Solved Infected by rootkit zeroaccess

I disabled avast. then uplugged the internet cable as mentionned in 5 steps. Then I opened Gmer and at the beginning it runs for a few seconds. I got a dozen hits regarding avast. (I never saw anything there, before it would run then after that mini scan I clicked scan but in the opening scan I got those avast links) should I procedd nonetheless with gmer even though it still sees avast?
 
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Owner at 19:07:07 on 2012-04-10
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1509.1144 [GMT -4:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.metacrawler.com/
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Gestionnaire Antidote.exe] c:\program files\druide\antidote\Gestionnaire Antidote.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\BigFix.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1334078451687
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
TCP: DhcpNameServer = 24.200.241.37 24.202.72.13 24.200.0.1
TCP: Interfaces\{826423B9-6621-48B0-801F-26BC0A96DEAF} : DhcpNameServer = 24.200.241.37 24.202.72.13 24.200.0.1
Notify: igfxcui - igfxsrvc.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-4-10 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-4-10 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-4-10 20696]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-4-10 44768]
R2 FastPara;FastPara;c:\windows\system32\drivers\fastpara.sys [2012-4-10 33696]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-4-10 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-4-10 136176]
.
=============== Created Last 30 ================
.
2012-04-10 20:53:25 -------- d-----w- c:\program files\home plan software
2012-04-10 19:05:00 -------- d-----w- c:\documents and settings\owner\local settings\application data\Google
2012-04-10 19:04:55 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-04-10 19:04:31 41184 ----a-w- c:\windows\avastSS.scr
2012-04-10 19:04:14 -------- d-----w- c:\program files\AVAST Software
2012-04-10 19:04:14 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2012-04-10 18:51:52 -------- d-sh--w- c:\documents and settings\owner\PrivacIE
2012-04-10 18:50:59 -------- d-sh--w- c:\documents and settings\owner\IETldCache
2012-04-10 18:45:44 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-04-10 18:45:25 -------- d-----w- c:\windows\ie8updates
2012-04-10 18:45:19 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-04-10 18:45:19 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2012-04-10 18:45:19 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-04-10 18:45:19 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-04-10 18:45:19 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2012-04-10 18:45:19 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-04-10 18:45:19 11082752 -c----w- c:\windows\system32\dllcache\ieframe.dll
2012-04-10 18:44:19 -------- dc-h--w- c:\windows\ie8
2012-04-10 18:35:40 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-04-10 18:35:40 3072 ------w- c:\windows\system32\iacenc.dll
2012-04-10 18:33:14 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-04-10 18:33:04 758784 -c--a-w- c:\windows\system32\dllcache\vgx.dll
2012-04-10 18:32:53 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-04-10 18:31:01 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2012-04-10 18:30:51 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2012-04-10 18:30:29 978944 -c----w- c:\windows\system32\dllcache\mfc42.dll
2012-04-10 18:30:29 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2012-04-10 18:30:04 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2012-04-10 18:28:01 139784 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-04-10 18:24:38 274288 ----a-w- c:\windows\system32\mucltui.dll
2012-04-10 18:24:38 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-04-10 18:17:39 -------- d-----w- c:\program files\Messenger
2012-04-10 18:17:24 -------- d-----w- c:\windows\system32\scripting
2012-04-10 18:17:24 -------- d-----w- c:\windows\l2schemas
2012-04-10 18:17:23 -------- d-----w- c:\windows\system32\en
2012-04-10 18:17:23 -------- d-----w- c:\windows\system32\bits
2012-04-10 18:14:39 -------- d-----w- c:\windows\network diagnostic
2012-04-10 18:11:45 -------- d-----w- c:\windows\EHome
2012-04-10 17:53:47 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2012-04-10 17:42:49 -------- d-----w- c:\program files\MSXML 4.0
2012-04-10 17:38:07 -------- d-----w- c:\documents and settings\owner\local settings\application data\ApplicationHistory
2012-04-10 17:35:38 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2012-04-10 17:34:06 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-04-10 17:33:48 357888 -c----w- c:\windows\system32\dllcache\srv.sys
2012-04-10 17:32:59 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2012-04-10 17:32:59 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2012-04-10 17:32:52 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2012-04-10 17:28:57 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2012-04-10 17:28:20 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2012-04-10 17:28:20 272128 ------w- c:\windows\system32\drivers\bthport.sys
2012-04-10 17:28:17 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2012-04-10 17:23:13 -------- d-----w- c:\windows\system32\PreInstall
2012-04-10 17:23:12 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2012-04-10 17:23:11 -------- d--h--w- c:\windows\$hf_mig$
2012-04-10 17:20:35 -------- d-sh--w- c:\documents and settings\owner\UserData
2012-04-10 14:10:53 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes
2012-04-10 14:10:49 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-04-10 14:10:48 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-10 14:10:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-10 13:29:54 33696 ----a-w- c:\windows\system32\drivers\fastpara.sys
2012-04-10 02:58:59 61500 ----a-w- c:\windows\system32\usrcntra.dll
2012-04-10 02:57:59 12288 ----a-w- c:\windows\system32\drivers\tunmp.sys
2012-04-10 02:56:34 47104 ----a-w- c:\windows\system32\cnbjmon.dll
2012-04-10 02:54:59 9216 -c--a-w- c:\windows\system32\dllcache\subst.exe
2012-04-10 02:53:59 76800 ----a-w- c:\windows\system32\nslookup.exe
2012-04-10 02:52:03 9728 -c--a-w- c:\windows\system32\dllcache\label.exe
2012-04-10 02:51:59 81920 ----a-w- c:\windows\system32\isign32.dll
2012-04-10 02:50:37 83456 ----a-w- c:\windows\system32\dpvsetup.exe
2012-04-10 02:49:54 8192 -c--a-w- c:\windows\system32\dllcache\asferror.dll
2012-04-10 02:07:25 -------- d-----r- C:\Program Files
2012-04-10 02:06:32 -------- d-----r- c:\documents and settings\all users\Documents
2012-04-10 01:59:19 -------- d-----r- c:\windows\Offline Web Pages
2012-04-10 01:58:02 -------- dcsh--r- c:\windows\system32\dllcache
2012-04-10 01:56:27 -------- d-----w- C:\My Backup -- 12-04-09 0656PM
2012-04-10 00:48:59 -------- d-----w- c:\program files\Big Hammer
2012-04-10 00:45:17 -------- d-----w- c:\program files\Druide
2012-04-10 00:44:54 -------- d-----w- c:\program files\PDF-Convert
2012-04-10 00:44:43 913408 ----a-w- c:\program files\windows media player\wmpnetwk.exe
2012-04-10 00:44:43 493568 ----a-w- c:\program files\windows media player\wmdbexport.exe
2012-04-10 00:44:43 36864 ----a-w- c:\program files\windows media player\wmpshare.exe
2012-04-10 00:44:43 25600 ----a-w- c:\program files\windows media player\wmpenc.exe
2012-04-10 00:44:43 241664 ----a-w- c:\program files\windows media player\wmlaunch.exe
2012-04-10 00:44:43 204288 ----a-w- c:\program files\windows media player\wmpnscfg.exe
2012-04-10 00:44:43 198144 ----a-w- c:\program files\windows media player\wmpnssci.dll
2012-04-10 00:44:43 1669120 ----a-w- c:\program files\windows media player\wmsetsdk.exe
2012-04-10 00:44:42 410928 ----a-w- c:\program files\windows media player\LegitLibM.dll
2012-04-10 00:43:59 -------- d-----w- c:\program files\twain_32
2012-04-10 00:43:35 -------- d-----w- c:\program files\Samsung
2012-04-10 00:43:06 -------- d-----w- c:\program files\maxxscan61
2012-04-10 00:41:18 -------- d-----w- c:\program files\compeyescan300600
2012-04-10 00:32:23 -------- d-----w- c:\documents and settings\owner\application data\Symantec
2012-04-10 00:17:36 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2012-04-10 00:15:20 -------- d-----w- C:\SYSPREP
2012-04-10 00:13:01 -------- d-----w- c:\windows\system32\SoftwareDistribution
.
==================== Find3M ====================
.
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ------w- c:\windows\system32\html.iec
2012-02-28 18:50:29 81920 ------w- c:\windows\system32\ieencode.dll
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 19:08:22.45 ===============
.
 
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 4/9/2012 8:14:07 PM
System Uptime: 4/10/2012 7:05:20 PM (0 hours ago)
.
Motherboard: Intel Corporation | | D915GSE
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | | 3200/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 233 GiB total, 176.389 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: USB Device
Device ID: USB\VID_05CB&PID_1483\5&1AEC3740&0&1
Manufacturer:
Name: USB Device
PNP Device ID: USB\VID_05CB&PID_1483\5&1AEC3740&0&1
Service:
.
==== System Restore Points ===================
.
RP6: 4/10/2012 11:28:18 AM - System Checkpoint
RP7: 4/10/2012 1:22:35 PM - Software Distribution Service 3.0
RP8: 4/10/2012 1:36:31 PM - Software Distribution Service 3.0
RP9: 4/10/2012 1:55:17 PM - Software Distribution Service 3.0
RP10: 4/10/2012 2:36:15 PM - Software Distribution Service 3.0
RP11: 4/10/2012 2:53:25 PM - Software Distribution Service 3.0
RP12: 4/10/2012 3:04:14 PM - avast! Free Antivirus Setup
.
==== Installed Programs ======================
.
America Online (Choose which version to remove)
avast! Free Antivirus
BigFix
Compeye 300/600 Driver
Digital Media Reader
Google Update Helper
High Definition Audio Driver Package - KB835221
Home Plan Pro version 5.2.12.20
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB981793)
hp deskjet 3320 series
Intel(R) Graphics Media Accelerator Driver
Java 2 Runtime Environment, SE v1.4.2
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft Picture It! Photo Premium 9
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
oobeFlagNetscape0
PowerDVD
QuickTime
RealPlayer Basic
Realtek High Definition Audio Driver
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544521)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2675157)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
SoftV92 Data Fax Modem with SmartCP
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
WebFldrs XP
Windows Backup Utility
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
4/9/2012 8:44:49 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\windows media player\wmplayer.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 11.0.5721.5145, the version of the system file is 9.0.0.3250.
4/9/2012 8:44:49 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\windows media player\wmpband.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 11.0.5721.5145, the version of the system file is 9.0.0.3250.
4/9/2012 8:44:49 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\windows media player\setup_wm.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 11.0.5721.5146, the version of the system file is 9.0.0.3250.
4/9/2012 8:44:49 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\windows media player\npwmsdrm.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 9.0.0.4503, the version of the system file is 9.0.0.3250.
4/9/2012 8:44:49 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\windows media player\npdsplay.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 3.0.2.629, the version of the system file is 3.0.2.628.
4/9/2012 8:44:49 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\windows media player\npdrmv2.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 9.0.0.4503, the version of the system file is 9.0.0.3250.
4/9/2012 8:44:49 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\windows media player\mpvis.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 11.0.5721.5145, the version of the system file is 9.0.0.3250.
4/9/2012 8:44:48 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\windows media player\mplayer2.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.4.9.1126, the version of the system file is 6.4.9.1125.
4/9/2012 8:42:28 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\inetwiz.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.0.2900.5512, the version of the system file is 6.0.2900.2180.
4/9/2012 8:42:28 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\icwutil.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.0.2900.5512, the version of the system file is 6.0.2900.2180.
4/9/2012 8:42:28 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\icwrmind.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.0.2900.5512, the version of the system file is 6.0.2900.2180.
4/9/2012 8:42:27 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\iexplore.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 8.0.6001.18702, the version of the system file is 6.0.2900.2180.
4/9/2012 8:42:27 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\iedw.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.1.2600.5512, the version of the system file is 5.1.2600.2180.
4/9/2012 8:42:27 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\hmmapi.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 8.0.6001.18702, the version of the system file is 6.0.2900.2180.
4/9/2012 8:42:27 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\icwhelp.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.0.2900.5512, the version of the system file is 6.0.2900.2180.
4/9/2012 8:42:27 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\icwdl.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.0.2900.5512, the version of the system file is 6.0.2900.2180.
4/9/2012 8:42:27 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\icwconn2.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.0.2900.5512, the version of the system file is 6.0.2900.2180.
4/9/2012 8:42:27 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\icwconn1.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.0.2900.5512, the version of the system file is 6.0.2900.2180.
4/9/2012 8:42:27 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\icwconn.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.0.2900.5512, the version of the system file is 6.0.2900.2180.
4/9/2012 8:37:06 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
4/10/2012 9:31:50 AM, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{826423B9-6621-48B0-801F-26BC0A96DEAF} because another computer on the network has the same name. The server could not start.
4/10/2012 9:31:50 AM, error: NetBT [4321] - The name "NP :20" could not be registered on the Interface with IP address 169.254.97.224. The machine with the IP address 169.254.0.60 did not allow the name to be claimed by this machine.
4/10/2012 9:31:50 AM, error: NetBT [4321] - The name "NP :0" could not be registered on the Interface with IP address 169.254.97.224. The machine with the IP address 169.254.0.60 did not allow the name to be claimed by this machine.
4/10/2012 11:55:19 AM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
4/10/2012 10:39:53 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde
.
==== End Of File ===========================
 
Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

=================================================================

Download Bootkit Remover to your desktop.

  • Unzip downloaded file to your Desktop.
  • Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-11 15:32:01
-----------------------------
15:32:01.531 OS Version: Windows 5.1.2600 Service Pack 3
15:32:01.531 Number of processors: 2 586 0x304
15:32:01.531 ComputerName: NP UserName:
15:32:02.984 Initialize success
15:32:03.171 AVAST engine defs: 12041101
15:32:18.390 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
15:32:18.390 Disk 0 Vendor: WDC_WD2500JD-22HBB0 08.02D08 Size: 238475MB BusType: 3
15:32:18.406 Disk 0 MBR read successfully
15:32:18.406 Disk 0 MBR scan
15:32:18.406 Disk 0 unknown MBR code
15:32:18.406 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238472 MB offset 63
15:32:18.406 Disk 0 scanning sectors +488392065
15:32:18.500 Disk 0 scanning C:\WINDOWS\system32\drivers
15:32:25.156 Service scanning
15:32:32.656 Modules scanning
15:32:36.125 Disk 0 trace - called modules:
15:32:36.140 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
15:32:36.140 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a394030]
15:32:36.140 3 CLASSPNP.SYS[f76b7fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-17[0x8a3aad98]
15:32:36.593 AVAST engine scan C:\WINDOWS
15:32:49.437 AVAST engine scan C:\WINDOWS\system32
15:34:20.000 AVAST engine scan C:\WINDOWS\system32\drivers
15:34:34.671 AVAST engine scan C:\Documents and Settings\Owner
15:39:11.671 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
15:39:11.687 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"


thne it said it had an error and stopped. tried it twice

botkit now

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-11 15:32:01
-----------------------------
15:32:01.531 OS Version: Windows 5.1.2600 Service Pack 3
15:32:01.531 Number of processors: 2 586 0x304
15:32:01.531 ComputerName: NP UserName:
15:32:02.984 Initialize success
15:32:03.171 AVAST engine defs: 12041101
15:32:18.390 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
15:32:18.390 Disk 0 Vendor: WDC_WD2500JD-22HBB0 08.02D08 Size: 238475MB BusType: 3
15:32:18.406 Disk 0 MBR read successfully
15:32:18.406 Disk 0 MBR scan
15:32:18.406 Disk 0 unknown MBR code
15:32:18.406 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238472 MB offset 63
15:32:18.406 Disk 0 scanning sectors +488392065
15:32:18.500 Disk 0 scanning C:\WINDOWS\system32\drivers
15:32:25.156 Service scanning
15:32:32.656 Modules scanning
15:32:36.125 Disk 0 trace - called modules:
15:32:36.140 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
15:32:36.140 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a394030]
15:32:36.140 3 CLASSPNP.SYS[f76b7fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-17[0x8a3aad98]
15:32:36.593 AVAST engine scan C:\WINDOWS
15:32:49.437 AVAST engine scan C:\WINDOWS\system32
15:34:20.000 AVAST engine scan C:\WINDOWS\system32\drivers
15:34:34.671 AVAST engine scan C:\Documents and Settings\Owner
15:39:11.671 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
15:39:11.687 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"


Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 869670d31e461535ecca5b3e97963d9c

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...
 
Looks good :)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.

  • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe
  • Double-click on the Rkill icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
ComboFix 12-04-11.03 - Owner 04/11/2012 17:44:36.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1509.1116 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Owner\WINDOWS
c:\program files\keygen.exe
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\dllcache\dlimport.exe
c:\windows\wallpg.exe
K:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-03-11 to 2012-04-11 )))))))))))))))))))))))))))))))
.
.
2012-04-11 20:56 . 2012-02-10 18:33 42152 ----a-w- c:\windows\system32\drivers\oahlp32.sys
2012-04-11 20:56 . 2012-02-10 18:33 29464 ----a-w- c:\windows\system32\drivers\OAnet.sys
2012-04-11 20:56 . 2012-02-10 18:33 25192 ----a-w- c:\windows\system32\drivers\OAmon.sys
2012-04-11 20:56 . 2012-02-10 18:33 205864 ----a-w- c:\windows\system32\drivers\OADriver.sys
2012-04-11 00:38 . 2012-04-11 00:38 -------- d-----w- C:\Downloads
2012-04-10 23:45 . 2012-04-11 21:34 -------- d-----w- c:\documents and settings\Owner\Tracing
2012-04-10 23:44 . 2012-04-10 23:44 -------- dc----w- c:\windows\system32\DRVSTORE
2012-04-10 23:44 . 2010-04-28 11:44 54760 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2012-04-10 23:39 . 2006-11-29 17:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2012-04-10 19:06 . 2012-04-10 19:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-04-10 19:05 . 2012-04-10 23:04 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Google
2012-04-10 19:04 . 2012-03-06 23:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-04-10 19:04 . 2012-03-06 23:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-04-10 19:04 . 2012-03-06 23:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-04-10 19:04 . 2012-03-06 23:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-04-10 19:04 . 2012-03-06 23:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-04-10 19:04 . 2012-03-06 23:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-04-10 19:04 . 2012-03-06 23:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-04-10 19:04 . 2012-03-06 22:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-04-10 19:04 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
2012-04-10 19:04 . 2012-03-06 23:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-04-10 18:51 . 2012-04-10 18:51 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2012-04-10 18:50 . 2012-04-10 18:50 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2012-04-10 18:44 . 2012-04-10 18:44 -------- dc-h--w- c:\windows\ie8
2012-04-10 18:35 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-04-10 18:24 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2012-04-10 18:17 . 2012-04-10 18:17 -------- d-----w- c:\windows\system32\scripting
2012-04-10 18:17 . 2012-04-10 18:17 -------- d-----w- c:\windows\l2schemas
2012-04-10 18:17 . 2012-04-10 18:17 -------- d-----w- c:\windows\system32\en
2012-04-10 18:17 . 2012-04-10 18:17 -------- d-----w- c:\windows\system32\bits
2012-04-10 18:11 . 2012-04-10 18:11 -------- d-----w- c:\windows\EHome
2012-04-10 17:53 . 2004-08-04 02:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2012-04-10 17:39 . 2012-04-10 18:16 -------- d-----w- c:\windows\ServicePackFiles
2012-04-10 17:38 . 2012-04-10 18:47 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory
2012-04-10 17:29 . 2011-02-17 12:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2012-04-10 17:28 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2012-04-10 17:23 . 2009-01-07 22:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2012-04-10 17:23 . 2012-04-10 18:54 -------- d--h--w- c:\windows\$hf_mig$
2012-04-10 17:20 . 2012-04-10 17:20 -------- d-sh--w- c:\documents and settings\Owner\UserData
2012-04-10 14:10 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-10 13:29 . 1998-10-10 00:53 33696 ----a-w- c:\windows\system32\drivers\fastpara.sys
2012-04-10 02:58 . 2001-08-17 22:36 61500 ----a-w- c:\windows\system32\usrcntra.dll
2012-04-10 02:57 . 2008-04-13 18:56 12288 ----a-w- c:\windows\system32\drivers\tunmp.sys
2012-04-10 02:56 . 2008-04-14 00:11 47104 ----a-w- c:\windows\system32\cnbjmon.dll
2012-04-10 02:54 . 2009-10-21 05:38 75776 ----a-w- c:\windows\system32\strmfilt.dll
2012-04-10 02:53 . 2008-04-14 00:12 76800 ----a-w- c:\windows\system32\nslookup.exe
2012-04-10 02:52 . 2010-06-15 16:17 143422 ----a-w- c:\windows\system32\l3codecx.ax
2012-04-10 02:50 . 2008-04-14 00:12 83456 ----a-w- c:\windows\system32\dpvsetup.exe
2012-04-10 02:49 . 2008-04-14 00:08 114688 ----a-w- c:\windows\system32\asctrls.ocx
2012-04-10 02:07 . 2012-04-11 21:47 -------- d-----r- C:\Program Files
2012-04-10 01:58 . 2012-04-11 21:47 -------- dcsh--r- c:\windows\system32\dllcache
2012-04-10 01:56 . 2012-04-10 15:09 -------- d-----w- C:\My Backup -- 12-04-09 0656PM
2012-04-10 00:17 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2012-04-10 00:15 . 2012-04-10 00:15 -------- d-----w- C:\SYSPREP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-10 23:42 . 2004-10-16 06:45 73728 ----a-w- c:\windows\ALCFDRTM.VER
2012-02-28 18:50 . 2012-02-28 18:50 81920 ------w- c:\windows\system32\ieencode.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gestionnaire Antidote.exe"="c:\program files\Druide\Antidote\Gestionnaire Antidote.exe" [2007-04-16 534200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-07-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-07-01 118784]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-18 61952]
"SoundMan"="SOUNDMAN.EXE" [2004-08-25 77824]
"AlcWzrd"="ALCWZRD.EXE" [2004-08-25 2552320]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-03-12 135168]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"@OnlineArmor GUI"="c:\program files\Online Armor\OAui.exe" [2012-02-10 2645440]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2004-10-14 1742384]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2012-02-10 359352]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/10/2012 3:04 PM 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/10/2012 3:04 PM 337880]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [4/11/2012 4:56 PM 205864]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [4/11/2012 4:56 PM 25192]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [4/11/2012 4:56 PM 29464]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/10/2012 3:04 PM 20696]
R2 FastPara;FastPara;c:\windows\system32\drivers\fastpara.sys [4/10/2012 9:29 AM 33696]
R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [4/11/2012 4:56 PM 208472]
S1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [4/11/2012 4:56 PM 42152]
S2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [4/11/2012 4:56 PM 4369208]
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-10 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2012-04-10 00:12]
.
2012-04-10 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2012-04-10 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.metacrawler.com/
TCP: DhcpNameServer = 24.200.241.37 24.202.72.13 24.200.0.1
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-America Online us - c:\program files\Common Files\aolshare\Aolunins_us.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-11 17:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-04-11 17:51:38
ComboFix-quarantined-files.txt 2012-04-11 21:51
.
Pre-Run: 187,644,379,136 bytes free
Post-Run: 187,771,375,616 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect
.
- - End Of File - - 7E1AD0D9655F971648D5DC6AC0150CE9



do have question how can i get rid of whats left of the c:backup (2-3 files that wont delete)

and is it true I should use the admin account cause thats the one I always use (kida ahve limited account)

also can i delet the log an dbak file?thanks!
 
Combofix log looks good.

how can i get rid of whats left of the c:backup
What do you have that folder for?

is it true I should use the admin account
Yes.

can i delet the log an dbak file?
Say again?

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\tasks\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
i dont have internet access anymore

EDIT
Ihave sometimes internet access and sometimes not. it just reworked no idea why or why it stops
and looks like my laptop and desktop now share the same internet line(we have a router so I dont understand why this is happening.
 
otl downloaded but it wont run I get the error message that i dont have access. and again im the admin!

---------------------------
C:\Documents and Settings\Owner\Desktop\OTL.exe
---------------------------
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.
---------------------------
OK
---------------------------


c:backup was created when I did recovery.the files have long digits info and seems tobe empty
ecample of one:

7abaffad1a563007e0b2fd
 
Lets run the following tool. This will help determine which files need permissions restored.

Please download and save Junction.zip

Unzip it and place Junction.exe in the Windows directory (C:\Windows).
Go to Start>Run (Vista and Windows 7 users use "Start search" box).
Copy and paste the following command in the Run box and click OK (Vista and Windows 7 users press "Enter"):

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system.
Wait until a log file opens.
Copy and paste the log in your next reply.
 
Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


...

...

...

...

..
Failed to open \\?\c:\\Documents and Settings\Owner\Desktop\96dcea1\update: Access is denied.


.

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

..
Failed to open \\?\c:\\My Backup -- 12-04-09\7abaffad1a563007e0b2fd\amd64: Access is denied.



Failed to open \\?\c:\\My Backup -- 12-04-09\7abaffad1a563007e0b2fd\i386: Access is denied.



Failed to open \\?\c:\\My Backup -- 12-04-09\ac7d152522fead729386a5e252\update: Access is denied.



Failed to open \\?\c:\\My Backup -- 12-04-09\Qoobox\BackEnv: Access is denied.


.

...

...

...

...

...

...


Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.


...

...

...

...

...

...

...\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790



...

...

...

...

...

...

...

...

...

...

...

...

...

...
 
For 32-bit systems please download GrantPerms.zip and save it to your desktop.
For 64-bit systems please download GrantPerms64.zip and save it to your desktop.
Unzip the file and depending on the system run GrantPerms.exe or GrantPerms64.exe
Copy and paste the following in the edit box:

Code:
c:\\Documents and Settings\Owner\Desktop\96dcea1\update
c:\\My Backup -- 12-04-09\7abaffad1a563007e0b2fd\amd64
c:\\My Backup -- 12-04-09\7abaffad1a563007e0b2fd\i386
c:\\My Backup -- 12-04-09\ac7d152522fead729386a5e252\update
c:\\My Backup -- 12-04-09\Qoobox\BackEnv
c:\\My Backup -- 12-04-09
c:\\Qoobox\BackEnv

Click Unlock. When it is done click "OK".
Click List Permissions and post the result of Perms.txt file that pops up.
A copy of Perms.txt will be saved in the same directory the tool is run.

You should be able to delete those stubborn files now.

===================================================================

Skip OTL.

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


3. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


4. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE. If Eset won't find any threats, it won't produce any log.
 
ok I figured out I have a 32 bit system. I donwload the right one. extracted it but still receives thsi error message that I dont have access to open it. arhg so ...whats next...

bon i restartted and tried it now it uns Grant perms sorry
GrantPerms by Farbar
Ran by Owner (administrator) at 2012-04-11 20:45:17

===============================================
\\?\c:\\Documents and Settings\Owner\Desktop\96dcea1\update

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\My Backup -- 12-04-09\7abaffad1a563007e0b2fd\amd64

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


\\?\c:\\My Backup -- 12-04-09\7abaffad1a563007e0b2fd\i386

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


\\?\c:\\My Backup -- 12-04-09\ac7d152522fead729386a5e252\update

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


\\?\c:\\My Backup -- 12-04-09\Qoobox\BackEnv

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\My Backup -- 12-04-09

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\Qoobox\BackEnv

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)
 
sorry I ,meant grantperms...oups so many software heremy mistakes getting confused by the names

. sorry the log is above but I still cannot remove those files except the c:\\Qoobox\BackEnv that one I oculd delete. heres

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
avast! Free Antivirus
Online Armor 5.5
```````````````````````````````
Anti-malware/Other Utilities Check:

Java 2 Runtime Environment, SE v1.4.2
Adobe Reader X (10.1.3)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Tall Emu Online Armor OAcat.exe
Tall Emu Online Armor oasrv.exe
Tall Emu Online Armor oaui.exe
Tall Emu Online Armor OAhlp.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast avastUI.exe
``````````End of Log````````````
 
yes that s the one and one file on desktop which came from there when I was trying today to get rid of all info from backup in case virus was there.

fss now

Farbar Service Scanner Version: 01-03-2012
Ran by Owner (administrator) on 11-04-2012 at 20:57:33
Running from "C:\Documents and Settings\Owner\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

RpcSs Service is not running. Checking service configuration:
The start type of RpcSs service is OK.
The ImagePath of RpcSs: "%SystemRoot%\system32\svchost.exe -k rpcss".


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(8) fssfltr(9) Gpc(6) IPSec(4) NetBT(5) OAmon(10) Tcpip(3)
0x0800000004000000030000000A0000000800000005000000060000000700000009000000
IpSec Tag value is correct.

**** End of log ****
 
Regarding that folder....

Download BlitzBlank and save it to your desktop.
Double click on Blitzblank.exe

  • Click OK at the warning.
  • Click the Script tab and copy/paste the following text there:
Code:
DeleteFolder: 
"c:\My Backup -- 12-04-09"
  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post the report created by Blitzblank.
    You can find it in the root of the drive, normally C:\
 
some inside that folder got deleted...now it seems to be empty but if I click on it it says 154mb...and it wont delete

Also to run blitcblank I had to restart the computer I had again an administrator error(cannot access files u might not have permission bla bla.


BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
MoveDirectoryOnReboot: sourceDirectory = "\??\c:\my backup -- 12-04-09", destinationDirectory = "(null)", replaceWithDummy = 0
MoveDirectoryOnReboot: sourceDirectory = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd", destinationDirectory = "(null)", replaceWithDummy = 0
MoveDirectoryOnReboot: sourceDirectory = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\amd64", destinationDirectory = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\amd64\msxpsinc.gpd", destinationFile = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\amd64\msxpsinc.ppd", destinationFile = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\amd64\mxdwdrv.dll", destinationFile = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\amd64\xpssvcs.dll", destinationFile = "(null)", replaceWithDummy = 0
MoveDirectoryOnReboot: sourceDirectory = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\i386", destinationDirectory = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\i386\filterpipelineprintproc.dll", destinationFile = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\i386\msxpsdrv.cat", destinationFile = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\i386\msxpsdrv.inf", destinationFile = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\i386\msxpsinc.gpd", destinationFile = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\i386\msxpsinc.ppd", destinationFile = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\i386\mxdwdrv.dll", destinationFile = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\i386\xpssvcs.dll", destinationFile = "(null)", replaceWithDummy = 0
MoveDirectoryOnReboot: sourceDirectory = "\??\c:\my backup -- 12-04-09\96dcea1", destinationDirectory = "(null)", replaceWithDummy = 0
MoveDirectoryOnReboot: sourceDirectory = "\??\c:\my backup -- 12-04-09\96dcea1\update", destinationDirectory = "(null)", replaceWithDummy = 0
MoveDirectoryOnReboot: sourceDirectory = "\??\c:\my backup -- 12-04-09\ac7d152522fead729386a5e252", destinationDirectory = "(null)", replaceWithDummy = 0
MoveDirectoryOnReboot: sourceDirectory = "\??\c:\my backup -- 12-04-09\ac7d152522fead729386a5e252\update", destinationDirectory = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\ac7d152522fead729386a5e252\update\updspapi.dll", destinationFile = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\ac7d152522fead729386a5e252\update\wpdinstallutil.dll", destinationFile = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\boot.ini", destinationFile = "(null)", replaceWithDummy = 0
RemoveFile: ZwDeleteFile failed: status = c0000121
MoveDirectoryOnReboot: ProcessElement failed: status = c0000121
 
(redid this blitzbank)
when the computer logs I get error messages in blue at the booting time. I went to see it was still there
So I tried to get rid of it manually.
here is the error message I get on it if I tryto get rid of it manually

---------------------------
Error Deleting File or Folder
---------------------------
Cannot delete 1394BUS.SY_: Access is denied.

Make sure the disk is not full or write-protected
and that the file is not currently in use.
---------------------------
OK
---------------------------
 
Back