31:50 518144 ----a-w- c:\windows\SWREG.exe
    2011-09-10 18:31:50 256000 ----a-w- c:\windows\PEV.exe
    2011-09-10 18:31:50 208896 ----a-w- c:\windows\MBR.exe
    2011-09-08 16:33:01 -------- d-----w- c:\documents and settings\virtual madness\application data\.clamwin
    2011-09-08 16:32:21 -------- d-----w- c:\program files\ClamWin
    2011-09-08 16:32:21 -------- d-----w- c:\documents and settings\all users\.clamwin
    2011-09-08 16:08:03 -------- d-----w- C:\ToolBar SD
    2011-09-08 15:16:21 -------- d-----w- c:\documents and settings\virtual madness\local settings\application data\FixItCenter
    2011-09-08 15:10:20 -------- d-----w- c:\windows\MATS
    2011-09-08 15:10:17 -------- d-----w- c:\program files\Microsoft Fix it Center
    2011-09-08 14:35:22 -------- d--h--w- c:\windows\msdownld.tmp
    2011-09-07 19:34:54 -------- d-----w- c:\documents and settings\all users\application data\Trend Micro
    2011-09-07 19:34:00 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-09-07 19:30:14 -------- d-----w- c:\documents and settings\virtual madness\local settings\application data\Browser Guard
    2011-09-07 19:24:05 -------- d-----w- c:\program files\WinPcap
    2011-09-07 13:34:59 297728 -c--a-w- c:\windows\system32\dllcache\ac97sis.sys
    2011-09-07 13:33:57 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
    2011-09-07 10:26:28 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
    2011-09-07 10:26:28 19416 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
    2011-09-07 10:26:27 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-09-07 10:26:27 125912 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
    2011-09-07 08:09:18 -------- d-----w- c:\program files\MSXML 4.0
    2011-09-06 18:51:35 -------- d-----w- c:\documents and settings\virtual madness\local settings\application data\IsolatedStorage
    2011-09-06 18:46:39 -------- d-----w- c:\documents and settings\virtual madness\local settings\application data\HP
    2011-09-06 18:09:17 626960 ----a-r- c:\windows\system32\hpvaut32.dll
    2011-09-06 18:09:17 44544 ----a-r- c:\windows\system32\MSXML4a.dll
    2011-09-06 18:09:16 487424 ----a-r- c:\windows\system32\hpvcp70.dll
    2011-09-06 18:09:16 344064 ----a-r- c:\windows\system32\hpvcr70.dll
    2011-09-06 18:08:23 -------- d-----w- c:\program files\common files\Hewlett-Packard
    2011-09-06 18:01:58 -------- d-----w- c:\program files\common files\HP
    2011-09-06 18:01:48 35840 ----a-w- c:\windows\system32\drivers\AFS2K.SYS
    2011-09-06 17:54:14 -------- d-----w- c:\program files\HP
    2011-09-06 17:52:44 94208 ----a-r- c:\windows\system32\HPZipt12.dll
    2011-09-06 17:52:42 61699 ----a-r- c:\windows\system32\HPZinw12.exe
    2011-09-06 17:52:42 57344 ----a-r- c:\windows\system32\HPZisn12.dll
    2011-09-06 17:52:41 65795 ----a-r- c:\windows\system32\HPZipm12.exe
    2011-09-06 17:52:40 266296 ----a-r- c:\windows\system32\HPZidr12.dll
    2011-09-06 17:52:40 196608 ----a-r- c:\windows\system32\HPZipr12.dll
    2011-09-06 17:52:38 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
    2011-09-06 17:52:26 51056 ----a-r- c:\windows\system32\drivers\hpzid412.sys
    2011-09-06 17:50:58 21488 ----a-r- c:\windows\system32\drivers\HPZius12.sys
    2011-09-06 17:50:30 262144 ----a-r- c:\windows\system32\HPZc3212.dll
    2011-09-06 17:50:29 77824 ----a-r- c:\windows\system32\hpovst08.dll
    2011-09-06 17:50:28 565248 ----a-r- c:\windows\system32\hpotscl.dll
    2011-09-06 17:50:26 274432 ----a-r- c:\windows\system32\hpgwiamd.dll
    2011-09-06 17:50:20 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2011-09-06 17:50:20 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2011-09-06 17:46:41 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
    2011-09-06 17:46:41 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2011-09-05 17:04:56 183696 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
    2011-09-05 17:04:56 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
    2011-09-05 13:43:28 785368 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
    2011-09-05 13:43:27 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
    2011-09-05 13:43:27 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
    2011-09-05 13:43:27 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
    2011-09-05 13:43:27 1846232 ----a-w- c:\program files\mozilla firefox\mozjs.dll
    2011-09-05 13:43:27 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
    2011-08-31 22:27:53 -------- dc----w- c:\documents and settings\all users\application data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}
    2011-08-31 22:23:57 -------- d-----w- c:\documents and settings\all users\application data\Webroot
    2011-08-31 19:48:10 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2011-08-30 10:16:43 -------- d-----w- c:\program files\Microsoft Security Client
    .
    ==================== Find3M ====================
    .
    2011-09-25 15:32:38 29 ----a-w- c:\windows\system32\TempWmicBatchFile.bat
    2011-09-17 19:02:10 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2011-09-17 19:02:10 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-09-12 20:25:00 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-08-23 07:04:58 56336 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-09 19:56:03 61440 ----a-w- c:\windows\system32\CleanMem.exe
    2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    .
    ============= FINISH: 16:44:27.84 ===============
     
  6. Virtual Madness

    Virtual Madness TS Rookie Topic Starter Posts: 16

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 25/07/2011 18:28:41
    System Uptime: 25/09/2011 10:59:48 (6 hours ago)
    .
    Motherboard: Dell Inc. | | 0U6962
    Processor: Intel(R) Celeron(R) M processor 1.40GHz | Microprocessor | 1396/133mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 149 GiB total, 126.783 GiB free.
    D: is CDROM ()
    I: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Dell Wireless 1370 WLAN Mini-PCI Card
    Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_00051028&REV_02\4&2FA23535&0&18F0
    Manufacturer: Broadcom
    Name: Dell Wireless 1370 WLAN Mini-PCI Card
    PNP Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_00051028&REV_02\4&2FA23535&0&18F0
    Service: BCM43XX
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Cisco Systems VPN Adapter
    Device ID: ROOT\NET\0000
    Manufacturer: Cisco Systems
    Name: Cisco Systems VPN Adapter
    PNP Device ID: ROOT\NET\0000
    Service: CVirtA
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: PC Tools Driver
    Device ID: ROOT\S4E_PCTNDISMP\0001
    Manufacturer: PC Tools
    Name: Deterministic Networks WAN Virtual miniport - PC Tools Driver
    PNP Device ID: ROOT\S4E_PCTNDISMP\0001
    Service: pctNdisMP
    .
    ==== System Restore Points ===================
    .
    RP231: 20/09/2011 20:06:42 - Software Distribution Service 3.0
    RP232: 20/09/2011 21:31:45 - Before Netwire Driver Re-install
    RP233: 21/09/2011 07:14:18 - Restore Operation
    RP234: 21/09/2011 17:52:15 - Software Distribution Service 3.0
    RP235: 21/09/2011 23:16:36 - Before Tweaking Install
    RP236: 21/09/2011 23:40:11 - Before aports install
    RP237: 22/09/2011 00:20:39 - Before Norman Spyware Install
    RP238: 22/09/2011 15:22:42 - Before Tweak Power Pack Usage
    RP239: 23/09/2011 08:02:03 - Software Distribution Service 3.0
    RP240: 24/09/2011 08:27:04 - Software Distribution Service 3.0
    RP241: 25/09/2011 11:14:25 - Software Distribution Service 3.0
    RP242: 25/09/2011 15:19:52 - Before Tech Spot Clean Up
    .
    ==== Installed Programs ======================
    .
    1300
    1300_Help
    1300Tour
    1300Trb
    ACS2000
    Ad-Aware
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader X (10.1.1)
    Advanced SystemCare 4
    AiO_Scan
    AIOMinimal
    AiOSoftware
    Blood Pressure Tracker
    Browser Guard v3.0
    C-Major Audio
    CCleaner
    Cisco Systems VPN Client 5.0.07.0290
    ClamWin Free Antivirus 0.97.2
    CleanMem
    Compatibility Pack for the 2007 Office system
    Conexant D110 MDC V.92 Modem
    Copy
    CreativeProjects
    Dell Driver Download Manager
    Dell ResourceCD
    Dell Software Uninstall
    Dell Wireless WLAN Card
    Director
    DocProc
    Emsisoft HiJackFree 4.5
    Fax
    FileASSASSIN
    Game Booster
    GoldMine 6.0
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Photo & Imaging 3.1
    HP PSC & OfficeJet 3.0
    HP Software Update
    hpmdtab
    HPSystemDiagnostics
    IE Privacy Keeper
    InstantShare
    Intel(R) Graphics Media Accelerator Driver for Mobile
    Intel(R) PRO Network Connections Drivers
    Intel(R) PROSet for Wired Connections
    IObit Malware Fighter
    LiveUpdate 3.3 (Symantec Corporation)
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Memories Disc Creator 2.0
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Fix it Center
    Microsoft Office 2000 SR-1 Professional
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Minimem
    Mouse Suite for Laptop Computers
    Mozilla Firefox 6.0.1 (x86 en-GB)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Oubliette 1.9.5
    Overland
    PC Tools Firewall Plus 7.0
    PhotoGallery
    PrintScreen
    QFolder
    QuickProjects
    QuickSet
    Rapport
    Readme
    Scan
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB982381)
    SkinsHP1
    SkinsHP2
    Spybot - Search & Destroy
    SpywareBlaster 4.4
    SUPERAntiSpyware
    Symantec Endpoint Protection
    Synaptics Pointing Device Driver
    System Checkup 3.0
    TrayApp
    Trend Micro RUBotted 2.0 Beta
    Tweaking.com - Simple Performance Boost
    TweakNow PowerPack 2011 SP3a
    Unload
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows XP (KB2467659)
    UVK
    WebFldrs XP
    WebReg
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinPatrol
    WinPcap 4.1.1
    ZipCentral 4.01
    .
    ==== Event Viewer Messages From Past Week ========
    .
    25/09/2011 16:17:34, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
    25/09/2011 16:17:26, error: Service Control Manager [7034] - The IMF Service service terminated unexpectedly. It has done this 1 time(s).
    25/09/2011 16:17:12, error: Service Control Manager [7034] - The Advanced SystemCare Service service terminated unexpectedly. It has done this 1 time(s).
    25/09/2011 16:16:52, error: Service Control Manager [7034] - The Trend Micro RUBotted Service service terminated unexpectedly. It has done this 1 time(s).
    25/09/2011 16:16:43, error: Service Control Manager [7031] - The Symantec Endpoint Protection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
    22/09/2011 16:02:29, error: Service Control Manager [7000] - The SABProcEnum service failed to start due to the following error: The system cannot find the file specified.
    22/09/2011 02:06:45, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.111.2744.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7604.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    22/09/2011 01:09:36, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.
    22/09/2011 01:09:36, error: Service Control Manager [7000] - The LiveUpdate service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    22/09/2011 01:09:34, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service LiveUpdate with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
    21/09/2011 23:11:15, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMF Service service to connect.
    21/09/2011 23:11:15, error: Service Control Manager [7000] - The IMF Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    21/09/2011 21:55:49, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV eeCtrl Fips intelppm MpFilter RapportKELL SASDIFSV SASKUTIL SPBBCDrv SRTSP SRTSPX SYMTDI
    20/09/2011 22:37:44, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0014A53D9F60. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    20/09/2011 14:05:19, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000098' while processing the file 'wpshelper.sys' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    19/09/2011 15:29:42, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
    19/09/2011 10:35:41, error: EventLog [6004] - A driver packet received from the I/O subsystem was invalid. The data is the packet.
    18/09/2011 13:40:44, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: The referenced assembly is not installed on your system. .
    18/09/2011 13:40:44, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Trend Micro\Browser Guard\TMBGCFG2.dll. Reference error message: The operation completed successfully. .
    18/09/2011 13:40:44, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
    18/09/2011 13:00:01, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    18/09/2011 12:55:25, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    18/09/2011 12:55:17, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD APPDRV eeCtrl Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT pctgntdi RapportKELL RasAcd Rdbss SASDIFSV SASKUTIL SPBBCDrv SRTSP SRTSPX SYMTDI Tcpip WPS
    18/09/2011 12:55:17, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Lavasoft Ad-Aware Service service to connect.
    18/09/2011 12:55:17, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    18/09/2011 12:55:17, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    18/09/2011 12:55:17, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    18/09/2011 12:55:17, error: Service Control Manager [7000] - The Lavasoft Ad-Aware Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    .
    ==== End Of File ===========================
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    When a system has multiple programs running that do the same thing, it creates the following:
    1. The purpose of any of the programs might be compromised so that none do the job intended.
    2. An unnecessary amount of resources are used which can slow the system down.
    --------------------------------------
Multiple security programs may conflict so that none of them does what it is supposed to:
1. Multiple antivirus programs will make a system more vulnerable so that none of them can decide which will do what and viruses, Trojans, Worms, etc can pass through on to the system.
2. Multiple firewalls can conflict so that the ports being monitored aren't 'listening'. This may allow scanners, hackers, crackers, et al. to pass through a port, bringing malware with it.

    Multiple system monitors for cleaning, registry removal, memory optimizing all running at the same time will:
1. Use a large amount of the system resources.
2. Possibly, in the attempt to decide which program will do what, entries may be removed in error or entries that should be removed aren't.

    That being said, here is your system:
    Antivirus:
    ClamWin
    Symantec Endpoint Protection
    Lavasoft Ad-Watch Live! Anti-Virus
    Microsoft Security Essentials

    Firewall:
    Zone Alarm> vsdatant.sys> Related to ZoneAlarm Firewall Driver.
    PC Tools Firewall Plus
Symantec Endpoint Protection
    Microsoft Security Essentials

Antimalware: 2 or more is okay. They should use different manners to monitor:
    Spybot-S&D IE Protection
    Trend Micro Browser Guard/ BHO and TB
    SUPERAntiSpyware
    IObit Malware Fighter
    IE Privacy Keeper
    Malwarebytes
    SuperAdBlocker
    Norman Malware Cleaner
    Lavasoft Ad-Aware
Microsoft Security Client\Antimalware
    Emsisoft HiJackFree 4.5
    HiJackThis

System Cleaners/Optimizers:
    Advanced SystemCare
    IOLO> PC Tuneup
    CleanMem
    Microsoft Fix it Center
    CCleaner
    FileASSASSIN> unlock
    System Checkup 3.0
    ---------------------------------------------
    Please get this down to:
    One antivirus
    One Firewall
    Three of the antimalware programs
    One system 'cleaner.'

    ===========================================
    Please reboot the system when through
    ===========================================
    When the above has been handled:
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
• Click on Yes, to continue scanning for malware
• If Combofix asks you to update the program, allow
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Close any open browsers.
• Double click combofix.exe & follow the prompts to run.
• When the scan completes, a report will be generated and will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ==================================
    Edit: A reminder that it is the user who is the first line of security. No matter how much or how many security programs you put on a system, you are the first block of malware. So if you do careless things on the internet, you will see the results happen on your system.
     
  8. Virtual Madness

    Virtual Madness TS Rookie Topic Starter Posts: 16

    Hi Bobbye,

Thank you for your advice...all done as requested, along with the ComboFix log.

    One thing I've just noticed though, despite using the 'uninstall' facility to remove Microsoft Security Essentials, it's still showing as an AV in the ComboFix log (I'm going to keep Symantec Endpoint Protection as the primary and only AV)???

    Look forward to hearing from you ref. the next step.

    Best regards,
    Virtual Madness

    ***************************
    ComboFix 11-09-27.01 - virtual madness 27/09/2011 23:21:56.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.765 [GMT 1:00]
    Running from: c:\documents and settings\virtual madness\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: PC Tools Firewall Plus *Disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
    FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\virtual madness\Local Settings\Application Data\ApplicationHistory
    c:\documents and settings\virtual madness\Local Settings\Application Data\ApplicationHistory\ProcessDll.exe.cd116cf9.ini
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_NPF
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-08-27 to 2011-09-27 )))))))))))))))))))))))))))))))
    .
    .
    2011-09-27 20:55 . 2011-09-27 21:31 -------- d-----w- c:\windows\SxsCaPendDel
    2011-09-26 20:54 . 2011-09-26 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2011-09-26 20:40 . 2011-09-26 20:40 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Trusteer
    2011-09-26 17:30 . 2010-09-10 21:32 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys
    2011-09-26 17:29 . 2009-09-17 17:38 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
    2011-09-26 17:28 . 2011-09-26 17:28 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2011-09-26 17:28 . 2011-09-26 17:28 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-09-26 17:23 . 2011-09-26 17:28 -------- d-----w- c:\program files\Symantec
    2011-09-26 16:03 . 2011-09-26 16:03 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-09-25 19:33 . 2011-09-25 19:33 -------- d-----w- c:\documents and settings\virtual madness\Application Data\SUPERAntiSpyware.com
    2011-09-25 19:32 . 2011-09-25 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-09-25 18:11 . 2011-09-25 18:11 -------- d-----w- c:\windows\Sun
    2011-09-25 18:10 . 2011-09-25 18:10 -------- d-----w- c:\program files\Common Files\Java
    2011-09-25 18:09 . 2011-09-25 18:09 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-09-25 18:09 . 2011-09-25 18:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-09-25 18:09 . 2011-09-25 18:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-09-25 18:08 . 2011-09-25 18:08 -------- d-----w- c:\program files\Java
    2011-09-25 18:00 . 2011-09-25 18:00 56336 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2011-09-21 23:21 . 2011-09-21 23:21 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\Norman Malware Cleaner
    2011-09-21 22:18 . 2011-09-21 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Tweaking.com
    2011-09-20 21:06 . 2011-09-21 06:17 -------- d-----w- c:\windows\2Wire.0000
    2011-09-17 21:38 . 2011-09-17 22:41 -------- d-----w- c:\program files\TweakNow PowerPack 2011
    2011-09-17 21:38 . 2011-09-17 21:38 -------- d-----w- c:\documents and settings\virtual madness\Application Data\TweakNow PowerPack 2011
    2011-09-17 20:13 . 2011-09-17 22:36 -------- d-----w- c:\documents and settings\virtual madness\Application Data\TweakNow RegCleaner 2011
    2011-09-16 22:54 . 2011-09-16 22:54 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\Opera
    2011-09-15 16:05 . 2011-09-15 16:10 -------- dc-h--w- c:\windows\ie8
    2011-09-14 20:54 . 2011-09-14 20:54 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\WMTools Downloaded Files
    2011-09-14 17:43 . 2011-09-27 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
    2011-09-14 09:56 . 2011-09-14 09:56 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-09-11 23:19 . 2011-09-11 23:19 -------- d-----w- c:\program files\Trusteer
    2011-09-08 14:35 . 2011-09-15 16:19 -------- d--h--w- c:\windows\msdownld.tmp
    2011-09-07 19:34 . 2011-09-07 19:33 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-09-07 19:30 . 2011-09-07 19:35 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\Browser Guard
    2011-09-07 13:34 . 2001-08-17 11:20 297728 -c--a-w- c:\windows\system32\dllcache\ac97sis.sys
    2011-09-07 13:33 . 2001-08-17 13:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
    2011-09-07 10:26 . 2011-09-07 10:26 19416 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
    2011-09-07 10:26 . 2011-09-07 10:26 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
    2011-09-07 10:26 . 2011-09-07 10:26 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2011-09-07 10:26 . 2011-09-07 10:26 125912 ----a-w- c:\program files\Mozilla Firefox\crashreporter.exe
    2011-09-07 08:09 . 2011-09-07 08:09 -------- d-----w- c:\program files\MSXML 4.0
    2011-09-06 18:52 . 2011-09-06 18:52 -------- d-----w- c:\documents and settings\virtual madness\Application Data\HP
    2011-09-06 18:52 . 2011-09-06 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
    2011-09-06 18:51 . 2011-09-06 18:51 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\IsolatedStorage
    2011-09-06 18:46 . 2011-09-06 18:46 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\HP
    2011-09-06 18:09 . 2003-06-23 10:44 626960 ----a-r- c:\windows\system32\hpvaut32.dll
    2011-09-06 18:09 . 2003-06-23 10:44 44544 ----a-r- c:\windows\system32\MSXML4a.dll
    2011-09-06 18:09 . 2003-06-23 10:44 487424 ----a-r- c:\windows\system32\hpvcp70.dll
    2011-09-06 18:09 . 2003-06-23 10:44 344064 ----a-r- c:\windows\system32\hpvcr70.dll
    2011-09-06 18:08 . 2011-09-06 18:08 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
    2011-09-06 18:01 . 2011-09-06 18:01 -------- d-----w- c:\program files\Common Files\HP
    2011-09-06 18:01 . 2004-10-08 01:16 35840 ----a-w- c:\windows\system32\drivers\AFS2K.SYS
    2011-09-06 17:54 . 2011-09-06 18:09 -------- d-----w- c:\program files\HP
    2011-09-06 17:52 . 2003-08-11 06:44 94208 ----a-r- c:\windows\system32\HPZipt12.dll
    2011-09-06 17:52 . 2003-08-11 06:44 61699 ----a-r- c:\windows\system32\HPZinw12.exe
    2011-09-06 17:52 . 2003-08-11 06:44 57344 ----a-r- c:\windows\system32\HPZisn12.dll
    2011-09-06 17:52 . 2003-08-11 06:44 65795 ----a-r- c:\windows\system32\HPZipm12.exe
    2011-09-06 17:52 . 2003-08-11 06:44 266296 ----a-r- c:\windows\system32\HPZidr12.dll
    2011-09-06 17:52 . 2003-08-11 06:44 196608 ----a-r- c:\windows\system32\HPZipr12.dll
    2011-09-06 17:52 . 2003-08-11 06:44 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
    2011-09-06 17:52 . 2003-08-11 06:44 51056 ----a-r- c:\windows\system32\drivers\hpzid412.sys
    2011-09-06 17:50 . 2003-08-11 06:44 21488 ----a-r- c:\windows\system32\drivers\HPZius12.sys
    2011-09-06 17:50 . 2003-08-11 06:44 262144 ----a-r- c:\windows\system32\HPZc3212.dll
    2011-09-06 17:50 . 2003-08-11 06:44 77824 ----a-r- c:\windows\system32\hpovst08.dll
    2011-09-06 17:50 . 2003-08-11 06:44 565248 ----a-r- c:\windows\system32\hpotscl.dll
    2011-09-06 17:50 . 2003-08-11 06:44 274432 ----a-r- c:\windows\system32\hpgwiamd.dll
    2011-09-06 17:50 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2011-09-06 17:50 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2011-09-06 17:46 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
    2011-09-06 17:46 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    2011-09-05 13:43 . 2011-09-07 10:26 785368 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
    2011-09-05 13:43 . 2011-09-07 10:26 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
    2011-09-05 13:43 . 2011-09-07 10:26 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
    2011-09-05 13:43 . 2011-09-07 10:26 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
    2011-09-05 13:43 . 2011-09-07 10:26 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
    2011-09-05 13:43 . 2011-09-07 10:26 1846232 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
    2011-08-31 22:36 . 2011-08-31 22:36 -------- d-----w- c:\windows\system32\config\systemprofile\PrivacIE
    2011-08-31 22:36 . 2011-08-31 22:36 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Trusteer
    2011-08-31 22:33 . 2011-09-01 07:55 -------- d-----w- c:\program files\Microsoft Silverlight
    2011-08-31 22:27 . 2011-09-01 07:55 -------- dc----w- c:\documents and settings\All Users\Application Data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}
    2011-08-31 22:23 . 2011-09-01 07:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-27 22:42 . 2011-08-19 19:03 29 ----a-w- c:\windows\system32\TempWmicBatchFile.bat
    2011-09-27 00:03 . 2004-08-12 13:31 26112 ----a-w- c:\windows\system32\userinit.exe
    2011-09-12 20:25 . 2011-07-28 07:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-09 09:12 . 2004-08-12 13:18 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-07-15 13:29 . 2004-08-12 13:22 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02 . 2004-08-12 13:24 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-09-07 10:26 . 2011-09-07 10:26 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Advanced SystemCare 4"="c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-08-09 417112]
    "Minimem"="c:\program files\Kerkia\Minimem\minimem.exe" [2011-01-09 95744]
    "SmartRAM"="c:\program files\IObit\Advanced SystemCare 4\Suo10_SmartRAM.exe" [2011-08-09 373080]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-09-27 4611456]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-11-17 329096]
    "00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2011-04-07 2672600]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-08 115560]
    "IE Privacy Keeper"="c:\program files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" [2005-12-03 1015808]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-7-7 233472]
    VPN Client.lnk - c:\windows\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico [2011-7-29 6144]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "MemCheckBoxInRunDlg"= 1 (0x1)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2011-06-06 11:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2003-06-25 10:24 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    2006-06-06 16:06 77824 ----a-w- c:\windows\system32\hkcmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    2006-06-06 16:10 118784 ----a-w- c:\windows\system32\igfxpers.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    2006-06-06 16:09 94208 ----a-w- c:\windows\system32\igfxtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\DKabcoms.exe"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
    .
    R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [05/08/2011 00:37 251560]
    R1 RapportCerberus_29574;RapportCerberus_29574;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_29574.sys [25/09/2011 19:01 216912]
    R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [25/09/2011 19:00 70416]
    R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [28/07/2011 19:44 521786]
    R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [05/08/2011 00:37 160576]
    R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [28/07/2011 19:40 36188]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [26/09/2011 18:38 105592]
    R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [05/08/2011 00:35 89472]
    R3 pctNdisMP;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [05/08/2011 00:35 57536]
    R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [05/08/2011 00:34 125248]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [14/07/2009 12:51 23888]
    S3 pctNdis;PC Tools Firewall Intermediate Filter Service;c:\windows\system32\drivers\pctNdis.sys [05/08/2011 00:35 57536]
    S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [25/09/2011 19:00 56336]
    S3 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [25/09/2011 19:00 161936]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: {{D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - c:\program files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
    TCP: DhcpNameServer = 192.168.178.254
    DPF: {5033E708-9A94-4EF7-A50E-DF0F3A2E636F} - hxxp://crmprod.private.de:8001/sap/bc/bsp/sap/public/Calendar/BSP_SAPCalendar.CAB
    FF - ProfilePath - c:\documents and settings\virtual madness\Application Data\Mozilla\Firefox\Profiles\ct56r620.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-Symantec Antvirus
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-09-27 23:43
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(756)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(3560)
    c:\windows\system32\WININET.dll
    c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
    c:\program files\Trusteer\Rapport\bin\rooksbas.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
    c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\windows\System32\WLTRYSVC.EXE
    c:\windows\System32\bcmwltry.exe
    c:\program files\SUPERAntiSpyware\SASCORE.EXE
    c:\program files\IObit\Advanced SystemCare 4\ASCService.exe
    c:\prey\platform\windows\cronsvc.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
    c:\program files\PC Tools Firewall Plus\FWService.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    c:\program files\Trusteer\Rapport\bin\RapportService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-09-27 23:52:40 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-09-27 22:52
    .
    Pre-Run: 138,798,661,632 bytes free
    Post-Run: 138,668,171,264 bytes free
    .
    - - End Of File - - AF27B1BB68CD9C1903F6EBB45830768D
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    System looking better- would still like for you to go through all the programs you gathered to fix the problem. They don't need to keep loading.

    I can remove Microsoft Security Essentials in the Combofix header since you ran the uninstaller. I will also include any left-over entries in script through Combofix. Since Symantec Endpoint Protection is "Integrated antivirus, antispyware, firewall, and intrusion prevention as well as device control and application control", you should also uninstall the PC Tools Firewall.

    From PC Tools Firewall support: Try using the program uninstaller first:
    -----------------------
    If you have any problem with that:
    After uninstalling any program, you should always delete its program folder: Right click on Taskbar> Explore> Computer> double click Local Drive> Programs> do a right click> Delete on the folder.
    ====================================
    Please go ahead with the PCTools Firewall removal. There are several entries running.
    ========================================
    You still have excess 'system cleaners/optimizers':
    1. Advise remove Advanced System Care: none of the software maker sites or pages are considered safe per WOT.
    2. You are also running TweakNow PowerPack 2011 and TweakNow RegCleaner 2011. We don't recommend anyone using a registry cleaner.
    3. Iolo is still running.
    ------------------------------
    What you need to consider is that all these programs that are supposed to be cleaning and optimizing are using system resources. Rarely is it the case of them being enough of a trade off in what they do to make them worth the resources they use. Historically, a memory optimizer uses more resources than what it's supposed to be optimizing!
    ======================
    Are you still using the HP printer you installed in 2003?
    =====================
    What do you have from Webroot? There is some appdata for 'Webroot'.
    ======================
    Did you set these up?
     
  10. Virtual Madness

    Virtual Madness TS Rookie Topic Starter Posts: 16

    Hi Bobbye,

    It’s starting to become apparent that you’re the genius I’ve been trying to track down :wave:

    Yes, please :)

    Done :)

    Done :)

    TweakNow PowerPack uninstalled as requested, but I didn’t realise I was still running TweakNow RegCleaner – I thought I had uninstalled it previously, but obviously not!?!? Can you advise of the best way to remove it please, as it doesn’t appear in the Add/Remove Programs list or Program Folder (I found a folder in Application Data, so I deleted that as a starting point)?

    Again, I thought I had uninstalled it previously, but obviously not!?!? Can you advise of the best way to remove it please, as it doesn’t appear in the Add/Remove Programs list or Program Folder (again, I found a folder in Application Data, so I deleted that as a starting point)?

    Yes, it’s an old ‘all-in-one’ Printer Scanner and Copier – I’ll get something newer one day I’m sure :)

    Again, I thought I had uninstalled it previously, but obviously not!?!? Can you advise of the best way to remove it please, as it doesn’t appear in the Add/Remove Programs list or Program Folder (again, I found the folder in Application Data that you noticed, so I deleted that as a starting point)?

    Yes, they're work related IP addresses that I connect to via a Secure VPN – the content isn’t too sensitive though, just access to product information that I can pass on to customers.

    Finally, not too sure if it was the right thing to do or not, but I downloaded a fresh copy of ComboFix from the link in your previous post and ran it again – I just thought providing you with an up-to-date log would give you a snapshot of the system after taking into account the above.

    I also uninstalled it (Combofix /Uninstall from the cmd prompt) and turned back on System Restore etc.

    Look forward to hearing from you again (at your convenience) ref. going through the last of the clean up process :)

    Very best regards,
    Virtual Madness.
     
  11. Virtual Madness

    Virtual Madness TS Rookie Topic Starter Posts: 16

    As per the previous post, the latest ComboFix log for your reference:

    ComboFix 11-09-29.06 - virtual madness 29/09/2011 23:30:18.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.810 [GMT 1:00]
    Running from: c:\documents and settings\virtual madness\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-08-28 to 2011-09-29 )))))))))))))))))))))))))))))))
    .
    .
    2011-09-27 20:55 . 2011-09-27 21:31 -------- d-----w- c:\windows\SxsCaPendDel
    2011-09-26 20:54 . 2011-09-26 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2011-09-26 20:40 . 2011-09-26 20:40 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Trusteer
    2011-09-26 17:30 . 2011-06-22 18:05 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys
    2011-09-26 17:29 . 2009-09-17 17:38 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
    2011-09-26 17:28 . 2011-09-26 17:28 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2011-09-26 17:28 . 2011-09-26 17:28 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-09-26 17:23 . 2011-09-26 17:28 -------- d-----w- c:\program files\Symantec
    2011-09-26 16:03 . 2011-09-26 16:03 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-09-25 19:33 . 2011-09-25 19:33 -------- d-----w- c:\documents and settings\virtual madness\Application Data\SUPERAntiSpyware.com
    2011-09-25 19:32 . 2011-09-25 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-09-25 18:11 . 2011-09-25 18:11 -------- d-----w- c:\windows\Sun
    2011-09-25 18:10 . 2011-09-25 18:10 -------- d-----w- c:\program files\Common Files\Java
    2011-09-25 18:09 . 2011-09-25 18:09 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-09-25 18:09 . 2011-09-25 18:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-09-25 18:09 . 2011-09-25 18:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-09-25 18:08 . 2011-09-25 18:08 -------- d-----w- c:\program files\Java
    2011-09-25 18:00 . 2011-09-25 18:00 56336 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2011-09-21 23:21 . 2011-09-21 23:21 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\Norman Malware Cleaner
    2011-09-20 21:06 . 2011-09-21 06:17 -------- d-----w- c:\windows\2Wire.0000
    2011-09-17 21:38 . 2011-09-29 19:40 -------- d-----w- c:\documents and settings\virtual madness\Application Data\TweakNow PowerPack 2011
    2011-09-17 20:13 . 2011-09-17 22:36 -------- d-----w- c:\documents and settings\virtual madness\Application Data\TweakNow RegCleaner 2011
    2011-09-16 22:54 . 2011-09-16 22:54 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\Opera
    2011-09-15 16:05 . 2011-09-15 16:10 -------- dc-h--w- c:\windows\ie8
    2011-09-14 20:54 . 2011-09-14 20:54 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\WMTools Downloaded Files
    2011-09-14 09:56 . 2011-09-14 09:56 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-09-11 23:19 . 2011-09-11 23:19 -------- d-----w- c:\program files\Trusteer
    2011-09-08 14:35 . 2011-09-15 16:19 -------- d--h--w- c:\windows\msdownld.tmp
    2011-09-07 19:34 . 2011-09-07 19:33 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-09-07 19:30 . 2011-09-07 19:35 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\Browser Guard
    2011-09-07 13:34 . 2001-08-17 11:20 297728 -c--a-w- c:\windows\system32\dllcache\ac97sis.sys
    2011-09-07 13:33 . 2001-08-17 13:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
    2011-09-07 10:26 . 2011-09-07 10:26 19416 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
    2011-09-07 10:26 . 2011-09-07 10:26 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
    2011-09-07 10:26 . 2011-09-07 10:26 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2011-09-07 10:26 . 2011-09-07 10:26 125912 ----a-w- c:\program files\Mozilla Firefox\crashreporter.exe
    2011-09-07 08:09 . 2011-09-07 08:09 -------- d-----w- c:\program files\MSXML 4.0
    2011-09-06 18:52 . 2011-09-06 18:52 -------- d-----w- c:\documents and settings\virtual madness\Application Data\HP
    2011-09-06 18:52 . 2011-09-06 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
    2011-09-06 18:51 . 2011-09-06 18:51 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\IsolatedStorage
    2011-09-06 18:46 . 2011-09-06 18:46 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\HP
    2011-09-06 18:09 . 2003-06-23 10:44 626960 ----a-r- c:\windows\system32\hpvaut32.dll
    2011-09-06 18:09 . 2003-06-23 10:44 44544 ----a-r- c:\windows\system32\MSXML4a.dll
    2011-09-06 18:09 . 2003-06-23 10:44 487424 ----a-r- c:\windows\system32\hpvcp70.dll
    2011-09-06 18:09 . 2003-06-23 10:44 344064 ----a-r- c:\windows\system32\hpvcr70.dll
    2011-09-06 18:08 . 2011-09-06 18:08 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
    2011-09-06 18:01 . 2011-09-06 18:01 -------- d-----w- c:\program files\Common Files\HP
    2011-09-06 18:01 . 2004-10-08 01:16 35840 ----a-w- c:\windows\system32\drivers\AFS2K.SYS
    2011-09-06 17:54 . 2011-09-06 18:09 -------- d-----w- c:\program files\HP
    2011-09-06 17:52 . 2003-08-11 06:44 94208 ----a-r- c:\windows\system32\HPZipt12.dll
    2011-09-06 17:52 . 2003-08-11 06:44 61699 ----a-r- c:\windows\system32\HPZinw12.exe
    2011-09-06 17:52 . 2003-08-11 06:44 57344 ----a-r- c:\windows\system32\HPZisn12.dll
    2011-09-06 17:52 . 2003-08-11 06:44 65795 ----a-r- c:\windows\system32\HPZipm12.exe
    2011-09-06 17:52 . 2003-08-11 06:44 266296 ----a-r- c:\windows\system32\HPZidr12.dll
    2011-09-06 17:52 . 2003-08-11 06:44 196608 ----a-r- c:\windows\system32\HPZipr12.dll
    2011-09-06 17:52 . 2003-08-11 06:44 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
    2011-09-06 17:52 . 2003-08-11 06:44 51056 ----a-r- c:\windows\system32\drivers\hpzid412.sys
    2011-09-06 17:50 . 2003-08-11 06:44 21488 ----a-r- c:\windows\system32\drivers\HPZius12.sys
    2011-09-06 17:50 . 2003-08-11 06:44 262144 ----a-r- c:\windows\system32\HPZc3212.dll
    2011-09-06 17:50 . 2003-08-11 06:44 77824 ----a-r- c:\windows\system32\hpovst08.dll
    2011-09-06 17:50 . 2003-08-11 06:44 565248 ----a-r- c:\windows\system32\hpotscl.dll
    2011-09-06 17:50 . 2003-08-11 06:44 274432 ----a-r- c:\windows\system32\hpgwiamd.dll
    2011-09-06 17:50 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2011-09-06 17:50 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2011-09-06 17:46 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
    2011-09-06 17:46 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    2011-09-05 13:43 . 2011-09-07 10:26 785368 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
    2011-09-05 13:43 . 2011-09-07 10:26 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
    2011-09-05 13:43 . 2011-09-07 10:26 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
    2011-09-05 13:43 . 2011-09-07 10:26 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
    2011-09-05 13:43 . 2011-09-07 10:26 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
    2011-09-05 13:43 . 2011-09-07 10:26 1846232 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
    2011-08-31 22:36 . 2011-08-31 22:36 -------- d-----w- c:\windows\system32\config\systemprofile\PrivacIE
    2011-08-31 22:33 . 2011-09-01 07:55 -------- d-----w- c:\program files\Microsoft Silverlight
    2011-08-31 22:27 . 2011-09-01 07:55 -------- dc----w- c:\documents and settings\All Users\Application Data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-29 22:32 . 2011-08-19 19:03 29 ----a-w- c:\windows\system32\TempWmicBatchFile.bat
    2011-09-27 00:03 . 2004-08-12 13:31 26112 ----a-w- c:\windows\system32\userinit.exe
    2011-09-12 20:25 . 2011-07-28 07:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-09 09:12 . 2004-08-12 13:18 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-07-15 13:29 . 2004-08-12 13:22 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02 . 2004-08-12 13:24 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-09-07 10:26 . 2011-09-07 10:26 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Minimem"="c:\program files\Kerkia\Minimem\minimem.exe" [2011-01-09 95744]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-09-27 4611456]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-11-17 329096]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-08 115560]
    "IE Privacy Keeper"="c:\program files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" [2005-12-03 1015808]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-7-7 233472]
    VPN Client.lnk - c:\windows\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico [2011-7-29 6144]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "MemCheckBoxInRunDlg"= 1 (0x1)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\DKabcoms.exe"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
    .
    R1 RapportCerberus_29574;RapportCerberus_29574;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_29574.sys [25/09/2011 19:01 216912]
    R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [25/09/2011 19:00 70416]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 17:27 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 22:55 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [12/08/2011 00:38 116608]
    R2 CronService;Cron Service for Prey;c:\prey\platform\windows\cronsvc.exe [15/02/2011 17:01 19968]
    R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [28/07/2011 19:44 521786]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [25/09/2011 18:59 919352]
    R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [28/07/2011 19:40 36188]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [26/09/2011 18:38 105592]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [14/07/2009 12:51 23888]
    S3 dkab_device;dkab_device;c:\windows\system32\DKabcoms.exe -service --> c:\windows\system32\DKabcoms.exe -service [?]
    S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [25/09/2011 19:00 56336]
    S3 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [25/09/2011 19:00 161936]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [12/08/2004 14:30 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: {{D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - c:\program files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
    TCP: DhcpNameServer = 192.168.178.254
    DPF: {5033E708-9A94-4EF7-A50E-DF0F3A2E636F} - hxxp://crmprod.private.de:8001/sap/bc/bsp/sap/public/Calendar/BSP_SAPCalendar.CAB
    FF - ProfilePath - c:\documents and settings\virtual madness\Application Data\Mozilla\Firefox\Profiles\ct56r620.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: network.proxy.type - 0
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-09-29 23:36
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1916)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(2376)
    c:\windows\system32\WININET.dll
    c:\program files\Trusteer\Rapport\bin\rooksbas.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-09-29 23:39:34
    ComboFix-quarantined-files.txt 2011-09-29 22:39
    .
    Pre-Run: 138,686,439,424 bytes free
    Post-Run: 138,671,296,512 bytes free
    .
    - - End Of File - - AA0AB03A3B12FD3A867956A79CC0FEDA
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Well you surely made my day with all those Smiley faces! Although I do not resemble a genius in any way, I do ask questions- we all have processes on the system either that we no longer use or didn't know we had. I will include script for removal of those 'left overs':

    By the way, all peripherals I've had have been from HP. I think I might have the same all in one HP you do- it's been the best workhorse for years! Plain and simple> print, scan and copy!
    ============================================
    Please run this Custom CFScript:

    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\system32\TempWmicBatchFile.bat
    c:\windows\system32\drivers\pctNdis.sys
    c:\windows\system32\vsdatant.sys
    DDS::
    mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
    uRun: [Advanced SystemCare 4] c:\program files\iobit\advanced systemcare 4\ASCTray.exe
    mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    Folder::
    c:\windows\msdownld.tmp
    c:\documents and settings\virtual madness\Application Data\TweakNow RegCleaner 2011
    c:\documents and settings\All Users\Application Data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}
    c:\program files\TweakNow RegCleaner 2011
    c:\program files\iolo
    c:\documents and settings\virtual madness\application data\iolo
    c:\documents and settings\all users\application data\iolo
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "00PCTFW"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
    SecCenter::
    {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    Driver::
    pctNdis
    vsdatant
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Removes processes for:
    TweakNow RegCleaner 2011
    Webroot appdata: {7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}
    PCTools Firewall
    Zone Alarm
    Iolo
    Advanced System Care
    Root Repeal
    Microsoft Security Center
    .
    Check Add/Remove to make sure the above are gone.
    Be sure to check program folders and delete any for the programs removed.
     
  13. Virtual Madness

    Virtual Madness TS Rookie Topic Starter Posts: 16

    Hi Bobbye,

    Thanks again for all your help with this and by the way, I agree, the old HP 'all-in-one' is a very good work horse and it hasn't let me down yet :)

Okay, again I did as you asked, but this time, just when everything seemed to be going so well, I made a bit of an error!!! Hope it hasn't messed up all your good work???

I ran the CF Script as you suggested, but when copying and pasting, I forgot to change 'virtual madness' in the code you had written for my real name in a couple of the paths... Of course, it ran, but didn't do anything where 'virtual madness' was included in the script, as you would expect.

    After it had finished, I saved the log as ComboFix Log 1 - see next post...

    I ran it for a second time, this time being sure to change 'virtual madness' for my real name - it made some further changes, as I had hoped, then I saved the log as ComboFix Log 2 - see following posts.

Sorry for any inconvenience and confusion caused and I hope the script has still performed as you intended?

    Pending your further instructions/advice after review, I have also just noticed that I still have references to the uninstalled Ad Aware and Root Repeal programs:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @=""

    AND

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
    @=""

    Shall I just leave them and/or ignore, or can you remove them for me as well?

    Look forward to hearing from you as always.

    Very best regards,
    Virtual Madness :)
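An added verification script, not written by Bobbye or anyone in this thread, that covers two things raised above: the instruction to check Add/Remove Programs and the program folders after the CFScript run, and the leftover SafeBoot\Minimal keys for Ad-Aware and RootRepeal that Virtual Madness asks about. The product names and folders are taken from the CFScript posted above; the SafeBoot check is my own heuristic, which treats any Minimal subkey that is neither a device-class GUID nor a driver group and that matches no installed service (or, for a `.sys` name, no driver file) as an orphan. It assumes Windows PowerShell 2.0 or later, run from an elevated prompt.

```powershell
# Added example (not from the thread): report leftovers from uninstalled security tools.
# 1. Add/Remove Programs entries, 2. program/app-data folders, 3. orphaned SafeBoot\Minimal keys.

# Names as they appear in the CFScript above (substring match against DisplayName).
$RemovedNames = @('TweakNow RegCleaner', 'PC Tools Firewall', 'ZoneAlarm', 'iolo',
                  'Advanced SystemCare', 'RootRepeal', 'Ad-Aware', 'Webroot')

# Folders the CFScript told ComboFix to delete. CommonApplicationData resolves to
# "All Users\Application Data" on XP and to ProgramData on later versions.
$CommonAppData  = [Environment]::GetFolderPath('CommonApplicationData')
$RemovedFolders = @("$env:ProgramFiles\TweakNow RegCleaner 2011",
                    "$env:ProgramFiles\iolo",
                    "$env:APPDATA\TweakNow RegCleaner 2011",
                    "$env:APPDATA\iolo",
                    "$CommonAppData\iolo",
                    "$CommonAppData\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}")

# --- 1. Add/Remove Programs: anything still registered for a removed product? ---
$UninstallKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName }

foreach ($name in $RemovedNames) {
    $hits = $Installed | Where-Object { $_.DisplayName -like "*$name*" }
    foreach ($h in $hits) {
        Write-Warning ("Still listed in Add/Remove: '{0}' (uninstall string: {1})" -f
                       $h.DisplayName, $h.UninstallString)
    }
}

# --- 2. Program folders: anything the CFScript should have removed still on disk? ---
foreach ($folder in $RemovedFolders) {
    if (Test-Path -LiteralPath $folder) {
        Write-Warning "Leftover folder: $folder"
    }
}

# --- 3. SafeBoot\Minimal: subkeys that no longer point at an installed service/driver ---
# Normal entries are driver groups ("Driver Group" default value) or device-class GUIDs;
# tool entries carry "Service", "Driver", or an empty default value and are named after
# the service (e.g. "Lavasoft Ad-Aware Service") or the driver file (e.g. "rootrepeal.sys").
$SafeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
$Services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

foreach ($key in Get-ChildItem -LiteralPath $SafeBoot) {
    $name = $key.PSChildName
    $kind = (Get-ItemProperty -LiteralPath $key.PSPath).'(default)'

    if ($name -match '^\{[0-9A-Fa-f-]+\}$' -or $kind -eq 'Driver Group') { continue }

    $serviceName = [IO.Path]::GetFileNameWithoutExtension($name)   # rootrepeal.sys -> rootrepeal
    $hasService  = (Test-Path -LiteralPath "$Services\$name") -or
                   (Test-Path -LiteralPath "$Services\$serviceName")
    $hasDriver   = ($name -like '*.sys') -and
                   (Test-Path -LiteralPath "$env:SystemRoot\system32\drivers\$name")

    if (-not ($hasService -or $hasDriver)) {
        Write-Warning ("Orphaned SafeBoot entry: {0}\{1} (default value '{2}') matches no " +
                       "installed service or driver file") -f $SafeBoot, $name, $kind
    }
}
```

Run it after the CFScript and reboot; each warning is one item to clean up by hand (or, for the registry keys, to hand back to the helper for the next CFScript's Registry:: section). It only reads and reports, so it is safe to re-run until it prints nothing.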
     
  14. Virtual Madness

    Virtual Madness TS Rookie Topic Starter Posts: 16

    ComboFix Log 1:

    ComboFix 11-10-01.03 - virtual madness 01/10/2011 20:26:28.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.809 [GMT 1:00]
    Running from: c:\documents and settings\virtual madness\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\virtual madness\Desktop\CFScript.txt.txt
    AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
    .
    FILE ::
    "c:\windows\system32\drivers\pctNdis.sys"
    "c:\windows\system32\TempWmicBatchFile.bat"
    "c:\windows\system32\vsdatant.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}
    c:\documents and settings\All Users\Application Data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}\{8B287B75-DF8D-40C8-9620-8E4492C38EF1}
    c:\documents and settings\All Users\Application Data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}\instance.dat
    c:\documents and settings\All Users\Application Data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}\mia.lib
    c:\documents and settings\All Users\Application Data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}\OFFLINE\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}
    c:\documents and settings\All Users\Application Data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}\WRInstall.dat
    c:\documents and settings\All Users\Application Data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}\WRInstall.lan
    c:\documents and settings\All Users\Application Data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}\WRInstall.par
    c:\documents and settings\All Users\Application Data\{7AE4A0A3-2DDC-42D5-B8B0-D26BFAAA07F5}\WRInstall.res
    c:\windows\msdownld.tmp
    c:\windows\system32\TempWmicBatchFile.bat
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_VSDATANT
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-01 to 2011-10-01 )))))))))))))))))))))))))))))))
    .
    .
    2011-09-27 20:55 . 2011-09-27 21:31 -------- d-----w- c:\windows\SxsCaPendDel
    2011-09-26 20:54 . 2011-09-26 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2011-09-26 20:40 . 2011-09-26 20:40 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Trusteer
    2011-09-26 17:30 . 2010-09-10 21:32 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys
    2011-09-26 17:29 . 2009-09-17 17:38 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
    2011-09-26 17:28 . 2011-09-26 17:28 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2011-09-26 17:28 . 2011-09-26 17:28 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-09-26 17:23 . 2011-09-26 17:28 -------- d-----w- c:\program files\Symantec
    2011-09-26 16:03 . 2011-09-26 16:03 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-09-25 19:33 . 2011-09-25 19:33 -------- d-----w- c:\documents and settings\virtual madness\Application Data\SUPERAntiSpyware.com
    2011-09-25 19:32 . 2011-09-25 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-09-25 18:11 . 2011-09-25 18:11 -------- d-----w- c:\windows\Sun
    2011-09-25 18:10 . 2011-09-25 18:10 -------- d-----w- c:\program files\Common Files\Java
    2011-09-25 18:09 . 2011-09-25 18:09 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-09-25 18:09 . 2011-09-25 18:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-09-25 18:09 . 2011-09-25 18:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-09-25 18:08 . 2011-09-25 18:08 -------- d-----w- c:\program files\Java
    2011-09-25 18:00 . 2011-09-25 18:00 56336 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2011-09-21 23:21 . 2011-09-21 23:21 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\Norman Malware Cleaner
    2011-09-20 21:06 . 2011-09-21 06:17 -------- d-----w- c:\windows\2Wire.0000
    2011-09-17 21:38 . 2011-09-29 19:40 -------- d-----w- c:\documents and settings\virtual madness\Application Data\TweakNow PowerPack 2011
    2011-09-17 20:13 . 2011-09-17 22:36 -------- d-----w- c:\documents and settings\virtual madness\Application Data\TweakNow RegCleaner 2011
    2011-09-16 22:54 . 2011-09-16 22:54 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\Opera
    2011-09-15 16:05 . 2011-09-15 16:10 -------- dc-h--w- c:\windows\ie8
    2011-09-14 20:54 . 2011-09-14 20:54 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\WMTools Downloaded Files
    2011-09-14 09:56 . 2011-09-14 09:56 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-09-11 23:19 . 2011-09-11 23:19 -------- d-----w- c:\program files\Trusteer
    2011-09-07 19:34 . 2011-09-07 19:33 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-09-07 19:30 . 2011-09-07 19:35 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\Browser Guard
    2011-09-07 13:34 . 2001-08-17 11:20 297728 -c--a-w- c:\windows\system32\dllcache\ac97sis.sys
    2011-09-07 13:33 . 2001-08-17 13:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
    2011-09-07 10:26 . 2011-09-29 07:09 19416 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
    2011-09-07 10:26 . 2011-09-29 00:26 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
    2011-09-07 10:26 . 2011-09-29 07:09 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2011-09-07 10:26 . 2011-09-29 07:09 125912 ----a-w- c:\program files\Mozilla Firefox\crashreporter.exe
    2011-09-07 08:09 . 2011-09-07 08:09 -------- d-----w- c:\program files\MSXML 4.0
    2011-09-06 18:52 . 2011-09-06 18:52 -------- d-----w- c:\documents and settings\virtual madness\Application Data\HP
    2011-09-06 18:52 . 2011-09-06 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
    2011-09-06 18:51 . 2011-09-06 18:51 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\IsolatedStorage
    2011-09-06 18:46 . 2011-09-06 18:46 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\HP
    2011-09-06 18:09 . 2003-06-23 10:44 626960 ----a-r- c:\windows\system32\hpvaut32.dll
    2011-09-06 18:09 . 2003-06-23 10:44 44544 ----a-r- c:\windows\system32\MSXML4a.dll
    2011-09-06 18:09 . 2003-06-23 10:44 487424 ----a-r- c:\windows\system32\hpvcp70.dll
    2011-09-06 18:09 . 2003-06-23 10:44 344064 ----a-r- c:\windows\system32\hpvcr70.dll
    2011-09-06 18:08 . 2011-09-06 18:08 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
    2011-09-06 18:01 . 2011-09-06 18:01 -------- d-----w- c:\program files\Common Files\HP
    2011-09-06 18:01 . 2004-10-08 01:16 35840 ----a-w- c:\windows\system32\drivers\AFS2K.SYS
    2011-09-06 17:54 . 2011-09-06 18:09 -------- d-----w- c:\program files\HP
    2011-09-06 17:52 . 2003-08-11 06:44 94208 ----a-r- c:\windows\system32\HPZipt12.dll
    2011-09-06 17:52 . 2003-08-11 06:44 61699 ----a-r- c:\windows\system32\HPZinw12.exe
    2011-09-06 17:52 . 2003-08-11 06:44 57344 ----a-r- c:\windows\system32\HPZisn12.dll
    2011-09-06 17:52 . 2003-08-11 06:44 65795 ----a-r- c:\windows\system32\HPZipm12.exe
    2011-09-06 17:52 . 2003-08-11 06:44 266296 ----a-r- c:\windows\system32\HPZidr12.dll
    2011-09-06 17:52 . 2003-08-11 06:44 196608 ----a-r- c:\windows\system32\HPZipr12.dll
    2011-09-06 17:52 . 2003-08-11 06:44 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
    2011-09-06 17:52 . 2003-08-11 06:44 51056 ----a-r- c:\windows\system32\drivers\hpzid412.sys
    2011-09-06 17:50 . 2003-08-11 06:44 21488 ----a-r- c:\windows\system32\drivers\HPZius12.sys
    2011-09-06 17:50 . 2003-08-11 06:44 262144 ----a-r- c:\windows\system32\HPZc3212.dll
    2011-09-06 17:50 . 2003-08-11 06:44 77824 ----a-r- c:\windows\system32\hpovst08.dll
    2011-09-06 17:50 . 2003-08-11 06:44 565248 ----a-r- c:\windows\system32\hpotscl.dll
    2011-09-06 17:50 . 2003-08-11 06:44 274432 ----a-r- c:\windows\system32\hpgwiamd.dll
    2011-09-06 17:50 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2011-09-06 17:50 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2011-09-06 17:46 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
    2011-09-06 17:46 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    2011-09-05 13:43 . 2011-09-29 07:09 773080 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
    2011-09-05 13:43 . 2011-09-29 07:09 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
    2011-09-05 13:43 . 2011-09-29 07:09 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
    2011-09-05 13:43 . 2011-09-29 07:09 1833944 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
    2011-09-05 13:43 . 2011-09-29 07:09 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
    2011-09-05 13:43 . 2011-09-29 00:26 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-27 00:03 . 2004-08-12 13:31 26112 ----a-w- c:\windows\system32\userinit.exe
    2011-09-12 20:25 . 2011-07-28 07:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-09 09:12 . 2004-08-12 13:18 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-07-15 13:29 . 2004-08-12 13:22 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02 . 2004-08-12 13:24 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-09-29 07:09 . 2011-09-07 10:26 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Minimem"="c:\program files\Kerkia\Minimem\minimem.exe" [2011-01-09 95744]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-09-27 4611456]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-11-17 329096]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-08 115560]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "IE Privacy Keeper"="c:\program files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" [2005-12-03 1015808]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-7-7 233472]
    VPN Client.lnk - c:\windows\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico [2011-7-29 6144]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "MemCheckBoxInRunDlg"= 1 (0x1)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\DKabcoms.exe"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
    .
    R1 RapportCerberus_29574;RapportCerberus_29574;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_29574.sys [25/09/2011 19:01 216912]
    R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [25/09/2011 19:00 70416]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 17:27 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 22:55 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [12/08/2011 00:38 116608]
    R2 CronService;Cron Service for Prey;c:\prey\platform\windows\cronsvc.exe [15/02/2011 17:01 19968]
    R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [28/07/2011 19:44 521786]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [25/09/2011 18:59 919352]
    R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [28/07/2011 19:40 36188]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [26/09/2011 18:38 105592]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [14/07/2009 12:51 23888]
    S3 dkab_device;dkab_device;c:\windows\system32\DKabcoms.exe -service --> c:\windows\system32\DKabcoms.exe -service [?]
    S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [25/09/2011 19:00 56336]
    S3 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [25/09/2011 19:00 161936]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [12/08/2004 14:30 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: {{D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - c:\program files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
    TCP: DhcpNameServer = 192.168.178.254
    DPF: {5033E708-9A94-4EF7-A50E-DF0F3A2E636F} - hxxp://crmprod.private.de:8001/sap/bc/bsp/sap/public/Calendar/BSP_SAPCalendar.CAB
    FF - ProfilePath - c:\documents and settings\virtual madness\Application Data\Mozilla\Firefox\Profiles\mmjzlu96.CashBack\
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-01 20:38
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1928)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(2580)
    c:\windows\system32\WININET.dll
    c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
    c:\program files\Trusteer\Rapport\bin\rooksbas.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
    c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\windows\System32\WLTRYSVC.EXE
    c:\windows\System32\bcmwltry.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    c:\program files\Symantec\Symantec Endpoint Protection\DoScan.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Trusteer\Rapport\bin\RapportService.exe
    c:\program files\Symantec\Symantec Endpoint Protection\SavUI.exe
    .
    **************************************************************************
    .
    Completion time: 2011-10-01 20:43:07 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-10-01 19:43
    ComboFix2.txt 2011-09-29 22:55
    .
    Pre-Run: 138,733,740,032 bytes free
    Post-Run: 138,649,792,512 bytes free
    .
    - - End Of File - - 867839407C6DE396ABB1005B99189EC9
     
  15. Virtual Madness

    Virtual Madness TS Rookie Topic Starter Posts: 16

    ComboFix Log 2:

    ComboFix 11-10-01.03 - virtual madness 01/10/2011 20:53:11.4.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.655 [GMT 1:00]
    Running from: c:\documents and settings\virtual madness\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\virtual madness\Desktop\CFScript.txt.txt
    AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
    .
    FILE ::
    "c:\windows\system32\drivers\pctNdis.sys"
    "c:\windows\system32\TempWmicBatchFile.bat"
    "c:\windows\system32\vsdatant.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\virtual madness\Application Data\TweakNow RegCleaner 2011
    c:\documents and settings\virtual madness\Application Data\TweakNow RegCleaner 2011\Backup\DiskCleaner_17%a09%a2011_21%b21%b4.zip
    c:\documents and settings\virtual madness\Application Data\TweakNow RegCleaner 2011\Backup\QuickOptimizer_17%a09%a2011_21%b17%b2.twn
    c:\documents and settings\virtual madness\Application Data\TweakNow RegCleaner 2011\Backup\RegCleaner_17%a09%a2011_21%b16%b4.dat
    c:\documents and settings\virtual madness\Application Data\TweakNow RegCleaner 2011\Backup\RegCleaner_17%a09%a2011_21%b28%b2.dat
    c:\documents and settings\virtual madness\Application Data\TweakNow RegCleaner 2011\Backup\RegCleaner_17%a09%a2011_21%b55%b0.dat
    c:\windows\system32\TempWmicBatchFile.bat
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-01 to 2011-10-01 )))))))))))))))))))))))))))))))
    .
    .
    2011-09-27 20:55 . 2011-09-27 21:31 -------- d-----w- c:\windows\SxsCaPendDel
    2011-09-26 20:54 . 2011-09-26 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2011-09-26 20:40 . 2011-09-26 20:40 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Trusteer
    2011-09-26 17:30 . 2010-09-10 21:32 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys
    2011-09-26 17:29 . 2009-09-17 17:38 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
    2011-09-26 17:28 . 2011-09-26 17:28 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2011-09-26 17:28 . 2011-09-26 17:28 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-09-26 17:23 . 2011-09-26 17:28 -------- d-----w- c:\program files\Symantec
    2011-09-26 16:03 . 2011-09-26 16:03 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-09-25 19:33 . 2011-09-25 19:33 -------- d-----w- c:\documents and settings\virtual madness\Application Data\SUPERAntiSpyware.com
    2011-09-25 19:32 . 2011-09-25 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-09-25 18:11 . 2011-09-25 18:11 -------- d-----w- c:\windows\Sun
    2011-09-25 18:10 . 2011-09-25 18:10 -------- d-----w- c:\program files\Common Files\Java
    2011-09-25 18:09 . 2011-09-25 18:09 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-09-25 18:09 . 2011-09-25 18:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-09-25 18:09 . 2011-09-25 18:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-09-25 18:08 . 2011-09-25 18:08 -------- d-----w- c:\program files\Java
    2011-09-25 18:00 . 2011-09-25 18:00 56336 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2011-09-21 23:21 . 2011-09-21 23:21 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\Norman Malware Cleaner
    2011-09-20 21:06 . 2011-09-21 06:17 -------- d-----w- c:\windows\2Wire.0000
    2011-09-17 21:38 . 2011-09-29 19:40 -------- d-----w- c:\documents and settings\virtual madness\Application Data\TweakNow PowerPack 2011
    2011-09-16 22:54 . 2011-09-16 22:54 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\Opera
    2011-09-15 16:05 . 2011-09-15 16:10 -------- dc-h--w- c:\windows\ie8
    2011-09-14 20:54 . 2011-09-14 20:54 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\WMTools Downloaded Files
    2011-09-14 09:56 . 2011-09-14 09:56 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-09-11 23:19 . 2011-09-11 23:19 -------- d-----w- c:\program files\Trusteer
    2011-09-07 19:34 . 2011-09-07 19:33 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-09-07 19:30 . 2011-09-07 19:35 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\Browser Guard
    2011-09-07 13:34 . 2001-08-17 11:20 297728 -c--a-w- c:\windows\system32\dllcache\ac97sis.sys
    2011-09-07 13:33 . 2001-08-17 13:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
    2011-09-07 10:26 . 2011-09-29 07:09 19416 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
    2011-09-07 10:26 . 2011-09-29 00:26 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
    2011-09-07 10:26 . 2011-09-29 07:09 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2011-09-07 10:26 . 2011-09-29 07:09 125912 ----a-w- c:\program files\Mozilla Firefox\crashreporter.exe
    2011-09-07 08:09 . 2011-09-07 08:09 -------- d-----w- c:\program files\MSXML 4.0
    2011-09-06 18:52 . 2011-09-06 18:52 -------- d-----w- c:\documents and settings\virtual madness\Application Data\HP
    2011-09-06 18:52 . 2011-09-06 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
    2011-09-06 18:51 . 2011-09-06 18:51 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\IsolatedStorage
    2011-09-06 18:46 . 2011-09-06 18:46 -------- d-----w- c:\documents and settings\virtual madness\Local Settings\Application Data\HP
    2011-09-06 18:09 . 2003-06-23 10:44 626960 ----a-r- c:\windows\system32\hpvaut32.dll
    2011-09-06 18:09 . 2003-06-23 10:44 44544 ----a-r- c:\windows\system32\MSXML4a.dll
    2011-09-06 18:09 . 2003-06-23 10:44 487424 ----a-r- c:\windows\system32\hpvcp70.dll
    2011-09-06 18:09 . 2003-06-23 10:44 344064 ----a-r- c:\windows\system32\hpvcr70.dll
    2011-09-06 18:08 . 2011-09-06 18:08 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
    2011-09-06 18:01 . 2011-09-06 18:01 -------- d-----w- c:\program files\Common Files\HP
    2011-09-06 18:01 . 2004-10-08 01:16 35840 ----a-w- c:\windows\system32\drivers\AFS2K.SYS
    2011-09-06 17:54 . 2011-09-06 18:09 -------- d-----w- c:\program files\HP
    2011-09-06 17:52 . 2003-08-11 06:44 94208 ----a-r- c:\windows\system32\HPZipt12.dll
    2011-09-06 17:52 . 2003-08-11 06:44 61699 ----a-r- c:\windows\system32\HPZinw12.exe
    2011-09-06 17:52 . 2003-08-11 06:44 57344 ----a-r- c:\windows\system32\HPZisn12.dll
    2011-09-06 17:52 . 2003-08-11 06:44 65795 ----a-r- c:\windows\system32\HPZipm12.exe
    2011-09-06 17:52 . 2003-08-11 06:44 266296 ----a-r- c:\windows\system32\HPZidr12.dll
    2011-09-06 17:52 . 2003-08-11 06:44 196608 ----a-r- c:\windows\system32\HPZipr12.dll
    2011-09-06 17:52 . 2003-08-11 06:44 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
    2011-09-06 17:52 . 2003-08-11 06:44 51056 ----a-r- c:\windows\system32\drivers\hpzid412.sys
    2011-09-06 17:50 . 2003-08-11 06:44 21488 ----a-r- c:\windows\system32\drivers\HPZius12.sys
    2011-09-06 17:50 . 2003-08-11 06:44 262144 ----a-r- c:\windows\system32\HPZc3212.dll
    2011-09-06 17:50 . 2003-08-11 06:44 77824 ----a-r- c:\windows\system32\hpovst08.dll
    2011-09-06 17:50 . 2003-08-11 06:44 565248 ----a-r- c:\windows\system32\hpotscl.dll
    2011-09-06 17:50 . 2003-08-11 06:44 274432 ----a-r- c:\windows\system32\hpgwiamd.dll
    2011-09-06 17:50 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2011-09-06 17:50 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2011-09-06 17:46 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
    2011-09-06 17:46 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    2011-09-05 13:43 . 2011-09-29 07:09 773080 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
    2011-09-05 13:43 . 2011-09-29 07:09 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
    2011-09-05 13:43 . 2011-09-29 07:09 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
    2011-09-05 13:43 . 2011-09-29 07:09 1833944 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
    2011-09-05 13:43 . 2011-09-29 07:09 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
    2011-09-05 13:43 . 2011-09-29 00:26 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-27 00:03 . 2004-08-12 13:31 26112 ----a-w- c:\windows\system32\userinit.exe
    2011-09-12 20:25 . 2011-07-28 07:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-09 09:12 . 2004-08-12 13:18 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-07-15 13:29 . 2004-08-12 13:22 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02 . 2004-08-12 13:24 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-09-29 07:09 . 2011-09-07 10:26 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-10-01_19.36.18 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-10-01 19:41 . 2011-10-01 19:41 16384 c:\windows\temp\Perflib_Perfdata_c90.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Minimem"="c:\program files\Kerkia\Minimem\minimem.exe" [2011-01-09 95744]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-09-27 4611456]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-11-17 329096]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-08 115560]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "IE Privacy Keeper"="c:\program files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" [2005-12-03 1015808]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-7-7 233472]
    VPN Client.lnk - c:\windows\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico [2011-7-29 6144]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "MemCheckBoxInRunDlg"= 1 (0x1)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
    @=""
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\DKabcoms.exe"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
    .
    R1 RapportCerberus_29574;RapportCerberus_29574;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_29574.sys [25/09/2011 19:01 216912]
    R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [25/09/2011 19:00 70416]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 17:27 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 22:55 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [12/08/2011 00:38 116608]
    R2 CronService;Cron Service for Prey;c:\prey\platform\windows\cronsvc.exe [15/02/2011 17:01 19968]
    R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [28/07/2011 19:44 521786]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [25/09/2011 18:59 919352]
    R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [28/07/2011 19:40 36188]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [26/09/2011 18:38 105592]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [14/07/2009 12:51 23888]
    S3 dkab_device;dkab_device;c:\windows\system32\DKabcoms.exe -service --> c:\windows\system32\DKabcoms.exe -service [?]
    S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [25/09/2011 19:00 56336]
    S3 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [25/09/2011 19:00 161936]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [12/08/2004 14:30 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: {{D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - c:\program files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
    TCP: DhcpNameServer = 192.168.178.254
    DPF: {5033E708-9A94-4EF7-A50E-DF0F3A2E636F} - hxxp://crmprod.private.de:8001/sap/bc/bsp/sap/public/Calendar/BSP_SAPCalendar.CAB
    FF - ProfilePath - c:\documents and settings\virtual madness\Application Data\Mozilla\Firefox\Profiles\mmjzlu96.CashBack\
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-01 21:00
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1928)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    Completion time: 2011-10-01 21:03:34
    ComboFix-quarantined-files.txt 2011-10-01 20:03
    ComboFix2.txt 2011-10-01 19:43
    ComboFix3.txt 2011-09-29 22:55
    .
    Pre-Run: 138,656,047,104 bytes free
    Post-Run: 138,636,845,056 bytes free
    .
    - - End Of File - - C5EF05E8F2ED58C782B4BBE19403B4F7
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, I had the rootrepeal.sys registry entry in the first script:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

    But I did not include AdAware:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

    For that: Click on Start> Run> type in services.msc> enter> scroll to the:
    Service Name: aawservice
    Service Display Name: Ad-Aware 2007 Service
    Double click to open> Set Startup type to Disable> Stop the Service.
    ========================================
    Prevx is calling rootrepeal.sys a virus. It describes it as this:
    However, it does modify this, saying:
    I was surprised to see the entry as there were no other entries for it. Since it remained on the system, let's check it out for a virus:
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the image to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    Please post the entire log with heading resembling this:
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
     
  17. Virtual Madness

    Virtual Madness TS Rookie Topic Starter Posts: 16

    Hi Bobbye,

    Thanks again for your prompt reply.

    I ran the ESET on-line scanner as you suggested - after a couple of hours of scanning this morning, it finally ended saying no threats were found, so of course, no log report was produced.

    Prior to running the scan, I also followed your instructions with regards to stopping the Ad-Aware Service, but it didn't appear in the list??? FYI, I've posted below details of all of the services and their current state.

    By the way, just before I post the list, I still have the following entries, which is strange, as there is no other reference to them anywhere else??? I didn't notice the 'IMF' one when posting the ComboFix Logs before (I obviously wasn't looking hard enough :)), and isn't the 'MsMpSvc' entry something to do with Microsoft's antimalware stuff (which again, I thought you and I had removed??).

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
    @=""

    Services:

    Edit: Unneeded list of Services deleted by Bobbye

    Looking forward to your expert advice :)

    Very best regards,
    Virtual Madness
     
  18. Virtual Madness

    Virtual Madness TS Rookie Topic Starter Posts: 16

    Sorry, me again Bobbye...

    I also neglected to mention in earlier posts, but over the last few weeks, whilst trying to self-diagnose (wish I had just posted here in the first place!!!), somewhere along the way, something else has changed with my login sequence. Before all this started, when I turned on my Laptop, it would start in the normal way stating 'Windows is starting up' etc - it would then prompt for my password in the normal way. Now (I'm not exactly sure when it started, but it was a while ago), it also goes through a process of showing different paths before getting to the password stage. I know the wording 'RPCSS is starting' is included. When logging off, a similar thing happens, but this time it will say something along the lines of 'Machine Policies' and 'Playing Log Off Sound' etc?

    I'm guessing whilst installing different freeware and/or googling different 'fixes', I've activated a setting that shows what is happening behind the scenes, when normally, such info. is hidden at the Welcome/Login stage. It doesn't matter if it stays there/continues from here on in, it's just taking a little getting used to, that's all...

    Cheers Bobbye.

    Kindest regards,
    Virtual Madness
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You are getting way too involved for our purposes.

    I listed your excess Security programs. I instructed you to remove the excess and get them down to the number I quoted. That was your job. I did remove excess entries when it appeared you had removed the program- that was my job.

    This showed running in the DDS log:
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-8-18 2151640]
    The Combofix log didn't have it and the header no longer showed it. You apparently decided to uninstall AdAware instead of just disabling the AdWatch Live AV.

    I told you that I had not included AdAware in the script- it is a registry process- please be sure to use Windows Explorer> right click on Start> Explore> My Computer> Double click on Local Drive (C)> Programs> look for AdAware or Lavasoft folder and do a right click> Delete.

    You can remove it here:
    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    Registry::
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . No log needed.
    ====================
    This is not an issue. Microsoft Security Client\Antimalware was sent as an update as far as I know. It is not part of MSE- also as far as I know: http://support.microsoft.com/kb/2394433

    You are taking log entries out of context. Just like pulling one sentence out of an article, it can be very misleading.

    Your initial problem was closing ports. I have not heard anything about that so you must have resolved it.

    This is IMF: IObit Malware Fighter
    R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-7-28 820568]

    When you were trying to fix the problem before you got here, did you run RootRepeal?
     
  20. Virtual Madness

    Virtual Madness TS Rookie Topic Starter Posts: 16

    My apologies, I didn't mean to get so involved...it's just that I've spent so long trying to resolve the issue that I got completely wrapped up in your guidance - which seemed to be making such a difference (everything was getting so much faster and response times were so much better etc. etc.).

    Don't worry about the odd left over entry and the weird logging on and off scenario - I can live with that now.

    More importantly, I've just tried logging onto the website where I first noticed the issue - you'll be pleased to know everything seems to be cured - no more iexplore.exe hanging (for the first time in what seems like ages)!!!!!! I guess it was the multiple malware programs I had running and a combination of tweaks which led to a conflict that ultimately caused the original problem.

    Anyway, it seems to be resolved now you've cleaned up my system, so I'm not going to take up anymore of your time and let you get on and help others.

    I'll run the last ComboFix script you've provided and leave it at that.

    By the way, yes, I did run RootRepeal before visiting TechSpot - it was recommended by someone as a potential fix.

    Thanks again, and sorry for dragging it on.
    Virtual Madness
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome! It's not that I minded helping you, but my main function in this forum is Virus and Malware removal. That is a time consuming activity. I try to give other tips as we go along if appropriate and I'm going to leave some for you.
    --------------------------------
    First, let's remove all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
    ====================================
    As was discussed, too much of the same type of security can be a bad thing. Better is to use different types of security and work on the settings in the system:

    Tips for added security and safer browsing: (Links are in Bold Blue)
    1. Browser Security
      [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
      [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
      [o] Replace the Host Files
      [o] Google Toolbar Pop Up Blocker
      I consider a Site Advisor to be one of the most important assets there are to a safe system.
      [o]Web of Trust (WOT) Site Advisor. Traffic-light rating symbols rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
    2. Have layered Security:
      [o]Antivirus :(only one): Previously discussed
      [o]Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o]Zone Alarm
    3. Antimalware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX.
      [o]Spybot Search & Destroy
    4. Updates: Stay current:
      [o] the Microsoft Download Site frequently. All updates marked Critical and the current SP updates.
      [o]Adobe Reader Install current, uninstall old.
      [o]Java Updates Install current, uninstall old.
    5. Tracking Cookies
      Reset Cookie:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
      [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    6. Do regular Maintenance
      Clean the temporary internet files often:
      [o] Temporary File Cleaner
      or
      [o] ATF Cleaner by Atribune
    7. Restore Points:
      [o]See System Restore Guide
    8. Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Please let me know if you find any bad link.
    ================================
    And a word of caution regarding this:
    Programs of this nature, should only be run if appropriate for the particular malware and then only with the directions of a helper. This is the one time you don't want to listen to friends!
     
  22. Virtual Madness

    Virtual Madness TS Rookie Topic Starter Posts: 16

    Hi Bobbye,

    Thanks again for all of your help - I carried out the final stages that you've mentioned above (running OldTimer etc). Everything seems to be in order now and running like new.

    As I mentioned before, I still have the bizarre start up routine after pressing the Power Button (Blue Screen with 'Windows is starting up' etc. with 'RPCSS is starting...' underneath (in white letters) along with a few other lines of text that flash by quickly. The Logging off sequence, as mentioned before, is still weird as well, showing the words 'Playing Log Off Sound' etc, again in white letters. Oh well, unless you can point me in the right direction within the forum (and I don't expect you to, you've done more than enough), I guess I'll find someone who will have some idea of what it's all about in the end - but it's something that can be lived with if all else fails :)

    Oh yes, and finally, no matter how many times I run the CFScripts you gave me, or manually delete the entries within the registry, the following lines still keep coming back from somewhere after a reboot (despite the programs or any potential 'leftover components' not showing up anywhere else in the root directory!?!):

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys

    But hey, so what, things are 100 times better than they were :)

    Cheers Bobbye!
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thread got away from me- sorry.

    Try this: Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    --------------------
    Now rerun the script as follows:
    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    Registry::
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
    ====================
    Make sure the program folders for AdAware, Iobit Malware Fighter and RootRepeal are removed.
    =====================
    Boot back into Normal Mode.
    =====================
    For the other logoff problem: Note the time on the computer clock as you log off:
    First, logoff to force the problem. Then do the following:

    Please download VEW and save it to your Desktop:

    Setting up the program

    Double-click VEW.exe to run.

    • Select log to query, select
    • Application
    • System

      Under Select type to list, select:
    • Critical (Vista only)
    • Error

      Click the radio button for Number of events
    • Type 20 in the 1 to 20 box
    • Then click the Run button.
    • Notepad will open with the output log.

      Load the log
    • In Notepad, click Edit> Select all
    • Then press Edit > Copy
    • Press Ctrl+V on your keyboard to paste the log to your next reply.

    (Courtesy rev-Olie)

    Please tell me what the log off time was and I'll try to see if I can find a corresponding error. This is out of the malware realm and depending on what I see, I may refer you to a more appropriate forum to troubleshoot it.
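The VEW procedure above pulls the last 20 Error entries from the Application and System logs so they can be matched against the noted logoff time. The following is an added example, not from the thread and not part of VEW, that does the same lookup from Windows PowerShell (2.0 or later, which is what XP SP3 could run) and flags the entries that fall inside a few minutes of the logoff time. `$LogoffTime`, `$WindowMinutes` and `$Newest` are the example's own parameters; replace the default logoff time with the clock time noted when logging off.

```powershell
# Added example (not the thread's own procedure, not VEW): list the newest
# Error entries from the Application and System logs and flag the ones that
# were written within a window around the user's noted logoff time.
# Assumptions: Windows PowerShell 2.0+ on the affected machine; the classic
# event logs are readable by the current user (run as administrator if not).
param(
    [datetime]$LogoffTime   = (Get-Date),   # placeholder: replace with the noted logoff time
    [int]$WindowMinutes     = 5,            # how far either side of logoff to look
    [int]$Newest            = 20            # same "1 to 20" count VEW asks for
)

$from = $LogoffTime.AddMinutes(-$WindowMinutes)
$to   = $LogoffTime.AddMinutes($WindowMinutes)

# Get-EventLog reads the classic .evt logs (XP/2003/Vista/7). One query per log,
# tagged with the log name so the combined list stays readable.
$events = foreach ($log in 'Application', 'System') {
    Get-EventLog -LogName $log -EntryType Error -Newest $Newest -ErrorAction SilentlyContinue |
        Select-Object @{n='Log'; e={ $log }}, TimeGenerated, Source, EventID, Message
}

# Entries inside the logoff window are the ones to read first.
$inWindow = @($events | Where-Object { $_.TimeGenerated -ge $from -and $_.TimeGenerated -le $to })

"Error entries between $from and $to : $($inWindow.Count)"
$inWindow | Sort-Object TimeGenerated |
    Format-List TimeGenerated, Log, Source, EventID, Message

# The full "newest N per log" view, equivalent to what VEW writes to Notepad.
"All $Newest newest Error entries per log:"
$events | Sort-Object TimeGenerated -Descending |
    Format-Table TimeGenerated, Log, Source, EventID -AutoSize
```

Run it as `.\logoff-errors.ps1 -LogoffTime '2011-10-03 18:42'` (file name and time are the reader's choice). An empty "between" list with errors elsewhere is itself useful: it says the logoff messages were cosmetic rather than the result of a failing component, which is where the thread eventually lands.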
     
  24. Virtual Madness

    Virtual Madness TS Rookie Topic Starter Posts: 16

    Hi Bobbye,

    Okay, I did as you suggested ref. running the latest CFScript you provided (in Safe Mode) - no change, the entries are still there:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys

    As a further test, I ran a search in Reg Edit and found similar entries in the following locations:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\IMFservice
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\rootrepeal.sys

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\IMFservice
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\rootrepeal.sys

    There are no other entries anywhere else in the Registry Keys and no left over folders in Program Files or Application Data etc. etc.

    It's weird, because as a further test of my own (after running your CFScript), I decided to manually delete all of the above entries - after a reboot, they all appeared again in exactly the same place...very strange...

    Oh well, I can live with it, they obviously don't want to be removed and you've made a big difference to the performance of my Laptop anyway - as well as sorting out those stubborn open internet ports that were refusing to close before you got involved!

    Finally, I got to the bottom of the logging on/logging off scenario myself just before you had the chance to reply - it turns out whilst trying to sort out the open internet ports problem before approaching you guys initially, I had downloaded and installed a freeware package called 'tweaking.com_simple_performance_boost_setup'. It had a check box named 'show start up information'...To resolve the issue, I re-installed the package - but this time I un-checked the box, ran it, then completely uninstalled it from my Laptop - problem sorted at last!

    Thanks again for all of your help Bobbye - if you want to go ahead and close this thread now, by all means do so. If there is anything else you do want or need to add though, again by all means do.

    Very best regards,
    Virtual Madness
     
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If you notice, the 3 entries are in the CONTROLSETS: I found information on these here: http://support.microsoft.com/kb/302829/ko

    About #11 starts the pertinent information:
    If you decide to attempt any of the suggestions, always remember Backup the Registry before making any changes:
    ========================================
    I'm glad we were able to handle the other problems: Go through the removal steps for the cleaning tools. And here are some tips for you:

    Tips for added security and safer browsing: (Links are in Bold Blue)
    1. Browser Security
      [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
      [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
      [o] Replace the Host Files
      [o] Google Toolbar Pop Up Blocker
      [o]Web of Trust (WOT) Site Advisor. Traffic-light rating symbols rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
    2. Have layered Security:
      [o]Antivirus :(only one):Both of the following programs are free and known to be good:
      [o]Avira-AntiVir-Personal-Free-Antivirus
      [o]Avast-Free Antivirus
      [o]Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o]Zone Alarm
    3. Antimalware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX.
      [o]Spybot Search & Destroy
    4. Updates: Stay current:
      [o] the Microsoft Download Site frequently. All updates marked Critical and the current SP updates.
      [o]Adobe Reader Install current, uninstall old.
      [o]Java Updates Install current, uninstall old.
    5. Tracking Cookies
      Reset Cookie:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
      [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    6. Do regular Maintenance
      Clean the temporary internet files often:
      [o] Temporary File Cleaner
      or
      [o] ATF Cleaner by Atribune
    7. Restore Points:
      [o]See System Restore Guide
    8. Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Please let me know if you find any bad link.
    ==========================================
    You ask about how you got infected: An excerpt from Tony Klein´s guide:

    Another approach: 14 ways to get Infected without trying

    Thanks to Metallica for most of those and CalamityJane, bitman, Lonny, shelf life.
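The point Bobbye makes about the CONTROLSETS, and the search Virtual Madness ran two posts earlier, is that HKLM\SYSTEM\CurrentControlSet is only a link to one of the numbered ControlSetNNN keys; the HKLM\SYSTEM\Select key records which numbered set is Current and which is LastKnownGood, and a key deleted through CurrentControlSet is untouched in the other numbered sets. The following is an added example, not from the thread and not ComboFix, that reports every copy of the three SafeBoot\Minimal keys named in this thread across all control sets and shows which set CurrentControlSet resolves to. It only reads the registry; `$names` is the example's own list and can be changed to any key names of interest.

```powershell
# Added example (not the thread's procedure, not ComboFix): show every copy of
# the named SafeBoot\Minimal keys in each ControlSetNNN and which numbered set
# CurrentControlSet and LastKnownGood currently point at. Read-only.
# Assumption: Windows PowerShell 2.0+, run as an administrator.
$names = 'IMFservice', 'Lavasoft Ad-Aware Service', 'rootrepeal.sys'   # keys named in the thread

# HKLM\SYSTEM\Select holds the numbers of the Current, Default, LastKnownGood
# and Failed control sets. CurrentControlSet is a link to the "Current" one.
$select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
'CurrentControlSet -> ControlSet{0:D3}   LastKnownGood -> ControlSet{1:D3}' -f $select.Current, $select.LastKnownGood

$rows = Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
    ForEach-Object {
        $set = $_.PSChildName
        foreach ($n in $names) {
            # -LiteralPath because one key name contains spaces.
            $key = "HKLM:\SYSTEM\$set\Control\SafeBoot\Minimal\$n"
            if (Test-Path -LiteralPath $key) {
                # The (default) value is what ComboFix prints after @= in its log.
                $default = (Get-ItemProperty -LiteralPath $key).'(default)'
                New-Object PSObject -Property @{
                    ControlSet = $set
                    Key        = $n
                    Default    = $default
                    IsCurrent  = ($set -eq ('ControlSet{0:D3}' -f $select.Current))
                }
            }
        }
    }

if ($rows) {
    $rows | Sort-Object Key, ControlSet | Format-Table ControlSet, IsCurrent, Key, Default -AutoSize
} else {
    'None of the named keys exist in any control set.'
}
```

A key that shows up only in a non-current set is the copy Bobbye's KB link is about: the CFScript and regedit both acted on CurrentControlSet, so the other numbered sets were never in scope. Whether anything should be deleted from those sets is the helper's call; this script only reports where each copy lives so that decision is made with the whole picture.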
     
Topic Status:
Not open for further replies.
