NT Authority System shutdown & lsass.exe error

Inactive
By Smashh
May 19, 2011
Topic Status:
Not open for further replies.
  1. I have an XP Pro with SP3. I was using the computer with no problems when I noticed the automatic update shield in the task bar. I clicked on it and it vanished only to reappear a few minutes later. This process repeated several times without actually installing anything so I rebooted my computer just to see if it would stop. Ever since then I keep getting this error:

    "This shutdown was initiated by NT Authority System. The system process C:\WINDOWS\SYSTEM32\LSASS.EXE terminated unexpectedly with status code 073741795. The system will shut down and restart in 60 seconds"

    I've run a full scan with Microsoft Security Essentials and Malwarebytes Anti-Malware. I've also run the Symantec removal tool for the MSBlast and Sasser viruses and both scans came back clean, no signs of their respective viruses. I've run the Microsoft Malicious Software tool and it came back clean as well. I'm at my wits' end on what to do and I was hoping someone here might be able to provide a fix for me.

    My HJT Log was run in safe mode with networking while logged in as an admin, as this is the only way I can log in. If I log in normally, the error message pops up before any icons or even the start button appear on the desktop.


  2. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  3. Smashh

    Smashh Newcomer, in training Topic Starter

    lsass.exe shutdown problem

    Okay, I read the steps in the link provided and I was able to boot into normal mode; however, just like every time before, the message pops up as soon as Windows loads, so I am unable to run any programs. The first thing I have to do is click Start --> Run, type cmd, press Enter and then type shutdown -a. This stops the shutdown timer and allows me to stay logged on. However, I am unable to run my antivirus (Microsoft Security Essentials) or Malwarebytes' Anti-Malware. MSE won't even turn on and MBAM locks up a few seconds into the scan... every time. I've tried downloading Avira and Avast, but when I click "Save" the browser locks up. I'm also unable to update my Java from version 6 update 24 to version 6 update 25. When I click on update, nothing happens at all... even after waiting for 10 minutes or longer. Also, I can't download and install anything, including HijackThis, in normal boot mode. I have it downloaded in safe mode though.

    What should I do next?
  4. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Running all prescribed scans in safe mode will be fine for now.
  5. Smashh

    Smashh Newcomer, in training Topic Starter

    Below are the requested logs in the order the scans were executed. Please note that I was unable to run my antivirus (Microsoft Security Essentials). When I tried to perform the scan, nothing happened. I let the scanning screen sit there for a good 10-15 minutes and there was absolutely no activity. I downloaded and installed Avira, linked in your 7-step instructions, but it would not run, citing that it could not scan because there was a parallel Microsoft Update in progress. I was unable to find any evidence of this. I downloaded and installed Avast, linked in your 7-step instructions, and it would not scan either, saying that the program was incorrectly installed and that I should reinstall it.

    The remaining scans were executed in safe mode with networking enabled and I was logged in as Administrator.

    MBAM LOG:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6630

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    5/20/2011 8:27:28 PM
    mbam-log-2011-05-20 (20-27-28).txt

    Scan type: Quick scan
    Objects scanned: 146255
    Time elapsed: 2 minute(s), 36 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\piffile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (???* %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    GMER LOG:

    GMER 1.0.15.15627 - http://www.gmer.net
    Rootkit quick scan 2011-05-20 20:37:02
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 WDC_WD300AB-00BPA1 rev.18.20D18
    Running: mfejy6vy.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwpdypow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/AVAST Software)

    ---- EOF - GMER 1.0.15 ----


    DDS LOGS:
    DDS:
    .
    DDS (Ver_11-05-19.01) - NTFSx86 NETWORK
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
    Run by Administrator at 20:38:31 on 2011-05-20
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1697 [GMT -5:00]
    .
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    FW: ZoneAlarm Firewall *Disabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Administrator\Desktop\dds.scr
    C:\WINDOWS\system32\WSCRIPT.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2645238
    uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
    BHO: Trillian Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Trillian Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
    TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
    mRun: [C-Media Mixer] Mixer.exe /startup
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1304074353265
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    LSA: Notification Packages = scecli scecli
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\862a813j.default\
    FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-20 441176]
    S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-5-20 307928]
    S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-5-20 19544]
    S2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-5-20 42184]
    S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011-5-9 27064]
    S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-5-18 532224]
    .
    =============== File Associations ===============
    .
    piffile=???*no open command defined ***
    .
    =============== Created Last 30 ================
    .
    2011-05-21 01:22:18 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-05-21 01:22:08 40112 ----a-w- c:\windows\avastSS.scr
    2011-05-21 01:21:54 -------- d-----w- c:\program files\AVAST Software
    2011-05-21 01:21:54 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
    2011-05-21 00:52:27 -------- d-----w- c:\documents and settings\administrator\application data\com.adobe.downloadassistant.AdobeDownloadAssistant
    2011-05-21 00:52:16 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Adobe
    2011-05-20 21:23:54 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e5d1cb4a-150f-4c49-bea4-a8c05ce57d57}\MpKsl6fd4304c.sys
    2011-05-20 21:21:11 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e5d1cb4a-150f-4c49-bea4-a8c05ce57d57}\MpKsl7645f9a7.sys
    2011-05-20 06:26:22 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e5d1cb4a-150f-4c49-bea4-a8c05ce57d57}\MpKsl5b6f13b0.sys
    2011-05-19 08:11:40 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e5d1cb4a-150f-4c49-bea4-a8c05ce57d57}\MpKsl59a8ca47.sys
    2011-05-19 07:40:41 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e5d1cb4a-150f-4c49-bea4-a8c05ce57d57}\MpKsl2357eaaa.sys
    2011-05-19 06:27:03 -------- d-----w- c:\windows\pss
    2011-05-19 05:55:12 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e5d1cb4a-150f-4c49-bea4-a8c05ce57d57}\MpKsle01e9af5.sys
    2011-05-19 05:52:51 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e5d1cb4a-150f-4c49-bea4-a8c05ce57d57}\MpKslbe6189b9.sys
    2011-05-19 05:50:01 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e5d1cb4a-150f-4c49-bea4-a8c05ce57d57}\MpKsl43c1a1c2.sys
    2011-05-19 04:09:32 -------- d-----w- c:\documents and settings\administrator\application data\Mumble
    2011-05-19 04:04:03 -------- d-----w- c:\documents and settings\administrator\application data\.purple
    2011-05-19 03:35:22 -------- d-----w- c:\documents and settings\administrator\application data\Trillian
    2011-05-19 02:33:35 -------- d-----w- c:\documents and settings\administrator\application data\CheckPoint
    2011-05-19 02:27:33 -------- d-----w- c:\program files\Conduit
    2011-05-19 02:27:29 -------- d-----w- c:\documents and settings\administrator\local settings\application data\ZoneAlarm_Security
    2011-05-19 02:27:28 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Temp
    2011-05-19 02:27:28 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Conduit
    2011-05-19 02:27:25 -------- d-----w- c:\program files\ZoneAlarm_Security
    2011-05-19 02:26:57 -------- d-----w- c:\program files\CheckPoint
    2011-05-19 02:26:42 1238528 ----a-w- c:\windows\system32\zpeng25.dll
    2011-05-19 02:26:42 -------- d-----w- c:\windows\system32\ZoneLabs
    2011-05-19 02:26:38 -------- d-----w- c:\program files\Zone Labs
    2011-05-19 02:25:55 -------- d-----w- c:\windows\Internet Logs
    2011-05-19 02:18:46 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
    2011-05-19 02:14:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-19 02:14:57 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-05-19 02:14:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-19 02:14:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-19 02:01:17 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Mozilla
    2011-05-19 01:53:17 7071056 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e5d1cb4a-150f-4c49-bea4-a8c05ce57d57}\mpengine.dll
    2011-05-19 01:48:15 -------- d-sh--w- c:\documents and settings\administrator\IECompatCache
    2011-05-19 01:47:54 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
    2011-05-19 01:47:01 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
    2011-05-18 08:37:22 -------- d-----w- c:\program files\Audacity
    2011-05-17 02:04:12 197120 ----a-w- c:\windows\system32\System47.scr
    2011-05-17 02:04:11 -------- d-----w- c:\windows\system32\System47 dir
    2011-05-15 07:27:59 7071056 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2011-05-15 03:59:46 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-05-15 03:56:01 -------- d-----w- c:\program files\Microsoft Security Client
    2011-05-15 01:33:18 294912 ------w- c:\program files\windows media player\dlimport.exe
    2011-05-15 01:33:15 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
    2011-05-15 01:29:44 19569 ----a-w- c:\windows\005967_.tmp
    2011-05-14 00:13:10 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-12 02:18:53 274288 ----a-w- c:\windows\system32\mucltui.dll
    2011-05-12 02:18:53 215920 ----a-w- c:\windows\system32\muweb.dll
    2011-05-12 02:18:53 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
    2011-05-12 01:48:18 -------- d-----w- c:\windows\system32\appmgmt
    2011-05-12 00:39:33 -------- d-----w- C:\tazti_2.0_xp_32-bit
    2011-05-09 23:20:39 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
    2011-05-09 23:20:32 -------- d-----w- c:\program files\VS Revo Group
    2011-05-09 21:58:46 -------- dc-h--w- c:\windows\ie8
    2011-05-09 21:25:29 -------- d-----w- c:\program files\Yahoo!
    2011-05-08 21:09:02 -------- d-----w- c:\program files\VideoLAN
    2011-05-08 20:37:06 -------- d-----w- c:\program files\GIMP-2.0
    2011-05-06 17:59:49 -------- d-----w- c:\windows\system32\LogFiles
    2011-05-06 17:58:09 -------- d-----w- c:\program files\Adobe Download Assistant
    2011-05-04 19:58:26 -------- d-----w- c:\program files\Pidgin
    2011-05-04 19:29:43 -------- d-----w- c:\program files\KVIrc
    2011-05-03 16:50:14 819200 ----a-w- c:\windows\system32\xvidcore.dll
    2011-05-03 16:50:14 77824 ----a-w- c:\windows\system32\xvid.ax
    2011-05-03 16:50:14 180224 ----a-w- c:\windows\system32\xvidvfw.dll
    2011-05-03 16:50:14 -------- d-----w- c:\program files\Xvid
    2011-05-02 21:44:16 -------- d-----w- c:\program files\common files\Akamai
    2011-04-30 02:43:03 -------- d-----w- c:\windows\system32\XPSViewer
    2011-04-30 02:42:14 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2011-04-30 02:41:21 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2011-04-30 02:41:21 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2011-04-30 02:41:21 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2011-04-30 02:41:21 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2011-04-30 02:41:21 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2011-04-30 02:41:21 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2011-04-30 02:41:21 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2011-04-30 02:41:21 117760 ------w- c:\windows\system32\prntvpt.dll
    2011-04-30 02:37:14 -------- d-----w- c:\program files\MSXML 6.0
    2011-04-30 02:17:10 28552 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\mdippr.dll
    2011-04-30 02:17:10 28040 ----a-w- c:\windows\system32\mdimon.dll
    2011-04-30 02:15:05 -------- d-----w- c:\program files\Microsoft ActiveSync
    2011-04-30 02:13:47 -------- d-----w- c:\windows\SHELLNEW
    2011-04-29 14:19:05 -------- d-----w- c:\windows\system32\NtmsData
    2011-04-29 12:23:53 -------- d-----w- c:\windows\system32\ReinstallBackups
    2011-04-29 11:58:09 -------- d-----w- c:\program files\BitTorrent
    2011-04-29 11:34:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-04-29 11:34:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-04-29 10:58:40 -------- d-----w- c:\windows\system32\PreInstall
    2011-04-29 10:58:39 26144 ----a-w- c:\windows\system32\spupdsvc.exe
    2011-04-29 10:58:38 -------- d--h--w- c:\windows\$hf_mig$
    2011-04-29 10:54:10 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
    2011-04-29 10:54:10 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
    2011-04-29 10:54:10 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
    2011-04-29 10:54:09 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
    2011-04-29 10:54:09 -------- d-----w- c:\windows\system32\SoftwareDistribution
    2011-04-29 10:00:38 -------- d-----r- c:\program files\Skype
    2011-04-29 05:38:24 -------- d-----w- c:\program files\Ask.com
    2011-04-29 05:25:49 -------- d-----w- c:\program files\Mumble
    .
    ==================== Find3M ====================
    .
    2011-04-29 05:56:04 712704 ----a-w- c:\windows\inf\other\AUDIO3D.DLL
    2011-03-04 19:44:14 59888 ------w- c:\windows\system32\pxwma.dll
    2011-03-04 19:44:14 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys
    2011-03-04 19:44:14 133616 ------w- c:\windows\system32\pxafs.dll
    2011-03-04 19:44:12 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
    2011-03-04 19:44:12 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
    2011-03-04 19:44:12 126448 ------w- c:\windows\system32\pxinsi64.exe
    2011-03-04 19:44:12 123888 ------w- c:\windows\system32\pxcpyi64.exe
    .
    ============= FINISH: 20:39:34.04 ===============

    ATTACH LOG:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-05-19.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/28/2011 11:44:59 PM
    System Uptime: 5/20/2011 8:28:56 PM (0 hours ago)
    .
    Motherboard: | | P4X400-8235
    Processor: Intel(R) Celeron(R) CPU 2.70GHz | Socket 478 | 2888/107mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 28 GiB total, 14.976 GiB free.
    D: is CDROM (CDFS)
    E: is CDROM (CDFS)
    F: is FIXED (NTFS) - 93 GiB total, 25.717 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Video Controller (VGA Compatible)
    Device ID: PCI\VEN_1002&DEV_71C2&SUBSYS_030B1002&REV_00\4&283A33D&0&0008
    Manufacturer:
    Name: Video Controller (VGA Compatible)
    PNP Device ID: PCI\VEN_1002&DEV_71C2&SUBSYS_030B1002&REV_00\4&283A33D&0&0008
    Service:
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Video Controller
    Device ID: PCI\VEN_1002&DEV_71E2&SUBSYS_030A1002&REV_00\4&283A33D&0&0108
    Manufacturer:
    Name: Video Controller
    PNP Device ID: PCI\VEN_1002&DEV_71E2&SUBSYS_030A1002&REV_00\4&283A33D&0&0108
    Service:
    .
    ==== System Restore Points ===================
    .
    RP111: 5/20/2011 5:33:21 AM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    7-Zip 9.20
    Adobe AIR
    Adobe Download Assistant
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Ask Toolbar
    Audacity 1.2.6
    avast! Free Antivirus
    BitTorrent
    GIMP 2.6.11
    Google Talk Plugin
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB981793)
    Java Auto Updater
    Java(TM) 6 Update 24
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Office Professional Edition 2003
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual Studio 2010 Tools for Office Runtime (x86)
    Mozilla Firefox 4.0.1 (x86 en-US)
    MSXML 6 Service Pack 2 (KB973686)
    Mumble 1.2.3
    PCI Audio Driver
    Pidgin
    Revo Uninstaller Pro 2.5.3
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB982381)
    Skype™ 5.3
    System47 Screen Saver
    Trillian
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VLC media player 1.1.9
    WebFldrs XP
    Winamp
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 8
    Windows Media Format Runtime
    Windows XP Service Pack 3
    WinRAR 4.00 (32-bit)
    Xvid 1.2.2 final uninstall
    ZoneAlarm
    ZoneAlarm Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    5/20/2011 8:30:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSP aswTdi Fips intelppm MpFilter
    5/20/2011 8:23:36 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\AVAST Software\Avast\AvastUI.exe. Reference error message: The operation completed successfully. .
    5/20/2011 8:12:44 PM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
    5/20/2011 7:51:45 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.2031.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
    5/20/2011 4:00:56 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.2031.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
    5/20/2011 1:46:20 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.MFC. Reference error message: The referenced assembly is not installed on your system. .
    5/20/2011 1:46:20 PM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\Michael\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
    5/20/2011 1:46:20 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.MFC could not be found and Last Error was The referenced assembly is not installed on your system.
    5/19/2011 9:28:48 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
    5/19/2011 5:07:12 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service ImapiService with arguments "-Service" in order to run the server: {520CCA63-51A5-11D3-9144-00104BA11C5E}
    5/19/2011 3:54:06 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    5/19/2011 3:06:44 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    5/19/2011 2:50:45 AM, error: Service Control Manager [7024] - The Computer Browser service terminated with service-specific error 2146 (0x862).
    5/19/2011 2:48:11 AM, error: Service Control Manager [7038] - The SSDPSRV service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: The handle is invalid. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    5/19/2011 2:47:39 AM, error: Service Control Manager [7023] - The Microsoft Antimalware Service service terminated with the following error: %%2147550931
    5/19/2011 2:47:24 AM, error: Service Control Manager [7023] - The Remote Access Connection Manager service terminated with the following error: Incorrect function.
    5/19/2011 2:47:24 AM, error: Rasman [20033] - Remote Access Connection Manager failed to start because it could not register with the local security authority. Restart the computer. Incorrect function.
    5/19/2011 2:47:21 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: A security package specific error occurred.
    5/19/2011 2:47:21 AM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not start due to a logon failure.
    5/19/2011 2:47:20 AM, error: Service Control Manager [7038] - The ALG service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: The handle is invalid. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    5/19/2011 2:47:18 AM, error: Service Control Manager [7038] - The SSDPSRV service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: An internal error occurred. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    5/19/2011 2:47:18 AM, error: Service Control Manager [7000] - The SSDP Discovery Service service failed to start due to the following error: The service did not start due to a logon failure.
    5/19/2011 12:49:18 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    5/18/2011 8:51:43 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
    5/18/2011 8:49:08 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Install Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80070008 Error description: Not enough storage is available to process this command.
    5/18/2011 8:49:08 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Install Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80070008 Error description: Not enough storage is available to process this command.
    5/18/2011 8:49:08 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Install Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80070008 Error description: Not enough storage is available to process this command.
    5/18/2011 8:49:08 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Install Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80070008 Error description: Not enough storage is available to process this command.
    5/18/2011 8:49:08 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Install Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80070008 Error description: Not enough storage is available to process this command.
    5/18/2011 8:47:53 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm MpFilter
    5/18/2011 8:47:37 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
    5/18/2011 8:47:37 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    5/18/2011 8:46:55 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    5/18/2011 8:46:36 PM, error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Backup Error Code: 0x8050a005 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signature version: 1.103.1845.0;1.103.1845.0 Engine version: 1.1.6802.0
    5/18/2011 8:44:12 PM, error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Backup Error Code: 0x8050a005 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signature version: 1.103.1845.0;1.103.1845.0 Engine version: 1.1.6802.0
    5/18/2011 8:41:42 PM, error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Backup Error Code: 0x8050a005 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signature version: 1.103.1845.0;1.103.1845.0 Engine version: 1.1.6802.0
    5/18/2011 8:39:09 PM, error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Backup Error Code: 0x8050a005 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signature version: 1.103.1845.0;1.103.1845.0 Engine version: 1.1.6802.0
    5/18/2011 8:36:21 PM, error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Backup Error Code: 0x8050a005 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signature version: 1.103.1845.0;1.103.1845.0 Engine version: 1.1.6802.0
    5/18/2011 8:34:02 PM, error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Backup Error Code: 0x8050a005 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signature version: 1.103.1845.0;1.103.1845.0 Engine version: 1.1.6802.0
    5/18/2011 8:33:53 PM, error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x8050a005 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signature version: 1.103.1952.0;1.103.1952.0 Engine version: 1.1.6802.0
    5/18/2011 8:33:47 PM, error: W32Time [46] - The time service encountered an error and was forced to shut down. The error was: 0x800706BA
    5/18/2011 8:33:47 PM, error: Distributed Link Tracking Client [12502] - Service failed to start. Error = 80070862
    5/18/2011 8:33:47 PM, error: Distributed Link Tracking Client [12500] - An internal error occured in Distributed Link Tracking. The error code was 80070862.
    5/18/2011 6:33:57 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.103.2031.0).
    5/18/2011 6:33:52 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.1952.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x80070643 Error description: Fatal error during installation.
    5/18/2011 6:33:49 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: 1.103.2031.0 Previous Signature Version: 1.103.1952.0 Update Source: User Update Stage: Install Source Path: Signature Type: AntiVirus Update Type: Delta User: NT AUTHORITY\SYSTEM Current Engine Version: 1.1.6802.0 Previous Engine Version: 1.1.6802.0 Error code: 0x8050a005 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support.
    5/18/2011 6:33:49 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: 1.103.2031.0 Previous Signature Version: 1.103.1952.0 Update Source: User Update Stage: Install Source Path: Signature Type: AntiSpyware Update Type: Delta User: NT AUTHORITY\SYSTEM Current Engine Version: 1.1.6802.0 Previous Engine Version: 1.1.6802.0 Error code: 0x8050a005 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support.
    5/16/2011 6:27:59 PM, error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Backup Error Code: 0x80096010 Error description: The digital signature of the object did not verify. Signature version: 1.103.1753.0;1.103.1753.0 Engine version: 1.1.6802.0
    5/16/2011 6:27:28 PM, error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x8050a005 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signature version: 1.103.1771.0;1.103.1771.0 Engine version: 1.1.6802.0
    5/15/2011 11:19:36 PM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\D.
    5/15/2011 11:19:36 PM, error: atapi [5] - A parity error was detected on \Device\Ide\IdePort0.
    5/14/2011 7:28:16 PM, error: Schannel [36865] - A fatal error occurred while opening the system DSS cryptographic module. Operations that require the SSL or TLS cryptographic protocols will not work correctly. The error code is 0x80090006.
    5/14/2011 10:53:09 PM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk0\D.
    5/13/2011 8:39:26 PM, error: Dhcp [1002] - The IP address lease 69.247.11.212 for the Network Card with network address 00502C07EFF1 has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
    5/13/2011 8:35:44 PM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 00502C07EFF1 has been denied by the DHCP server 68.87.68.19 (The DHCP Server sent a DHCPNACK message).
    5/13/2011 7:33:57 PM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: Invalid Signature.
    .
    ==== End Of File ===========================
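Added example, not part of the thread or of any tool it mentions: a small parser for event-log lines in the "date time, level: Source [ID] - message" layout quoted above. It groups errors by source and event ID, flags messages that point at the local security authority or service logon (the part of the system lsass.exe serves), and clusters entries by time so the burst of service failures around one boot stands out. The sample lines are constructed from the format shown here; the marker strings and the 120-second window are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the same layout as the quoted log (newest first, with
# the "." and "End Of File" trailer that the parser has to skip).
SAMPLE_LOG = r"""
5/19/2011 2:48:11 AM, error: Service Control Manager [7038] - The SSDPSRV service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: The handle is invalid.
5/19/2011 2:47:24 AM, error: Service Control Manager [7023] - The Remote Access Connection Manager service terminated with the following error: Incorrect function.
5/19/2011 2:47:24 AM, error: Rasman [20033] - Remote Access Connection Manager failed to start because it could not register with the local security authority. Restart the computer. Incorrect function.
5/19/2011 2:47:21 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: A security package specific error occurred.
5/19/2011 2:47:21 AM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not start due to a logon failure.
5/19/2011 2:47:20 AM, error: Service Control Manager [7038] - The ALG service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: The handle is invalid.
5/18/2011 8:47:37 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
5/13/2011 7:33:57 PM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: Invalid Signature.
.
==== End Of File ===========================
"""

# One quoted line: "M/D/YYYY h:mm:ss AM, level: Source [ID] - message"
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)

# Assumed phrases that tie a service failure to LSA / service logon problems.
LSA_MARKERS = (
    "local security authority",
    "security package",
    "logon failure",
    "unable to log on",
)


def parse_event_lines(text):
    """Return a list of dicts (time, level, source, id, msg), oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines, "." separators, the End Of File trailer
        e = m.groupdict()
        e["id"] = int(e["id"])
        e["time"] = datetime.strptime(e.pop("date"), "%m/%d/%Y %I:%M:%S %p")
        events.append(e)
    return sorted(events, key=lambda e: e["time"])  # stable: ties keep file order


def lsa_related(events):
    """Events whose message mentions LSA, security packages or service logon."""
    return [e for e in events if any(k in e["msg"].lower() for k in LSA_MARKERS)]


def count_by_source_id(events):
    """How often each (source, event ID) pair appears."""
    return Counter((e["source"], e["id"]) for e in events)


def cluster_by_time(events, window_s=120):
    """Split the (sorted) events into bursts: a gap > window_s starts a new one."""
    clusters = []
    for e in events:
        if clusters and (e["time"] - clusters[-1][-1]["time"]).total_seconds() <= window_s:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


def summarize(text):
    """The figures a responder wants first: totals, LSA hits, and the busiest burst."""
    events = parse_event_lines(text)
    busiest = max(cluster_by_time(events), key=len)
    return {
        "total": len(events),
        "lsa_related": len(lsa_related(events)),
        "by_source_id": count_by_source_id(events),
        "busiest_cluster": [(e["source"], e["id"]) for e in busiest],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} errors, {s['lsa_related']} LSA/logon related")
    for (src, eid), n in s["by_source_id"].most_common():
        print(f"  {n:2d} x {src} [{eid}]")
    print("busiest burst:", s["busiest_cluster"])
```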
  6. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Good :)

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    Click the "Scan" button to start scan:

    On completion of the scan click "Save log", save it to your desktop and post in your next reply:

    ====================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  7. Smashh

    Smashh Newcomer, in training Topic Starter

    Both scans were conducted in safe mode with networking and logged in as administrator.

    aswMBR LOG:

    aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
    Run date: 2011-05-20 21:11:43
    -----------------------------
    21:11:43.140 OS Version: Windows 5.1.2600 Service Pack 3
    21:11:43.140 Number of processors: 1 586 0x209
    21:11:43.140 ComputerName: MICHAEL-C1C5524 UserName: Administrator
    21:11:43.593 Initialize success
    21:11:48.546 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
    21:11:48.562 Disk 0 Vendor: WDC_WD300AB-00BPA1 18.20D18 Size: 28629MB BusType: 3
    21:11:48.578 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
    21:11:48.593 Disk 1 Vendor: Maxtor_6L100P0 BAJ41G20 Size: 95611MB BusType: 3
    21:11:50.625 Disk 0 MBR read successfully
    21:11:50.656 Disk 0 MBR scan
    21:11:50.671 Disk 0 Windows XP default MBR code
    21:11:52.687 Disk 0 scanning sectors +58605120
    21:11:52.718 Disk 0 scanning C:\WINDOWS\system32\drivers
    21:12:00.343 Service scanning
    21:12:02.953 Disk 0 trace - called modules:
    21:12:03.000 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaide.sys PCIIDEX.SYS
    21:12:03.015 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89bc9ab8]
    21:12:03.031 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\00000056[0x89bc63b8]
    21:12:07.390 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x89b86d98]
    21:12:07.703 Scan finished successfully
    21:12:34.625 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
    21:12:34.640 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"


    COMBOFIX LOG:

    ComboFix 11-05-19.02 - Administrator 05/20/2011 22:14:27.2.1 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1678 [GMT -5:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Michael\Local Settings\Temp\IswTmp\WH\0
    .
    -- Previous Run --
    .
    Infected copy of c:\windows\system32\mshtml.dll was found and disinfected
    Restored copy from - c:\windows\system32\dllcache\mshtml.dll
    .
    Infected copy of c:\windows\system32\mshtml.dll was found and disinfected
    Restored copy from - c:\windows\system32\dllcache\mshtml.dll
    .
    Infected copy of c:\windows\system32\msvcrt.dll was found and disinfected
    Restored copy from - c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll
    .
    Infected copy of c:\windows\system32\mshtml.dll was found and disinfected
    Restored copy from - c:\windows\system32\dllcache\mshtml.dll
    .
    Infected copy of c:\windows\system32\msvcrt.dll was found and disinfected
    Restored copy from - c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll
    .
    Infected copy of c:\windows\pchealth\helpctr\binaries\helpsvc.exe was found and disinfected
    Restored copy from - c:\windows\$hf_mig$\KB2229593\SP2QFE\helpsvc.exe
    .
    Infected copy of c:\windows\system32\mshtml.dll was found and disinfected
    Restored copy from - c:\windows\system32\dllcache\mshtml.dll
    .
    Infected copy of c:\windows\system32\msvcrt.dll was found and disinfected
    Restored copy from - c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll
    .
    Infected copy of c:\windows\pchealth\helpctr\binaries\helpsvc.exe was found and disinfected
    Restored copy from - c:\windows\$hf_mig$\KB2229593\SP2QFE\helpsvc.exe
    .
    Infected copy of c:\windows\system32\wbem\wmiprvse.exe was found and disinfected
    Restored copy from - c:\windows\$NtServicePackUninstall$\wmiprvse.exe
    .
    --------
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-21 to 2011-05-21 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-12 00:39 . 2011-05-12 00:39 -------- d-----w- C:\tazti_2.0_xp_32-bit
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-29 05:56 . 2011-04-29 05:54 712704 ----a-w- c:\windows\inf\OTHER\AUDIO3D.DLL
    2011-04-30 09:14 . 2011-04-29 05:34 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-03-28 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    2011-03-28 16:22 176936 ----a-w- c:\program files\ZoneAlarm_Security\prxtbZone.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2011-02-02 00:17 1487240 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]
    "{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-03-28 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2011-03-18 1043968]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2011-03-22 74752]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-02-15 738808]
    "C-Media Mixer"="Mixer.exe" [2002-07-12 1581056]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "idsvc"=3 (0x3)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Documents and Settings\\Michael\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Winamp\\winamp.exe"=
    "c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Trillian\\trillian.exe"=
    .
    S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [5/9/2011 6:20 PM 27064]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-115176313-725345543-1003Core.job
    - c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-29 02:39]
    .
    2011-05-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-115176313-725345543-1003UA.job
    - c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-29 02:39]
    .
    2011-05-21 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
    .
    2011-05-21 c:\windows\Tasks\MpIdleTask.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
    .
    2011-05-21 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2011-02-02 00:17]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2645238
    FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\oxt0fo8d.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-20 22:21
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-05-20 22:24:38
    ComboFix-quarantined-files.txt 2011-05-21 03:24
    .
    Pre-Run: 19,702,448,128 bytes free
    Post-Run: 19,659,681,792 bytes free
    .
    - - End Of File - - A853E9B5D84AE75584260F0395F83518
  8. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Try to restart in normal mode and let me know how it goes.
  9. Smashh

    Smashh Newcomer, in training Topic Starter

    The only change is that the error now makes no mention of NT Authority System. Instead, it now reads:

    "This system is shutting down. Please save all work and log off. Any unsaved work will be lost. This shutdown was initiated by \.

    The system process C:\WINDOWS\SYSTEM32\LSASS.EXE terminated unexpectedly with status code 073741795. The system will shut down and restart in 60 seconds"
  10. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Please, re-run Combofix and post fresh log.
  11. Smashh

    Smashh Newcomer, in training Topic Starter

    Here's the fresh ComboFix log, run again in safe mode, logged in as administrator.

    ComboFix Log:

    ComboFix 11-05-19.02 - Administrator 05/21/2011 0:12.3.1 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1682 [GMT -5:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Michael\Local Settings\Temp\IswTmp\WH\0
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-21 to 2011-05-21 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-12 00:39 . 2011-05-12 00:39 -------- d-----w- C:\tazti_2.0_xp_32-bit
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-29 05:56 . 2011-04-29 05:54 712704 ----a-w- c:\windows\inf\OTHER\AUDIO3D.DLL
    2011-04-30 09:14 . 2011-04-29 05:34 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-03-28 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    2011-03-28 16:22 176936 ----a-w- c:\program files\ZoneAlarm_Security\prxtbZone.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2011-02-02 00:17 1487240 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]
    "{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-03-28 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2011-03-18 1043968]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2011-03-22 74752]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-02-15 738808]
    "C-Media Mixer"="Mixer.exe" [2002-07-12 1581056]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "idsvc"=3 (0x3)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Documents and Settings\\Michael\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Winamp\\winamp.exe"=
    "c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Trillian\\trillian.exe"=
    .
    S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [5/9/2011 6:20 PM 27064]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-115176313-725345543-1003Core.job
    - c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-29 02:39]
    .
    2011-05-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-115176313-725345543-1003UA.job
    - c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-29 02:39]
    .
    2011-05-21 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
    .
    2011-05-21 c:\windows\Tasks\MpIdleTask.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
    .
    2011-05-21 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2011-02-02 00:17]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2645238
    FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\oxt0fo8d.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-21 00:18
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-05-21 00:20:45
    ComboFix-quarantined-files.txt 2011-05-21 05:20
    ComboFix2.txt 2011-05-21 03:24
    .
    Pre-Run: 19,645,243,392 bytes free
    Post-Run: 19,642,585,088 bytes free
    .
    - - End Of File - - 93FA745FB38F8B58DBB7D0C607E919BA
     
  12. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    • Close SUPERAntiSpyware.
    Restart the computer in Safe Mode.
    To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

    • Open SUPERAntiSpyware.
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Terminate memory threats before quarantining.
    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Copy and paste the Scan Log results in your next reply.
    • Click Close to exit the program.

    Post SUPERAntiSpyware log.