Solved Need help with Conflicker virus

Status
Not open for further replies.

al davis

Posts: 232   +7
It seem I have the conflicker virus. I've used avast and Malwarebytes to detect and remove it but a couple of days later it's back. I have a small network (varies from 5 to 10 pc's XP & win 2000). Please help.

Al
 
You already had a topic in malware forum, so you should know what to do...

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
Attached logs won't be reviewed.


Please, observe following rules:

  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
 
Broni

Thanks for your help. As I mentioned I have a number of machines on this small network. On some I have seen the virus and on others not. Given the time delays and the amount of work required to identify and remove viruses this could take a very long time. Can I attack some of these machines in parallel or will the all need to be done serially ? How do you recommend I proceed ?
 
NLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows 2000 Professional
Boot Device: \Device\Harddisk0\Partition1
Install Date:
System Uptime: 11/12/2010 12:46:55 PM (5 hours ago)

Motherboard: To be filled by O.E.M. | | To be filled by O.E.M.
Processor: Intel(R) Pentium(R) M processor 1.80GHz | CPU 1 | 1800/100mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 14 GiB total, 10.956 GiB free.
D: is FIXED (NTFS) - 1 GiB total, 0.472 GiB free.
E: is FIXED (NTFS) - 75 GiB total, 74.456 GiB free.
F: is Removable
Z: RAMDisk FAT 0 GiB total, 0.03 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&322E6CAA&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&322E6CAA&0
Service: i8042prt

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Acronis*True*Image
avast! Antivirus
DiskSpeed32
Intel(R) Extreme Graphics 2 Driver
Intel(R) PROSafe for Wired Connections
Malwarebytes' Anti-Malware
Microsoft Office 97, Professional Edition
Microsoft Visual C++ 6.0 Professional Edition
MSDN Library - Visual Studio 6.0a
PCI-417Wins
VNC Free Edition 4.1.2
WebFldrs
Windows 2000 Hotfix - KB917953

==== End Of File ===========================
 
DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 17:47:12.54 on Fri 11/12/2010
Internet Explorer: 5.00.3700.1000
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.2039.1648 [GMT 0:00]


============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImage\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\Administrator\Desktop\virus_et_al\bco3fvo5.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Administrator\Desktop\virus_et_al\dds.scr

============== Pseudo HJT Report ===============

mDefault_Page_URL = hxxp://www.msn.com
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [IgfxTray] c:\winnt\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\winnt\system32\hkcmd.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimage\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimage\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\shortc~1.lnk - c:\program files\argon st\tftpd32.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
Notify: igfxcui - igfxsrvc.dll
LSA: Authentication Packages = msv1_0 relog_ap

============= SERVICES / DRIVERS ===============

R?2 jqzhcxpgv;Driver Center;c:\winnt\system32\svchost.exe -k netsvcs [2001-5-8 7952]
R?2 kgavbgjan;Microsoft Driver;c:\winnt\system32\svchost.exe -k netsvcs [2001-5-8 7952]
R?2 ugsau;Microsoft Boot;c:\winnt\system32\svchost.exe -k netsvcs [2001-5-8 7952]
R0 Ramdisk;Ramdisk Driver;c:\winnt\system32\drivers\ramdisk.sys [2006-5-15 6995]
R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [2010-11-12 78416]
R2 aswMon;avast! Standard Shield Support;c:\winnt\system32\drivers\aswmon.sys [2010-11-12 93264]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-11-12 144760]
R2 DriverX;DriverX;c:\winnt\system32\drivers\driverx.sys [2006-5-15 52512]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-11-12 247160]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-11-12 349560]
R3 dtl5933w;dtl5933w;c:\winnt\system32\drivers\dtl5933w.sys [2006-4-6 18176]
R3 E100E;E100E;c:\winnt\system32\drivers\E100ENT.sys [1999-5-27 25360]
R3 usbhub20;USB Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2006-6-5 49776]
S3 yukonw2k;NDIS5 Miniport Driver for Marvell Yukon Ethernet Controller;c:\winnt\system32\drivers\yk50x86.sys [2006-5-16 243840]

=============== Created Last 30 ================

2010-11-12 17:47:13 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_34c.dat
2010-11-12 12:50:41 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_268.dat
2010-11-11 16:08:21 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-11-11 16:08:08 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-11-11 16:08:07 19288 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-11-11 16:08:07 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-11 16:08:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2010-08-17 17:06:50 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_274.dat
2010-08-17 14:07:58 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_278.dat
2006-04-06 17:40:44 271 ---h--w- c:\program files\desktop.ini
2006-04-06 17:40:44 21952 -c-h--w- c:\program files\folder.htt
2001-05-08 12:00:00 32528 -c--a-w- c:\winnt\inf\wbfirdma.sys

============= FINISH: 17:47:43.04 ===============
 
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-11-12 17:46:12
Windows 5.0.2195 Service Pack 4
Running: bco3fvo5.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdrpow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwClose [0xB75671C2]
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateDirectoryObject [0xB75670AE]
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateFile [0xB7566184]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB78FB444]
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateProcess [0xB7565A36]
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateSection [0xB7566B4C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB78FB922]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB78FB01C]
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwOpenFile [0xB75666AA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB78FB51E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB78FAF5C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB78FAFC0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB78FB63E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB78FB5FE]
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwSetInformationFile [0xB7566ED8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB78FB77E]
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwWriteFile [0xB7566E10]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINNT\System32\Drivers\driverx.sys entry point in "init" section [0xB775D6FE]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Services - GMER 1.0.15 ----

Service C:\WINNT\system32\svchost.exe (*** hidden *** ) [AUTO] jqzhcxpgv <-- ROOTKIT !!!
Service C:\WINNT\system32\svchost.exe (*** hidden *** ) [AUTO] kgavbgjan <-- ROOTKIT !!!
Service C:\WINNT\system32\svchost.exe (*** hidden *** ) [AUTO] ugsau <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\jqzhcxpgv@DisplayName Driver Center
Reg HKLM\SYSTEM\CurrentControlSet\Services\jqzhcxpgv@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\jqzhcxpgv@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\jqzhcxpgv@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\jqzhcxpgv@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\jqzhcxpgv@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\jqzhcxpgv@Description Enables starting processes under alternate credentials
Reg HKLM\SYSTEM\CurrentControlSet\Services\jqzhcxpgv\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\jqzhcxpgv\Parameters@ServiceDll C:\WINNT\system32\bjmnq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kgavbgjan@DisplayName Microsoft Driver
Reg HKLM\SYSTEM\CurrentControlSet\Services\kgavbgjan@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\kgavbgjan@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\kgavbgjan@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kgavbgjan@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\kgavbgjan@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\kgavbgjan@Description Enables starting processes under alternate credentials
Reg HKLM\SYSTEM\CurrentControlSet\Services\kgavbgjan\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\kgavbgjan\Parameters@ServiceDll C:\WINNT\system32\bjmnq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ugsau@DisplayName Microsoft Boot
Reg HKLM\SYSTEM\CurrentControlSet\Services\ugsau@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\ugsau@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\ugsau@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\ugsau@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\ugsau@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\ugsau@Description Provides RPC support and file, print, and named pipe sharing.
Reg HKLM\SYSTEM\CurrentControlSet\Services\ugsau\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\ugsau\Parameters@ServiceDll C:\WINNT\system32\bjmnq.dll
Reg HKLM\SYSTEM\ControlSet002\Services\jqzhcxpgv@DisplayName Driver Center
Reg HKLM\SYSTEM\ControlSet002\Services\jqzhcxpgv@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\jqzhcxpgv@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\jqzhcxpgv@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\jqzhcxpgv@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\jqzhcxpgv@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\jqzhcxpgv@Description Enables starting processes under alternate credentials
Reg HKLM\SYSTEM\ControlSet002\Services\jqzhcxpgv\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\jqzhcxpgv\Parameters@ServiceDll C:\WINNT\system32\bjmnq.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kgavbgjan@DisplayName Microsoft Driver
Reg HKLM\SYSTEM\ControlSet002\Services\kgavbgjan@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\kgavbgjan@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\kgavbgjan@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\kgavbgjan@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\kgavbgjan@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\kgavbgjan@Description Enables starting processes under alternate credentials
Reg HKLM\SYSTEM\ControlSet002\Services\kgavbgjan\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kgavbgjan\Parameters@ServiceDll C:\WINNT\system32\bjmnq.dll
Reg HKLM\SYSTEM\ControlSet002\Services\ugsau@DisplayName Microsoft Boot
Reg HKLM\SYSTEM\ControlSet002\Services\ugsau@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\ugsau@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\ugsau@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\ugsau@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\ugsau@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\ugsau@Description Provides RPC support and file, print, and named pipe sharing.
Reg HKLM\SYSTEM\ControlSet002\Services\ugsau\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\ugsau\Parameters@ServiceDll C:\WINNT\system32\bjmnq.dll

---- EOF - GMER 1.0.15 ----
 
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5099

Windows 5.0.2195 Service Pack 4
Internet Explorer 5.00.3700.1000

11/12/2010 5:27:14 PM
mbam-log-2010-11-12 (17-27-14).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 114769
Time elapsed: 3 hour(s), 47 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Here are all the files from the first set of instruction. The computer apers to be running normally with one exceptions. Immediately after booting the system is very slow to respond it takes 2-3 minutes for a program to start that normally takes 30 seconds.

Al
 
You're infected with a rootkit, so far...

Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
 
2010/11/13 10:55:29.0218 TDSS rootkit removing tool 2.4.7.0 Nov 8 2010 10:52:22
2010/11/13 10:55:29.0218 ================================================================================
2010/11/13 10:55:29.0218 SystemInfo:
2010/11/13 10:55:29.0218
2010/11/13 10:55:29.0218 OS Version: 5.0.2195 ServicePack: 4.0
2010/11/13 10:55:29.0218 Product type: Workstation
2010/11/13 10:55:29.0218 ComputerName: RTM-II
2010/11/13 10:55:29.0218 UserName: Administrator
2010/11/13 10:55:29.0218 Windows directory: C:\WINNT
2010/11/13 10:55:29.0218 System windows directory: C:\WINNT
2010/11/13 10:55:29.0218 Processor architecture: Intel x86
2010/11/13 10:55:29.0218 Number of processors: 1
2010/11/13 10:55:29.0218 Page size: 0x1000
2010/11/13 10:55:29.0218 Boot type: Normal boot
2010/11/13 10:55:29.0218 ================================================================================
2010/11/13 10:55:29.0328 Initialize success
2010/11/13 10:55:33.0046 ================================================================================
2010/11/13 10:55:33.0046 Scan started
2010/11/13 10:55:33.0046 Mode: Manual;
2010/11/13 10:55:33.0046 ================================================================================
2010/11/13 10:55:34.0062 Aavmker4 (2073f856019a2bb1f774f73b34dc2944) C:\WINNT\system32\drivers\Aavmker4.sys
2010/11/13 10:55:34.0140 ACPI (083049d5dc3f32d17c2edfb732c78a09) C:\WINNT\system32\DRIVERS\ACPI.sys
2010/11/13 10:55:34.0171 ACPIEC (4b10b4db777ee2ef8e755e7f3d7c4fe8) C:\WINNT\system32\drivers\ACPIEC.sys
2010/11/13 10:55:34.0203 adpu160m (31b7c8770fda8a3a44bca9dcfe2d1e8b) C:\WINNT\system32\DRIVERS\adpu160m.sys
2010/11/13 10:55:34.0281 AFD (320cac00366bb4d5684b46928cee5adf) C:\WINNT\System32\drivers\afd.sys
2010/11/13 10:55:34.0703 aswMon (6addf942d7099629c7467d6a81ea7912) C:\WINNT\system32\drivers\aswMon.sys
2010/11/13 10:55:34.0718 aswRdr (52e2059219aadf5c896ff2364b88b4bd) C:\WINNT\system32\drivers\aswRdr.sys
2010/11/13 10:55:34.0750 aswSP (96b9eaca31846be3b780b19024dcebcf) C:\WINNT\system32\drivers\aswSP.sys
2010/11/13 10:55:34.0781 aswTdi (37edfcce12c2b46e11c9f98f36564981) C:\WINNT\system32\drivers\aswTdi.sys
2010/11/13 10:55:34.0796 AsyncMac (5d3d77c9eb3a8e6a14cc8e1252b6cc5c) C:\WINNT\system32\DRIVERS\asyncmac.sys
2010/11/13 10:55:34.0828 atapi (8c718aa8c77041b3285d55a0ce980867) C:\WINNT\system32\DRIVERS\atapi.sys
2010/11/13 10:55:34.0875 Atmarpc (3e348b3313ea633d45caf59da0d631ba) C:\WINNT\system32\DRIVERS\atmarpc.sys
2010/11/13 10:55:34.0906 audstub (39d57104a45270f0d376e9ddb484ebbd) C:\WINNT\system32\DRIVERS\audstub.sys
2010/11/13 10:55:34.0937 Beep (df012c2853281ce2bf536e8de871c8c1) C:\WINNT\system32\drivers\Beep.sys
2010/11/13 10:55:35.0000 Cdaudio (b101e013d810d6125e17125e324fcd2c) C:\WINNT\system32\drivers\Cdaudio.sys
2010/11/13 10:55:35.0031 Cdfs (378bbf444d7232e74c74dfae04d4ded0) C:\WINNT\system32\drivers\Cdfs.sys
2010/11/13 10:55:35.0062 Cdrom (4b86a90a7f0095d514d22a9083826488) C:\WINNT\system32\DRIVERS\cdrom.sys
2010/11/13 10:55:35.0250 Disk (322b9a3774dbf119f6635a476b0eb058) C:\WINNT\system32\DRIVERS\disk.sys
2010/11/13 10:55:35.0281 Diskperf (fd94497dd145b3920f5c393eab50ee3a) C:\WINNT\system32\drivers\Diskperf.sys
2010/11/13 10:55:35.0312 dmboot (0b91c63540682bc3c826fc6d8b3ecb7b) C:\WINNT\system32\drivers\dmboot.sys
2010/11/13 10:55:35.0359 dmio (6b35bfdbdbc247113852f18bf0f10e3c) C:\WINNT\system32\drivers\dmio.sys
2010/11/13 10:55:35.0390 dmload (3f1701ffa97ab012685abc8a2d6fce22) C:\WINNT\system32\drivers\dmload.sys
2010/11/13 10:55:35.0437 DriverX (5418c3432fa9c4ebc477cd4dddccd704) C:\WINNT\System32\Drivers\driverx.sys
2010/11/13 10:55:35.0453 dtl5933w (e7cd797400d82c5a9fc42506fc65e8be) C:\WINNT\system32\drivers\dtl5933w.sys
2010/11/13 10:55:35.0484 E1000 (ade967991cda5b5fbe02fae2f5fd62bb) C:\WINNT\system32\DRIVERS\e10002ke.sys
2010/11/13 10:55:35.0515 E100E (be041649cafaf1119ac23929bf90a230) C:\WINNT\system32\DRIVERS\e100ent.sys
2010/11/13 10:55:35.0531 EFS (b2916926428c0410fc1a26da0b650e41) C:\WINNT\system32\drivers\EFS.sys
2010/11/13 10:55:35.0578 Fastfat (556a224f0bd4b0221fa08feca793cd05) C:\WINNT\system32\drivers\Fastfat.sys
2010/11/13 10:55:35.0625 Fdc (233e2c4dae9c84cef241f0ea30619629) C:\WINNT\system32\DRIVERS\fdc.sys
2010/11/13 10:55:35.0640 Fips (b27a36d4725a362a13d0c52ad6c7175b) C:\WINNT\system32\drivers\Fips.sys
2010/11/13 10:55:35.0718 Flpydisk (6ca845333da54f27a8657be7ee0b600d) C:\WINNT\system32\DRIVERS\flpydisk.sys
2010/11/13 10:55:35.0734 Fs_Rec (405f231ad65c03dac70992a2aba759a5) C:\WINNT\system32\drivers\Fs_Rec.sys
2010/11/13 10:55:35.0765 Ftdisk (9b73c6887c9e7aecaaca2a71363548e9) C:\WINNT\system32\DRIVERS\ftdisk.sys
2010/11/13 10:55:35.0796 Gpc (6667d07854a3ae7715d22b82761cf0e7) C:\WINNT\system32\DRIVERS\msgpc.sys
2010/11/13 10:55:35.0828 hidusb (ff2ca3c8d0193800e4fa510ffde0960e) C:\WINNT\system32\DRIVERS\hidusb.sys
2010/11/13 10:55:35.0843 i8042prt (3b538e8a6b5e078406159edfe09a5e53) C:\WINNT\system32\DRIVERS\i8042prt.sys
2010/11/13 10:55:35.0906 ialm (d4405bd2b6e95efdc8e674ed4032874f) C:\WINNT\system32\DRIVERS\ialmnt5.sys
2010/11/13 10:55:36.0015 IpFilterDriver (09a604211e2b2334fc023a41337e3165) C:\WINNT\system32\DRIVERS\ipfltdrv.sys
2010/11/13 10:55:36.0046 IpInIp (dbc1437b56eea1af02cd39c011904491) C:\WINNT\system32\DRIVERS\ipinip.sys
2010/11/13 10:55:36.0062 IpNat (3509e9c33281f4343d2da5650039f59d) C:\WINNT\system32\DRIVERS\ipnat.sys
2010/11/13 10:55:36.0093 IPSEC (6bf394c7987fbc91b047eb0a8efb2aa5) C:\WINNT\system32\DRIVERS\ipsec.sys
2010/11/13 10:55:36.0140 IRENUM (7f5315e32be0632f680b30e03a2ca809) C:\WINNT\system32\DRIVERS\irenum.sys
2010/11/13 10:55:36.0171 isapnp (b630369ca276fd208c1b5146920b5f2e) C:\WINNT\system32\DRIVERS\isapnp.sys
2010/11/13 10:55:36.0187 Suspicious service (NoAccess): jqzhcxpgv
2010/11/13 10:55:36.0203 Kbdclass (399055f5c4a98f39b47d26888a72145d) C:\WINNT\system32\DRIVERS\kbdclass.sys
2010/11/13 10:55:36.0234 kbdhid (5afd9413400ffb2b57e9be900a12b160) C:\WINNT\system32\DRIVERS\kbdhid.sys
2010/11/13 10:55:36.0234 Suspicious service (NoAccess): kgavbgjan
2010/11/13 10:55:36.0265 KSecDD (74937a7d0c4354c025ba182aca00e41a) C:\WINNT\system32\drivers\KSecDD.sys
2010/11/13 10:55:36.0343 mnmdd (f9a1ccc84d1c8b392d67bf2e661ed334) C:\WINNT\system32\drivers\mnmdd.sys
2010/11/13 10:55:36.0375 Modem (37478d40030b15ca3860509d4f5d39d8) C:\WINNT\system32\drivers\Modem.sys
2010/11/13 10:55:36.0406 Mouclass (8d038dde3f19b88427968e99a6216766) C:\WINNT\system32\DRIVERS\mouclass.sys
2010/11/13 10:55:36.0421 mouhid (80d48f52414f7798432a4764beccbcec) C:\WINNT\system32\DRIVERS\mouhid.sys
2010/11/13 10:55:36.0453 MountMgr (5fe612cea2236543ed416de8554c3047) C:\WINNT\system32\drivers\MountMgr.sys
2010/11/13 10:55:36.0515 MRxSmb (e0836182d738ebe0e958ee641fdfa597) C:\WINNT\system32\DRIVERS\mrxsmb.sys
2010/11/13 10:55:36.0562 Msfs (8840bc3953d2c0bbb104932cab848a27) C:\WINNT\system32\drivers\Msfs.sys
2010/11/13 10:55:36.0578 MSKSSRV (883385dc3eca3cf7c2d7efcf644ca5ae) C:\WINNT\system32\drivers\MSKSSRV.sys
2010/11/13 10:55:36.0609 MSPCLOCK (4d0e25cb6bfd5bedd546501faf69b3f7) C:\WINNT\system32\drivers\MSPCLOCK.sys
2010/11/13 10:55:36.0640 MSPQM (bb041315c9930063e5eab0bee90acff6) C:\WINNT\system32\drivers\MSPQM.sys
2010/11/13 10:55:36.0656 Mup (73aec5477e873efc74d0dfc37c695b6f) C:\WINNT\system32\drivers\Mup.sys
2010/11/13 10:55:36.0718 NDIS (fb4f2d0595bd3546a4dd915e4a9b4809) C:\WINNT\system32\drivers\NDIS.sys
2010/11/13 10:55:36.0750 NdisTapi (e6f675c75c53887c58b98d6db356b153) C:\WINNT\system32\DRIVERS\ndistapi.sys
2010/11/13 10:55:36.0781 Ndisuio (69ecae880bdac3c288f0508df9cdeef0) C:\WINNT\system32\DRIVERS\ndisuio.sys
2010/11/13 10:55:36.0796 NdisWan (b86a37aa73868343a9eee148fdfce1e0) C:\WINNT\system32\DRIVERS\ndiswan.sys
2010/11/13 10:55:36.0828 NDProxy (1f426863d87bdf75aec76584223cd0c7) C:\WINNT\system32\drivers\NDProxy.sys
2010/11/13 10:55:36.0859 NetBIOS (5151e6020a26bf7bc21c18fd612506bd) C:\WINNT\system32\DRIVERS\netbios.sys
2010/11/13 10:55:36.0890 NetBT (e854473d50e5f7917767a7c10e08e5f8) C:\WINNT\system32\DRIVERS\netbt.sys
2010/11/13 10:55:36.0921 NetDetect (9b2a6147a22f7e696cc7538283de6346) C:\WINNT\system32\drivers\netdtect.sys
2010/11/13 10:55:36.0953 Npfs (e85a77dfcb8f1088f85120ca123ce191) C:\WINNT\system32\drivers\Npfs.sys
2010/11/13 10:55:37.0000 Ntfs (f6ab0e765d5b80443b93c52c42f2602a) C:\WINNT\system32\drivers\Ntfs.sys
2010/11/13 10:55:37.0062 Null (280209cde798720a24d232bf9cfda8e9) C:\WINNT\system32\drivers\Null.sys
2010/11/13 10:55:37.0093 NwlnkFlt (9b0d6fb5c5d6a7571aedb0c1a7a9c1b6) C:\WINNT\system32\DRIVERS\nwlnkflt.sys
2010/11/13 10:55:37.0109 NwlnkFwd (09fa39e4812fdd042834650df09675a0) C:\WINNT\system32\DRIVERS\nwlnkfwd.sys
2010/11/13 10:55:37.0140 Parallel (ea27799907eabdb66d2d56af68cd4f06) C:\WINNT\system32\DRIVERS\parallel.sys
2010/11/13 10:55:37.0171 Parport (69b713583d6e063ac487e2da30c04289) C:\WINNT\system32\DRIVERS\parport.sys
2010/11/13 10:55:37.0187 PartMgr (f9e922dbe9f3719ce8376cc7ed18cb8d) C:\WINNT\system32\drivers\PartMgr.sys
2010/11/13 10:55:37.0218 ParVdm (888f6a6ad5810f5828de594e17fe8f3b) C:\WINNT\system32\drivers\ParVdm.sys
2010/11/13 10:55:37.0250 PCI (f0791b1f424f8d84a81d9ae6cfadf089) C:\WINNT\system32\DRIVERS\pci.sys
2010/11/13 10:55:37.0296 PCIIde (7d0bcb325d29d15024d6a572044e410b) C:\WINNT\system32\DRIVERS\pciide.sys
2010/11/13 10:55:37.0328 Pcmcia (b737c89d439b771d92d7c5e8b8d3917c) C:\WINNT\system32\drivers\Pcmcia.sys
2010/11/13 10:55:37.0375 PptpMiniport (0e0212bbbf15800f1536cbfa157dddd6) C:\WINNT\system32\DRIVERS\raspptp.sys
2010/11/13 10:55:37.0406 Ptilink (b78775f217255f786c2e8dbe4334e413) C:\WINNT\system32\DRIVERS\ptilink.sys
2010/11/13 10:55:37.0515 Ramdisk (df45ad8ee9b2f33c1cfa52ba0a687307) C:\WINNT\system32\DRIVERS\ramdisk.sys
2010/11/13 10:55:37.0546 RasAcd (63051b814e005dc62c7a0971668c52b4) C:\WINNT\system32\DRIVERS\rasacd.sys
2010/11/13 10:55:37.0578 Rasl2tp (ec6037c594f20adedea65f0d809493d2) C:\WINNT\system32\DRIVERS\rasl2tp.sys
2010/11/13 10:55:37.0609 Raspti (cb09a98e97e52c389ab17b1e003c9566) C:\WINNT\system32\DRIVERS\raspti.sys
2010/11/13 10:55:37.0625 RCA (afce1f733a6aa3a90ac60794dfb26104) C:\WINNT\system32\drivers\RCA.sys
2010/11/13 10:55:37.0656 Rdbss (d3cb7a695a43a287979c03db94227d05) C:\WINNT\system32\DRIVERS\rdbss.sys
2010/11/13 10:55:37.0687 redbook (b5120cb5081865b0c7d93c305c7da939) C:\WINNT\system32\DRIVERS\redbook.sys
2010/11/13 10:55:37.0750 serenum (6db5fdf67486679da3149ef212374861) C:\WINNT\system32\DRIVERS\serenum.sys
2010/11/13 10:55:37.0781 Serial (80f28698f48e298d278057f23206133b) C:\WINNT\system32\DRIVERS\serial.sys
2010/11/13 10:55:37.0812 Sfloppy (96b8aae4f799e81a23aeda935e14f768) C:\WINNT\system32\drivers\Sfloppy.sys
2010/11/13 10:55:37.0875 snapman (5052dbafc8f4e4507e6ad0d467dd3529) C:\WINNT\system32\DRIVERS\snapman.sys
2010/11/13 10:55:37.0937 Srv (42306c014d9e4d285eb5f49fe1178373) C:\WINNT\system32\DRIVERS\srv.sys
2010/11/13 10:55:37.0968 swenum (a151f2d55ebf635550709c48fce564aa) C:\WINNT\system32\DRIVERS\swenum.sys
2010/11/13 10:55:38.0078 Tcpip (0f62ffcd1c136103d7ea57e5b2b30994) C:\WINNT\system32\DRIVERS\tcpip.sys
2010/11/13 10:55:38.0125 tifsfilter (304e188496ec723c369e3b27da82f992) C:\WINNT\system32\DRIVERS\tifsfilt.sys
2010/11/13 10:55:38.0171 timounter (ac0a6126138403b5913a6d819343034b) C:\WINNT\system32\DRIVERS\timntr.sys
2010/11/13 10:55:38.0218 Udfs (248a63ca8075bdf40bb56ce34cdaf332) C:\WINNT\system32\drivers\Udfs.sys
2010/11/13 10:55:38.0218 Suspicious service (NoAccess): ugsau
2010/11/13 10:55:38.0250 uhcd (376fb5e14b9d375db3536ba563eae97a) C:\WINNT\system32\DRIVERS\uhcd.sys
2010/11/13 10:55:38.0296 Update (7a77f319935328cf30945fe0f3c69c9a) C:\WINNT\system32\DRIVERS\update.sys
2010/11/13 10:55:38.0328 usbehci (86c71ce544358d3227206a894ae04443) C:\WINNT\system32\DRIVERS\usbehci.sys
2010/11/13 10:55:38.0359 usbhub (5c202078f5d500786a1f3279fac3aa64) C:\WINNT\system32\DRIVERS\usbhub.sys
2010/11/13 10:55:38.0390 usbhub20 (b0205d19ba25ca654810d0aed04496a8) C:\WINNT\system32\DRIVERS\usbhub20.sys
2010/11/13 10:55:38.0406 USBSTOR (13eba8a2da3447fe7f217e34210ac554) C:\WINNT\system32\DRIVERS\USBSTOR.SYS
2010/11/13 10:55:38.0437 VgaSave (1b0040415ba34497a8d76a553aee88aa) C:\WINNT\System32\drivers\vga.sys
2010/11/13 10:55:38.0468 Wanarp (aa8c76dfc4afa72f09fdbc6621b7d38d) C:\WINNT\system32\DRIVERS\wanarp.sys
2010/11/13 10:55:38.0515 WinDriver6 (d7352795d80e3bbc19aeb8d3361f4135) C:\WINNT\system32\drivers\windrvr6.sys
2010/11/13 10:55:38.0593 yukonw2k (bf6c24ba6cea8c3e4a77cd964f93d207) C:\WINNT\system32\DRIVERS\yk50x86.sys
2010/11/13 10:55:38.0687 ================================================================================
2010/11/13 10:55:38.0687 Scan finished
2010/11/13 10:55:38.0687 ================================================================================

I'd like to start work on another computer. Would you like me to start another thread ?
 
I'd like to start work on another computer. Would you like me to start another thread ?
You surely can :)

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.
 
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows 2000 Professional
Windows Information: Service Pack 4 (build 2195)
Logical Drives Mask: 0x0200003c

Kernel Drivers (total 101):
0x80400000 \WINNT\System32\ntoskrnl.exe
0x80062000 \WINNT\System32\hal.dll
0xF6810000 \WINNT\System32\BOOTVID.DLL
0xBFFD8000 ACPI.sys
0xF69C8000 \WINNT\System32\DRIVERS\WMILIB.SYS
0xF6400000 pci.sys
0xF6410000 isapnp.sys
0xF69C9000 pciide.sys
0xF6680000 \WINNT\System32\DRIVERS\PCIIDEX.SYS
0xF6688000 MountMgr.sys
0xBFFBB000 ftdisk.sys
0xF6900000 Diskperf.sys
0xF6902000 dmload.sys
0xBFF99000 dmio.sys
0xF6814000 PartMgr.sys
0xBFF83000 atapi.sys
0xF6420000 adpu160m.sys
0xBFF70000 \WINNT\System32\DRIVERS\SCSIPORT.SYS
0xF6690000 disk.sys
0xF6430000 \WINNT\System32\DRIVERS\CLASSPNP.SYS
0xBFF5E000 KSecDD.sys
0xBFEDB000 Ntfs.sys
0xBFEB1000 NDIS.sys
0xBFE52000 timntr.sys
0xBFE39000 snapman.sys
0xF6904000 ramdisk.sys
0xBFE23000 Mup.sys
0xF6460000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xBFC95000 \SystemRoot\System32\DRIVERS\ialmnt5.sys
0xF66B0000 \SystemRoot\system32\drivers\dtl5933w.sys
0xF66D0000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF66B8000 \SystemRoot\System32\DRIVERS\uhcd.sys
0xBFC73000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF66E0000 \SystemRoot\System32\DRIVERS\usbehci.sys
0xF66F0000 \SystemRoot\system32\DRIVERS\e100ent.sys
0xF6700000 \SystemRoot\System32\DRIVERS\parport.sys
0xF6470000 \SystemRoot\System32\DRIVERS\serial.sys
0xBFDE3000 \SystemRoot\System32\DRIVERS\serenum.sys
0xF6718000 \SystemRoot\System32\DRIVERS\fdc.sys
0xF6728000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF69D8000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF6490000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xBFDC6000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xBFC5C000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xBFDB6000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xF64A0000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF6748000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF6758000 \SystemRoot\System32\DRIVERS\raspti.sys
0xF64B0000 \SystemRoot\System32\DRIVERS\parallel.sys
0xBFC40000 \SystemRoot\System32\DRIVERS\ks.sys
0xF69D9000 \SystemRoot\System32\DRIVERS\swenum.sys
0xBFC15000 \SystemRoot\System32\DRIVERS\update.sys
0xBFBE9000 \SystemRoot\system32\drivers\windrvr6.sys
0xF64D0000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF64E0000 \SystemRoot\System32\DRIVERS\usbhub20.sys
0xF6500000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF6780000 \SystemRoot\System32\Drivers\EFS.SYS
0xF6912000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF69DE000 \SystemRoot\System32\Drivers\Null.SYS
0xF69DF000 \SystemRoot\System32\Drivers\Beep.SYS
0xF6510000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xF66A8000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
0xF66C8000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xBFD7E000 \SystemRoot\System32\drivers\vga.sys
0xF69E0000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF66E8000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF6520000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF691A000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xB79D8000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xF6530000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF6720000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xF6540000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xB79AE000 \SystemRoot\System32\DRIVERS\netbt.sys
0xF6550000 \SystemRoot\System32\DRIVERS\netbios.sys
0xB7983000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xB790A000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xB78F3000 \SystemRoot\System32\Drivers\aswSP.SYS
0xF6750000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xF6768000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
0xBFD56000 \SystemRoot\System32\DRIVERS\hidusb.sys
0xBFDB2000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xBFDAE000 \SystemRoot\System32\DRIVERS\kbdhid.sys
0xF69E1000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xB78B5000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xA0000000 \??\C:\WINNT\system32\win32k.sys
0xB786E000 \SystemRoot\System32\ialmdnt5.dll
0xF6590000 \SystemRoot\System32\ialmrnt5.dll
0xB7845000 \SystemRoot\System32\ialmdev5.DLL
0xB7777000 \SystemRoot\System32\ialmdd5.DLL
0xF6770000 \SystemRoot\system32\DRIVERS\tifsfilt.sys
0xB7641000 \SystemRoot\System32\drivers\afd.sys
0xF6972000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB753C000 \SystemRoot\System32\Drivers\aswMon.SYS
0xB7757000 \SystemRoot\System32\Drivers\driverx.sys
0xB7737000 \SystemRoot\System32\Drivers\Fips.SYS
0xB7410000 \SystemRoot\System32\DRIVERS\srv.sys
0xB6FF8000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xB7100000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xF6710000 \SystemRoot\System32\DRIVERS\USBSTOR.SYS
0xB6E11000 \SystemRoot\System32\Drivers\Fastfat.SYS
0x77F80000 \WINNT\system32\NTDLL.DLL

Processes (total 28):
0 System Idle Process
8 System
248 \SystemRoot\System32\smss.exe
272 CSRSS.EXE
292 \??\C:\WINNT\system32\winlogon.exe
320 C:\WINNT\system32\services.exe
332 C:\WINNT\system32\lsass.exe
508 C:\WINNT\system32\svchost.exe
532 C:\WINNT\system32\spoolsv.exe
560 C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
604 C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
620 C:\Program Files\Alwil Software\Avast4\ashServ.exe
648 C:\WINNT\System32\svchost.exe
664 C:\WINNT\system32\hidserv.exe
724 C:\WINNT\system32\regsvc.exe
744 C:\WINNT\system32\MSTask.exe
960 C:\WINNT\System32\WBEM\WinMgmt.exe
972 C:\Program Files\RealVNC\VNC4\WinVNC4.exe
1072 C:\WINNT\Explorer.EXE
1140 C:\WINNT\system32\igfxtray.exe
1144 C:\WINNT\system32\hkcmd.exe
1160 C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
1176 C:\Program Files\Acronis\TrueImage\TimounterMonitor.exe
1184 C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
1192 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
1208 C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
1332 C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
872 C:\Documents and Settings\Administrator\Desktop\virus_et_al\MBRCheck.exe

WARNING: Unsupported Windows version! Results may not be accurate!
\\.\C: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000003`8420d600 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive1 Model Number: MTRONMSP-SATA7525, Rev: 0.20R1H1
PhysicalDrive0 Model Number: INTELSSDSA2M080G2GC, Rev: 2CV102HD

Size Device Name MBR Status
--------------------------------------------
14 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
 
Looks good :)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.pif
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
I haven't taken the latest action yet.

Overnight I realized i may have done somethng stupid. All along this computer has been directly connected to another computer that has also tested positive, via MalwareBytes, for the conficker virus. How would you like to proceed ?
 
Just make sure, you don't exchange any files between both computers and you'll be fine.
Go ahead with Combofix.
 
ComboFix 10-11-14.02 - Administrator 11/15/2010 12:12:58.1.1 - x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.2039.1701 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
/wow section - STAGE 10


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Thumbs.db
c:\winnt\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2010-10-15 to 2010-11-15 )))))))))))))))))))))))))))))))
.

2010-11-12 12:45 . 2008-05-15 23:15 23152 ----a-w- c:\winnt\system32\drivers\aswRdr.sys
2010-11-12 12:45 . 2008-05-15 23:14 42912 ----a-w- c:\winnt\system32\drivers\aswTdi.sys
2010-11-12 12:45 . 2008-05-15 23:13 26944 ----a-w- c:\winnt\system32\drivers\aavmker4.sys
2010-11-12 12:45 . 2008-05-15 23:20 78416 ----a-w- c:\winnt\system32\drivers\aswSP.sys
2010-11-12 12:45 . 2008-05-15 23:18 94416 ----a-w- c:\winnt\system32\drivers\aswmon2.sys
2010-11-12 12:45 . 2008-05-15 23:12 95608 ----a-w- c:\winnt\system32\AvastSS.scr
2010-11-12 12:45 . 2008-01-17 17:34 93264 ----a-w- c:\winnt\system32\drivers\aswmon.sys
2010-11-12 12:45 . 2008-05-15 23:24 1152888 ----a-w- c:\winnt\system32\aswBoot.exe
2010-11-12 12:45 . 2004-01-09 10:13 380928 ----a-w- c:\winnt\system32\actskin4.ocx
2010-11-11 16:08 . 2010-11-11 16:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-11-11 16:08 . 2010-04-29 15:39 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-11-11 16:08 . 2010-11-11 16:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-11 16:08 . 2010-11-11 16:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-11 16:08 . 2010-04-29 15:39 19288 ----a-w- c:\winnt\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2003-06-19 111376]
"IgfxTray"="c:\winnt\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [2004-11-02 126976]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2006-06-01 1106562]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImage\TimounterMonitor.exe" [2006-06-01 1827640]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-06-01 126976]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Shortcut to begininstr.bat.lnk - c:\documents and settings\Administrator\Desktop\begininstr.bat [2006-4-7 84]
Shortcut to tftpd32.exe.lnk - c:\program files\Argon ST\tftpd32.exe [2010-2-12 57344]

R?2 jqzhcxpgv;Driver Center;c:\winnt\system32\svchost.exe -k netsvcs [5/8/2001 12:00 PM 7952]
R?2 kgavbgjan;Microsoft Driver;c:\winnt\system32\svchost.exe -k netsvcs [5/8/2001 12:00 PM 7952]
R?2 ugsau;Microsoft Boot;c:\winnt\system32\svchost.exe -k netsvcs [5/8/2001 12:00 PM 7952]
R0 Ramdisk;Ramdisk Driver;c:\winnt\system32\drivers\ramdisk.sys [5/15/2006 1:06 PM 6995]
R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [11/12/2010 12:45 PM 78416]
R2 aswMon;avast! Standard Shield Support;c:\winnt\system32\drivers\aswmon.sys [11/12/2010 12:45 PM 93264]
R2 DriverX;DriverX;c:\winnt\system32\drivers\driverx.sys [5/15/2006 12:09 PM 52512]
R3 dtl5933w;dtl5933w;c:\winnt\system32\drivers\dtl5933w.sys [4/6/2006 6:33 PM 18176]
R3 E100E;E100E;c:\winnt\system32\drivers\E100ENT.sys [5/27/1999 4:13 PM 25360]
R3 usbhub20;USB Hub Support;c:\winnt\system32\drivers\usbhub20.sys [6/5/2006 1:24 PM 49776]
S3 yukonw2k;NDIS5 Miniport Driver for Marvell Yukon Ethernet Controller;c:\winnt\system32\drivers\yk50x86.sys [5/16/2006 8:53 AM 243840]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - IPNAT
*NewlyCreated* - SHAREDACCESS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ugsau
jqzhcxpgv
kgavbgjan
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.
.
------- File Associations -------
.
.
- - - - ORPHANS REMOVED - - - -

Notify-AtiExtEvent - (no file)
AddRemove-WinZip - f:\winzip\WINZIP32.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-15 12:21
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jqzhcxpgv]
"ServiceDll"="c:\winnt\system32\bjmnq.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kgavbgjan]
"ServiceDll"="c:\winnt\system32\bjmnq.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ugsau]
"ServiceDll"="c:\winnt\system32\bjmnq.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(292)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(1156)
c:\winnt\AppPatch\AcLayers.DLL
c:\winnt\system32\msi.dll
c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\winnt\system32\hidserv.exe
c:\winnt\system32\regsvc.exe
c:\winnt\system32\MSTask.exe
c:\winnt\System32\WBEM\WinMgmt.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\winnt\system32\NOTEPAD.EXE
.
**************************************************************************
.
Completion time: 2010-11-15 12:23:35 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-15 12:23

Pre-Run: 11,729,080,320 bytes free
Post-Run: 11,678,371,840 bytes free

- - End Of File - - 793079199734CD4DB17DBD46FFCC04A4



Note that on restart a program that is normally started by 'startup' ran while combofix was generating its report
 
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
Driver::
jqzhcxpgv
kgavbgjan
ugsau

NetSvc::
ugsau
jqzhcxpgv
kgavbgjan


Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ugsau]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kgavbgjan]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jqzhcxpgv]


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
ComboFix 10-11-14.02 - Administrator 11/16/2010 8:46.2.1 - x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.2039.1788 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\cfscript.txt
.
/wow section - STAGE 10


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JQZHCXPGV
-------\Legacy_KGAVBGJAN
-------\Legacy_UGSAU
-------\Service_jqzhcxpgv
-------\Service_kgavbgjan
-------\Service_ugsau


((((((((((((((((((((((((( Files Created from 2010-10-16 to 2010-11-16 )))))))))))))))))))))))))))))))
.

2010-11-12 12:45 . 2008-05-15 23:15 23152 ----a-w- c:\winnt\system32\drivers\aswRdr.sys
2010-11-12 12:45 . 2008-05-15 23:14 42912 ----a-w- c:\winnt\system32\drivers\aswTdi.sys
2010-11-12 12:45 . 2008-05-15 23:13 26944 ----a-w- c:\winnt\system32\drivers\aavmker4.sys
2010-11-12 12:45 . 2008-05-15 23:20 78416 ----a-w- c:\winnt\system32\drivers\aswSP.sys
2010-11-12 12:45 . 2008-05-15 23:18 94416 ----a-w- c:\winnt\system32\drivers\aswmon2.sys
2010-11-12 12:45 . 2008-05-15 23:12 95608 ----a-w- c:\winnt\system32\AvastSS.scr
2010-11-12 12:45 . 2008-01-17 17:34 93264 ----a-w- c:\winnt\system32\drivers\aswmon.sys
2010-11-12 12:45 . 2008-05-15 23:24 1152888 ----a-w- c:\winnt\system32\aswBoot.exe
2010-11-12 12:45 . 2004-01-09 10:13 380928 ----a-w- c:\winnt\system32\actskin4.ocx
2010-11-11 16:08 . 2010-11-11 16:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-11-11 16:08 . 2010-04-29 15:39 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-11-11 16:08 . 2010-11-11 16:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-11 16:08 . 2010-11-11 16:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-11 16:08 . 2010-04-29 15:39 19288 ----a-w- c:\winnt\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot@2010-11-15_12.20.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-16 08:53 . 2010-11-16 08:53 16384 c:\winnt\system32\Perflib_Perfdata_268.dat
- 2010-11-15 12:19 . 2010-11-15 12:19 16384 c:\winnt\system32\Perflib_Perfdata_268.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2003-06-19 111376]
"IgfxTray"="c:\winnt\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [2004-11-02 126976]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2006-06-01 1106562]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImage\TimounterMonitor.exe" [2006-06-01 1827640]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-06-01 126976]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

R0 Ramdisk;Ramdisk Driver;c:\winnt\system32\drivers\ramdisk.sys [5/15/2006 1:06 PM 6995]
R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [11/12/2010 12:45 PM 78416]
R2 aswMon;avast! Standard Shield Support;c:\winnt\system32\drivers\aswmon.sys [11/12/2010 12:45 PM 93264]
R2 DriverX;DriverX;c:\winnt\system32\drivers\driverx.sys [5/15/2006 12:09 PM 52512]
R3 dtl5933w;dtl5933w;c:\winnt\system32\drivers\dtl5933w.sys [4/6/2006 6:33 PM 18176]
R3 E100E;E100E;c:\winnt\system32\drivers\E100ENT.sys [5/27/1999 4:13 PM 25360]
R3 usbhub20;USB Hub Support;c:\winnt\system32\drivers\usbhub20.sys [6/5/2006 1:24 PM 49776]
S3 yukonw2k;NDIS5 Miniport Driver for Marvell Yukon Ethernet Controller;c:\winnt\system32\drivers\yk50x86.sys [5/16/2006 8:53 AM 243840]
.
.
------- Supplementary Scan -------
.
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-16 08:53
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(292)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(1136)
c:\winnt\AppPatch\AcLayers.DLL
c:\winnt\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\winnt\system32\hidserv.exe
c:\winnt\system32\regsvc.exe
c:\winnt\system32\MSTask.exe
c:\winnt\System32\WBEM\WinMgmt.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
.
**************************************************************************
.
Completion time: 2010-11-16 08:55:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-16 08:55

Pre-Run: 11,685,998,592 bytes free
Post-Run: 11,678,023,680 bytes free

- - End Of File - - CDE83B91F406CF526E1EC3350A98A231
 
Very good :)

with the exception of a Tcp/Ip issue
You didn't mention anything earlier, so you have to explain.

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
OTL logfile created on: 11/17/2010 2:56:39 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Administrator\Desktop\virus_et_al
Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 5.00.3700.1000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 87.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 14.06 Gb Total Space | 10.89 Gb Free Space | 77.46% Space Free | Partition Type: NTFS
Drive D: | 854.99 Mb Total Space | 483.45 Mb Free Space | 56.54% Space Free | Partition Type: NTFS
Drive E: | 74.53 Gb Total Space | 73.12 Gb Free Space | 98.11% Space Free | Partition Type: NTFS
Drive F: | 1.86 Gb Total Space | 1.50 Gb Free Space | 80.77% Space Free | Partition Type: FAT32
Drive Z: | 30.92 Mb Total Space | 30.92 Mb Free Space | 100.00% Space Free | Partition Type: FAT

Computer Name: RTM-II | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/17 09:51:18 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\virus_et_al\OTL.exe
PRC - [2008/05/15 23:19:31 | 000,079,224 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2008/05/15 23:19:24 | 000,144,760 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2008/05/15 23:19:00 | 000,247,160 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2008/05/15 23:16:59 | 000,349,560 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2008/05/15 23:06:57 | 000,017,272 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2006/06/01 11:14:16 | 001,827,640 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImage\TimounterMonitor.exe
PRC - [2006/06/01 11:08:28 | 000,126,976 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2006/06/01 11:08:26 | 000,204,800 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2006/06/01 11:06:42 | 001,106,562 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
PRC - [2006/05/12 15:04:08 | 000,439,248 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\winvnc4.exe
PRC - [2003/06/19 16:05:04 | 000,243,472 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe
PRC - [2003/06/19 16:05:04 | 000,196,706 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wbem\WinMgmt.exe
PRC - [2003/06/19 16:05:04 | 000,119,568 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\mstask.exe
PRC - [2003/06/19 16:05:04 | 000,068,368 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\regsvc.exe
PRC - [2003/06/19 16:05:04 | 000,019,728 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\hidserv.exe


========== Modules (SafeList) ==========

MOD - [2010/11/17 09:51:18 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\virus_et_al\OTL.exe
MOD - [2003/06/19 16:05:04 | 000,021,776 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wsock32.dll
MOD - [2003/06/19 16:05:04 | 000,010,000 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\lz32.dll
MOD - [2001/05/08 12:00:00 | 000,011,536 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\netrap.dll


========== Win32 Services (SafeList) ==========

SRV - [2008/05/15 23:19:24 | 000,144,760 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2008/05/15 23:19:00 | 000,247,160 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2008/05/15 23:16:59 | 000,349,560 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2008/05/15 23:06:57 | 000,017,272 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2006/06/01 11:08:26 | 000,204,800 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2006/05/12 15:04:08 | 000,439,248 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)
SRV - [2003/06/19 16:05:04 | 000,196,706 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\wbem\WinMgmt.exe -- (WinMgmt)
SRV - [2003/06/19 16:05:04 | 000,147,728 | ---- | M] (VERITAS Software Corp.) [On_Demand | Stopped] -- C:\WINNT\System32\dmadmin.exe -- (dmadmin)
SRV - [2003/06/19 16:05:04 | 000,119,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\mstask.exe -- (Schedule)
SRV - [2003/06/19 16:05:04 | 000,094,992 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\FAXSVC.EXE -- (Fax)
SRV - [2003/06/19 16:05:04 | 000,068,368 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\regsvc.exe -- (RemoteRegistry)
SRV - [2003/06/19 16:05:04 | 000,022,800 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\utilman.exe -- (UtilMan)
SRV - [2003/06/19 16:05:04 | 000,019,728 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\hidserv.exe -- (HidServ)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINNT\System32\drivers\DMusic.sys -- (DMusic)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2008/05/15 23:20:32 | 000,078,416 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINNT\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2008/05/15 23:15:29 | 000,023,152 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINNT\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2008/05/15 23:14:11 | 000,042,912 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINNT\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2008/05/15 23:13:26 | 000,026,944 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINNT\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2008/01/17 17:34:01 | 000,093,264 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINNT\System32\drivers\aswmon.sys -- (aswMon)
DRV - [2007/08/06 19:38:11 | 000,387,520 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2007/08/06 19:38:11 | 000,032,224 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINNT\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2007/08/06 19:38:08 | 000,099,776 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2006/05/16 08:53:00 | 000,243,840 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\yk50x86.sys -- (yukonw2k)
DRV - [2005/02/09 14:11:14 | 000,316,040 | ---- | M] (Jungo) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\windrvr6.sys -- (WinDriver6)
DRV - [2003/09/18 16:50:02 | 000,129,904 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\e10002ke.sys -- (E1000) Intel(R)
DRV - [2003/09/12 13:41:20 | 000,018,176 | R--- | M] (Datel, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\dtl5933w.sys -- (dtl5933w)
DRV - [2003/06/19 16:05:04 | 000,369,104 | ---- | M] (VERITAS Software Corp.) [Kernel | Disabled | Stopped] -- C:\WINNT\system32\drivers\dmboot.sys -- (dmboot)
DRV - [2003/06/19 16:05:04 | 000,137,936 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\dmio.sys -- (dmio)
DRV - [2003/06/19 16:05:04 | 000,060,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\parallel.sys -- (Parallel)
DRV - [2003/06/19 16:05:04 | 000,049,776 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\usbhub20.sys -- (usbhub20)
DRV - [2003/06/19 16:05:04 | 000,032,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\uhcd.sys -- (uhcd)
DRV - [2003/06/19 16:05:04 | 000,027,440 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Running] -- C:\WINNT\System32\drivers\efs.sys -- (EFS)
DRV - [2003/06/19 16:05:04 | 000,007,728 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\diskperf.sys -- (Diskperf)
DRV - [2003/06/19 16:05:04 | 000,007,312 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\dmload.sys -- (dmload)
DRV - [2001/06/12 02:01:10 | 000,052,512 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINNT\System32\Drivers\driverx.sys -- (DriverX)
DRV - [2001/05/08 12:00:00 | 000,021,712 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\rca.sys -- (RCA)
DRV - [2001/05/08 12:00:00 | 000,009,680 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\netdtect.sys -- (NetDetect)
DRV - [2000/04/20 03:00:02 | 000,006,995 | ---- | M] () [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\ramdisk.sys -- (Ramdisk)
DRV - [1999/05/27 16:13:40 | 000,025,360 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\E100ENT.sys -- (E100E)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010/11/16 08:53:33 | 000,000,027 | ---- | M]) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (@msdxmLC.dll,-1@1033,&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx ()
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImage\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe (Acronis)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Shortcut to begininstr.bat.lnk = C:\Documents and Settings\Administrator\Desktop\begininstr.bat ()
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Shortcut to scanner.exe.lnk = D:\ahs\GUI_AMS_03\debug\scanner.exe ()
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Shortcut to tftpd32.exe.lnk = C:\Program Files\Argon ST\tftpd32.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: @shdoclc.dll,-866 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\related.htm ()
O9 - Extra 'Tools' menuitem : @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\related.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINNT\system32\RNR20.DLL (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\system32\msdxm.ocx ()
O18 - Protocol\Filter\Class Install Handler - No CLSID value found
O18 - Protocol\Filter\deflate - No CLSID value found
O18 - Protocol\Filter\gzip - No CLSID value found
O18 - Protocol\Filter\lzdhtml - No CLSID value found
O18 - Protocol\Filter\text/webviewhtml - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINNT\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - C:\WINNT\System32\wzcdlg.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/04/06 17:41:49 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Nwsapagent - File not found

Drivers32: aux - C:\WINNT\System32\mmdrv.dll (Microsoft Corporation)
Drivers32: aux1 - File not found
Drivers32: aux2 - File not found
Drivers32: aux3 - File not found
Drivers32: aux4 - File not found
Drivers32: aux5 - File not found
Drivers32: aux6 - File not found
Drivers32: aux7 - File not found
Drivers32: aux8 - File not found
Drivers32: aux9 - File not found
Drivers32: midi1 - File not found
Drivers32: midi2 - File not found
Drivers32: midi3 - File not found
Drivers32: midi4 - File not found
Drivers32: midi5 - File not found
Drivers32: midi6 - File not found
Drivers32: midi7 - File not found
Drivers32: midi8 - File not found
Drivers32: midi9 - File not found
Drivers32: mixer1 - File not found
Drivers32: mixer2 - File not found
Drivers32: mixer3 - File not found
Drivers32: mixer4 - File not found
Drivers32: mixer5 - File not found
Drivers32: mixer6 - File not found
Drivers32: mixer7 - File not found
Drivers32: mixer8 - File not found
Drivers32: mixer9 - File not found
Drivers32: msacm.iac2 - C:\WINNT\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.lhacm - C:\WINNT\System32\lhacm.acm (Microsoft Corporation)
Drivers32: msacm.trspch - C:\WINNT\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINNT\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINNT\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINNT\System32\ir32_32.dll ()
Drivers32: vidc.iv50 - C:\WINNT\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.UYVY - msyuv.dll File not found
Drivers32: wave1 - File not found
Drivers32: wave2 - File not found
Drivers32: wave3 - File not found
Drivers32: wave4 - File not found
Drivers32: wave5 - File not found
Drivers32: wave6 - File not found
Drivers32: wave7 - File not found
Drivers32: wave8 - File not found
Drivers32: wave9 - File not found
Drivers32: wdmaud.drv - wdmaud.drv File not found
SystemRestore not available.

========== Files/Folders - Created Within 30 Days ==========

[2010/11/16 09:01:33 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/11/16 08:51:58 | 000,000,000 | ---D | C] -- C:\WINNT\temp
[2010/11/15 12:12:34 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINNT\SWXCACLS.exe
[2010/11/15 12:12:34 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINNT\SWREG.exe
[2010/11/15 12:12:34 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINNT\SWSC.exe
[2010/11/15 12:12:34 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINNT\NIRCMD.exe
[2010/11/15 12:12:30 | 000,000,000 | ---D | C] -- C:\WINNT\ERDNT
[2010/11/15 12:12:12 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/11/12 12:45:30 | 000,023,152 | ---- | C] (ALWIL Software) -- C:\WINNT\System32\drivers\aswRdr.sys
[2010/11/12 12:45:29 | 000,042,912 | ---- | C] (ALWIL Software) -- C:\WINNT\System32\drivers\aswTdi.sys
[2010/11/12 12:45:28 | 000,026,944 | ---- | C] (ALWIL Software) -- C:\WINNT\System32\drivers\aavmker4.sys
[2010/11/12 12:45:25 | 000,095,608 | ---- | C] (ALWIL Software) -- C:\WINNT\System32\AvastSS.scr
[2010/11/12 12:45:25 | 000,094,416 | ---- | C] (ALWIL Software) -- C:\WINNT\System32\drivers\aswmon2.sys
[2010/11/12 12:45:25 | 000,093,264 | ---- | C] (ALWIL Software) -- C:\WINNT\System32\drivers\aswmon.sys
[2010/11/12 12:45:25 | 000,078,416 | ---- | C] (ALWIL Software) -- C:\WINNT\System32\drivers\aswSP.sys
[2010/11/12 12:45:12 | 001,152,888 | ---- | C] (ALWIL Software) -- C:\WINNT\System32\aswBoot.exe
[2010/11/12 12:41:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\AvastInstall
[2010/11/12 12:32:07 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Desktop\virus_et_al
[2010/11/11 16:08:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/11/11 16:08:08 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2010/11/11 16:08:07 | 000,019,288 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2010/11/11 16:08:07 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/11/11 16:08:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

========== Files - Modified Within 30 Days ==========

[2010/11/17 14:54:21 | 000,000,383 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to virus_et_al.lnk
[2010/11/17 14:42:56 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_268.dat
[2010/11/17 13:15:17 | 000,922,094 | -H-- | M] () -- C:\WINNT\ShellIconCache
[2010/11/17 12:53:34 | 000,000,498 | ---- | M] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Shortcut to scanner.exe.lnk
[2010/11/17 12:52:12 | 000,000,477 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to acquire.exe.lnk
[2010/11/16 18:52:33 | 000,000,539 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to weekly.lnk
[2010/11/16 08:53:33 | 000,000,027 | ---- | M] () -- C:\WINNT\System32\drivers\etc\hosts
[2010/11/15 06:39:50 | 003,910,027 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2010/11/13 13:58:02 | 000,000,615 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to Startup.lnk
[2010/11/13 10:53:59 | 000,000,382 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\WinZip.lnk
[2010/11/12 12:45:30 | 000,001,584 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Antivirus.lnk
[2010/11/12 12:45:28 | 000,002,626 | ---- | M] () -- C:\WINNT\System32\CONFIG.NT
[2010/11/11 16:08:10 | 000,000,603 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/11/11 15:28:07 | 000,000,428 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to inst.exe.lnk
[2010/11/11 15:26:02 | 000,000,439 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut (2) to acquire.dsw.lnk
[2010/11/11 12:59:23 | 000,000,498 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to scanner.exe.lnk
[2010/11/09 20:31:44 | 000,000,525 | ---- | M] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Shortcut to begininstr.bat.lnk
[2010/11/09 20:31:44 | 000,000,525 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to begininstr.bat.lnk
[2010/11/09 15:25:03 | 000,000,459 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to scanner.dsw.lnk
[2010/11/09 15:22:48 | 000,000,084 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\begininstr.bat
[2010/11/09 15:19:59 | 000,000,339 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to ahs.lnk
[2010/11/09 14:32:31 | 000,000,421 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to inst.dsw.lnk
[2010/11/08 01:20:24 | 000,089,088 | ---- | M] () -- C:\WINNT\MBR.exe

========== Files Created - No Company Name ==========

[2010/11/17 14:42:56 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_268.dat
[2010/11/17 12:53:34 | 000,000,498 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Shortcut to scanner.exe.lnk
[2010/11/16 09:23:40 | 000,000,607 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Shortcut to tftpd32.exe.lnk
[2010/11/16 09:23:37 | 000,000,525 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Shortcut to begininstr.bat.lnk
[2010/11/15 12:12:34 | 000,256,512 | ---- | C] () -- C:\WINNT\PEV.exe
[2010/11/15 12:12:34 | 000,098,816 | ---- | C] () -- C:\WINNT\sed.exe
[2010/11/15 12:12:34 | 000,089,088 | ---- | C] () -- C:\WINNT\MBR.exe
[2010/11/15 12:12:34 | 000,080,412 | ---- | C] () -- C:\WINNT\grep.exe
[2010/11/15 12:12:34 | 000,068,096 | ---- | C] () -- C:\WINNT\zip.exe
[2010/11/15 11:54:41 | 003,910,027 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2010/11/13 13:58:02 | 000,000,615 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to Startup.lnk
[2010/11/13 10:53:59 | 000,000,382 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WinZip.lnk
[2010/11/12 17:46:21 | 000,000,383 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to virus_et_al.lnk
[2010/11/12 12:45:30 | 000,001,584 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Antivirus.lnk
[2010/11/12 12:45:12 | 000,380,928 | ---- | C] () -- C:\WINNT\System32\actskin4.ocx
[2010/11/11 16:08:10 | 000,000,603 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/11/11 15:26:02 | 000,000,439 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut (2) to acquire.dsw.lnk
[2006/06/05 12:22:05 | 000,000,010 | ---- | C] () -- C:\WINNT\WININIT.INI
[2006/05/15 13:06:52 | 000,006,995 | ---- | C] () -- C:\WINNT\System32\drivers\ramdisk.sys
[2006/04/06 18:19:48 | 000,000,000 | ---- | C] () -- C:\WINNT\Devcon.INI
[2006/04/06 18:01:02 | 000,053,248 | ---- | C] () -- C:\WINNT\System32\AISS44AO4 Driver C.dll
[2006/04/06 18:01:01 | 000,057,344 | ---- | C] () -- C:\WINNT\System32\GSApi.dll
[2006/04/06 17:40:44 | 000,021,952 | -H-- | C] () -- C:\Program Files\folder.htt
[2006/04/06 13:26:54 | 000,004,073 | ---- | C] () -- C:\WINNT\ODBCINST.INI
[2001/05/08 12:00:00 | 000,176,400 | ---- | C] () -- C:\WINNT\System32\qcut.dll
[2001/05/08 12:00:00 | 000,033,552 | ---- | C] () -- C:\WINNT\System32\efsadu.dll
[2001/05/08 12:00:00 | 000,007,265 | ---- | C] () -- C:\WINNT\System32\iasperf.ini
[2001/05/08 12:00:00 | 000,001,505 | ---- | C] () -- C:\WINNT\System32\faxperf.ini
[2001/05/08 12:00:00 | 000,000,023 | ---- | C] () -- C:\WINNT\welcome.ini
[1999/09/25 10:36:24 | 000,088,816 | ---- | C] () -- C:\WINNT\System32\drivers\lvcam.sys
[1999/09/25 10:36:22 | 000,017,424 | ---- | C] () -- C:\WINNT\System32\drivers\lvsound.sys
[1997/07/11 04:00:00 | 000,031,232 | ---- | C] () -- C:\WINNT\System32\XLREC.DLL
[1997/07/11 04:00:00 | 000,025,600 | ---- | C] () -- C:\WINNT\System32\RECNCL.DLL
[1997/07/11 04:00:00 | 000,022,016 | ---- | C] () -- C:\WINNT\System32\DOCOBJ.DLL
[1997/07/11 04:00:00 | 000,012,288 | ---- | C] () -- C:\WINNT\System32\HLINKPRX.DLL

========== LOP Check ==========

[2006/09/07 01:26:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acronis

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2009/05/06 12:11:00 | 000,581,814 | ---- | M] () -- C:\5_6_9_2nd.bmp
[2003/06/19 16:05:04 | 000,150,528 | RHS- | M] () -- C:\arcldr.exe
[2003/06/19 16:05:04 | 000,163,840 | RHS- | M] () -- C:\arcsetup.exe
[2006/04/06 17:41:49 | 000,000,000 | -H-- | M] () -- C:\AUTOEXEC.BAT
[2009/11/18 14:23:45 | 000,921,654 | ---- | M] () -- C:\bit.bmp
[2006/04/06 13:36:58 | 000,000,192 | -HS- | M] () -- C:\boot.ini
[2009/10/28 14:56:12 | 000,635,238 | ---- | M] () -- C:\cheat_dbr.bmp
[2010/11/16 08:55:58 | 000,006,335 | ---- | M] () -- C:\ComboFix.txt
[2006/04/06 17:41:49 | 000,000,000 | -H-- | M] () -- C:\CONFIG.SYS
[2009/04/10 18:17:07 | 000,581,814 | ---- | M] () -- C:\ehternet_1.bmp
[2009/04/10 18:17:43 | 000,581,814 | ---- | M] () -- C:\ehternet_2.bmp
[2009/05/06 12:07:46 | 000,581,814 | ---- | M] () -- C:\enet_5_6_9.bmp
[2010/08/17 12:02:24 | 001,825,086 | ---- | M] () -- C:\full.bmp
[2009/11/18 14:25:21 | 000,921,654 | ---- | M] () -- C:\gui.bmp
[2006/04/06 17:41:49 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/08/12 17:43:46 | 000,587,910 | ---- | M] () -- C:\ipconfig_8_12_10.bmp
[2006/04/06 17:41:49 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2006/05/10 16:27:46 | 000,034,724 | RHS- | M] () -- C:\NTDETECT.COM
[2006/05/10 16:27:46 | 000,214,432 | RHS- | M] () -- C:\ntldr
[2010/11/17 14:42:45 | 1598,029,824 | -HS- | M] () -- C:\pagefile.sys
[2007/11/27 20:11:00 | 000,000,420 | ---- | M] () -- C:\pipe.txt
[2009/05/07 16:47:46 | 001,810,614 | ---- | M] () -- C:\railed_1.bmp
[2010/11/13 10:57:28 | 000,027,638 | ---- | M] () -- C:\TDSSKiller.2.4.7.0_13.11.2010_10.55.29_log.txt
[2008/10/07 13:44:46 | 000,714,544 | ---- | M] () -- C:\vnc-4_1_2-x86_win32.zip

< %systemroot%\Fonts\*.com >

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2006/04/06 17:41:11 | 000,000,067 | -HS- | M] () -- C:\WINNT\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2003/06/19 16:05:04 | 000,006,928 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\spool\prtprocs\w32x86\sfmpsprt.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2006/04/06 17:40:44 | 000,000,271 | -H-- | M] () -- C:\Program Files\desktop.ini
[2006/04/06 17:40:44 | 000,021,952 | -H-- | M] () -- C:\Program Files\folder.htt

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2006/04/06 13:23:38 | 000,081,920 | ---- | M] () -- C:\WINNT\system32\config\default.sav
[2006/04/06 13:23:38 | 000,540,672 | ---- | M] () -- C:\WINNT\system32\config\software.sav
[2006/04/06 13:23:38 | 000,393,216 | ---- | M] () -- C:\WINNT\system32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2006/05/10 16:37:09 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

< %USERPROFILE%\Desktop\*.exe >
[2010/11/15 06:39:50 | 003,910,027 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2004/10/12 18:58:32 | 000,126,976 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\DrxPortIo.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >
[2001/05/08 12:00:00 | 000,000,777 | ---- | M] () -- C:\WINNT\addins\faxext.ecf

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >
[2001/05/08 12:00:00 | 000,000,654 | ---- | M] () -- C:\WINNT\Config\general.idf
[2001/05/08 12:00:00 | 000,000,658 | ---- | M] () -- C:\WINNT\Config\hindered.idf
[2001/05/08 12:00:00 | 000,000,302 | ---- | M] () -- C:\WINNT\Config\msadlib.idf

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2006/05/10 16:37:09 | 000,000,083 | -HS- | M] () -- C:\Documents and Settings\Administrator\Favorites\Desktop.ini
[2006/04/06 19:15:39 | 000,000,571 | ---- | M] () -- C:\Documents and Settings\Administrator\Favorites\My Documents.lnk

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >
[2006/05/10 16:36:56 | 000,002,370 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >
[2010/11/17 14:57:29 | 000,032,768 | ---- | M] () -- C:\Documents and Settings\Administrator\Cookies\index.dat

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >
[2003/06/19 16:05:04 | 000,221,184 | ---- | M] () -- C:\WINNT\inf\unregmp2.exe

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >


< End of report >
 
OTL Extras logfile created on: 11/17/2010 2:56:39 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Administrator\Desktop\virus_et_al
Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 5.00.3700.1000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 87.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 14.06 Gb Total Space | 10.89 Gb Free Space | 77.46% Space Free | Partition Type: NTFS
Drive D: | 854.99 Mb Total Space | 483.45 Mb Free Space | 56.54% Space Free | Partition Type: NTFS
Drive E: | 74.53 Gb Total Space | 73.12 Gb Free Space | 98.11% Space Free | Partition Type: NTFS
Drive F: | 1.86 Gb Total Space | 1.50 Gb Free Space | 80.77% Space Free | Partition Type: FAT32
Drive Z: | 30.92 Mb Total Space | 30.92 Mb Free Space | 100.00% Space Free | Partition Type: FAT

Computer Name: RTM-II | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- %1
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{36BD0774-6CD6-4FF9-A148-83CA09AC123E}" = Intel(R) PROSafe for Wired Connections
"{403EF592-953B-4794-BCEF-ECAB835C2095}" = Intel(R) PROSafe for Wired Connections
"{6F716D8C-398F-11D3-85E1-005004838609}" = WebFldrs
"{7F129516-73AD-4232-8FD0-C7BC2508B274}" = Acronis*True*Image
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver
"{9E8D3DE4-63B4-4BFC-80DA-9426D7A9789A}" = PCI-417Wins
"avast!" = avast! Antivirus
"DiskSpeed32" = DiskSpeed32
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft Developer Network - Visual Studio 6.0a" = MSDN Library - Visual Studio 6.0a
"Office8.0" = Microsoft Office 97, Professional Edition
"RealVNC_is1" = VNC Free Edition 4.1.2
"Visual C++ 6.0 Professional Edition" = Microsoft Visual C++ 6.0 Professional Edition

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/11/2010 7:33:39 AM | Computer Name = RTM-II | Source = rasctrs | ID = 2001
Description =

Error - 2/11/2010 7:45:37 AM | Computer Name = RTM-II | Source = Userenv | ID = 1000
Description = Windows cannot unload your registry class file. If you have a roaming
profile, your settings are not replicated. Contact your administrator. DETAIL
Access is denied. , Build number ((2195)).

Error - 2/11/2010 7:21:05 AM | Computer Name = RTM-II | Source = PerfDisk | ID = 1000
Description = Unable to open the Disk performance object. Status code returned is
data
DWORD 0.

Error - 2/11/2010 7:21:05 AM | Computer Name = RTM-II | Source = rasctrs | ID = 2001
Description =

Error - 2/11/2010 7:56:02 AM | Computer Name = RTM-II | Source = PerfDisk | ID = 1000
Description = Unable to open the Disk performance object. Status code returned is
data
DWORD 0.

Error - 2/11/2010 7:56:02 AM | Computer Name = RTM-II | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 2/11/2010 7:56:02 AM | Computer Name = RTM-II | Source = PerfNet | ID = 2002
Description = Unable to open the Redirector service. Redirector performance data
will not be returned. Error code returned is in data DWORD 0.

Error - 2/11/2010 7:56:03 AM | Computer Name = RTM-II | Source = rasctrs | ID = 2001
Description =

Error - 8/12/2010 3:26:29 PM | Computer Name = RTM-II | Source = Userenv | ID = 1000
Description = Windows cannot unload your registry file. If you have a roaming profile,
your settings are not replicated. Contact your administrator. DETAIL - Access
is denied. , Build number ((2195)).

Error - 8/18/2010 3:35:54 PM | Computer Name = RTM-II | Source = Userenv | ID = 1000
Description = Windows cannot unload your registry file. If you have a roaming profile,
your settings are not replicated. Contact your administrator. DETAIL - Access
is denied. , Build number ((2195)).

[ System Events ]
Error - 11/13/2010 10:01:41 AM | Computer Name = RTM-II | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the avast! Mail Scanner service
to connect.

Error - 11/13/2010 10:01:41 AM | Computer Name = RTM-II | Source = Service Control Manager | ID = 7000
Description = The avast! Mail Scanner service failed to start due to the following
error: %%1053

Error - 11/13/2010 10:01:41 AM | Computer Name = RTM-II | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the avast! Web Scanner service
to connect.

Error - 11/13/2010 10:01:41 AM | Computer Name = RTM-II | Source = Service Control Manager | ID = 7000
Description = The avast! Web Scanner service failed to start due to the following
error: %%1053

Error - 11/13/2010 10:01:42 AM | Computer Name = RTM-II | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the avast! Mail Scanner service
to connect.

Error - 11/13/2010 10:01:42 AM | Computer Name = RTM-II | Source = Service Control Manager | ID = 7000
Description = The avast! Mail Scanner service failed to start due to the following
error: %%1053

Error - 11/13/2010 10:01:42 AM | Computer Name = RTM-II | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the avast! Web Scanner service
to connect.

Error - 11/13/2010 10:01:42 AM | Computer Name = RTM-II | Source = Service Control Manager | ID = 7000
Description = The avast! Web Scanner service failed to start due to the following
error: %%1053

Error - 11/13/2010 10:01:43 AM | Computer Name = RTM-II | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the avast! Web Scanner service
to connect.

Error - 11/13/2010 10:01:43 AM | Computer Name = RTM-II | Source = Service Control Manager | ID = 7000
Description = The avast! Web Scanner service failed to start due to the following
error: %%1053


< End of report >
 
The tcp/ip issue seems to have cleared itself. There is a TFTP (tiny ftp) program that loads a script file. Up until this morning it wasn't loading the script file. Suddenly it began working correctly and has been through several boot cycles.
 
Good news :)

Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

===================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

===================================================================

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • IMPORTANT! UN-check Remove found threats
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE. If Eset won't find any threats, it won't produce any log.
 
Status
Not open for further replies.
Back