TechSpot

Unknown virus stopping everything from running

By swisstonyholmes
May 18, 2011
  1. Anybody who can help,

    I have a system which boots OK, but when loading into any user profile no antivirus programs load and I'm unable to manually run anything, i.e. .exe files or any programs, without getting the "Open with" menu.

    I have tried to slave the HDD up to another machine and run multiple scans with Malwarebytes, AVG, ESET and Panda online scanners but they find nothing.

    Something seems to be stopping me from running anything to do with virus removal as well, i.e. I can’t run Malwarebytes, AVG or even GMER properly without this virus intervening.

    I have been able to run DDS and have the report shown below if this is any use.

    Any help would be greatly appreciated.

    Thanks in advance,

    Tony.
     
  2. swisstonyholmes

    DDS log part 1


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 19/05/2008 14:57:29
    System Uptime: 18/05/2011 19:44:19 (0 hours ago)
    .
    Motherboard: Gigabyte Technology Co., Ltd. | | K8VM800M
    Processor: AMD Sempron(tm) Processor 2800+ | Socket 754 | 1607/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 75 GiB total, 52.148 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: VIA Rhine II Fast Ethernet Adapter
    Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_E0001458&REV_78\3&13C0B0C5&0&90
    Manufacturer: VIA Technologies, Inc.
    Name: VIA Rhine II Fast Ethernet Adapter #2
    PNP Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_E0001458&REV_78\3&13C0B0C5&0&90
    Service: FET5X86V
    .
    ==== System Restore Points ===================
    .
    RP547: 04/02/2011 19:44:37 - System Checkpoint
    RP548: 07/02/2011 16:48:09 - System Checkpoint
    RP549: 18/02/2011 18:13:33 - System Checkpoint
    RP550: 23/02/2011 17:55:34 - System Checkpoint
    RP551: 25/02/2011 19:16:07 - System Checkpoint
    RP552: 27/02/2011 11:57:55 - System Checkpoint
    RP553: 05/03/2011 12:17:43 - System Checkpoint
    RP554: 06/03/2011 20:17:44 - System Checkpoint
    RP555: 15/03/2011 18:16:58 - Avg Update
    RP556: 15/03/2011 18:19:12 - Avg Update
    RP557: 17/03/2011 19:08:58 - System Checkpoint
    RP558: 20/03/2011 13:32:12 - System Checkpoint
    RP559: 15/04/2011 19:58:10 - System Checkpoint
    RP560: 15/04/2011 20:07:37 - Installed Java(TM) 6 Update 24
    RP561: 15/04/2011 20:20:28 - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    RP562: 15/04/2011 20:21:07 - Installed AVG 2011
    RP563: 15/04/2011 20:23:53 - Removed AVG Free 9.0
    RP564: 15/04/2011 20:28:52 - Installed AVG 2011
    RP565: 15/04/2011 21:33:23 - Software Distribution Service 3.0
    RP566: 16/04/2011 09:25:44 - Software Distribution Service 3.0
    RP567: 16/04/2011 09:52:04 - Software Distribution Service 3.0
    RP568: 17/04/2011 10:20:41 - System Checkpoint
    RP569: 18/04/2011 08:30:45 - Software Distribution Service 3.0
    RP570: 20/04/2011 09:07:31 - Software Distribution Service 3.0
    RP571: 20/04/2011 09:22:57 - Installed FW LiveUpdate
    RP572: 20/04/2011 09:28:18 - Removed FW LiveUpdate
    RP573: 20/04/2011 09:37:32 - Installed DirectX
    RP574: 20/04/2011 09:39:25 - Installed Nero 9 Essentials 4.4.9.0
    RP575: 20/04/2011 10:19:33 - Installed Nero InCD.
    RP576: 21/04/2011 08:43:39 - Software Distribution Service 3.0
    RP577: 21/04/2011 08:48:21 - Stable System
    RP578: 28/04/2011 16:50:04 - Installed Rapport
    RP579: 30/04/2011 18:20:17 - System Checkpoint
    RP580: 18/05/2011 19:30:11 - Restore Operation
    .
    ==== Installed Programs ======================
    .
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Media Player
    Adobe Reader 8.1.2
    Adobe Reader 8.1.2 Security Update 1 (KB403742)
    Advertising Center
    Apple Mobile Device Support
    Apple Software Update
    AVG 2011
    CCleaner
    CCScore
    Coupon Printer
    Critical Update for Windows Media Player 11 (KB959772)
    DolbyFiles
    ESSBrwr
    ESSCDBK
    ESScore
    ESSgui
    ESSini
    ESSPCD
    ESSPDock
    ESSTOOLS
    essvatgt
    fflink
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB932716-v2)
    Hotfix for Windows XP (KB945060-v3)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    ImagXpress
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 24
    kgcbaby
    kgchday
    kgchlwn
    kgcinvt
    kgckids
    kgcmove
    kgcvday
    Kodak EasyShare software
    Lexmark 2200 Series
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Standard Edition 2003
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable - KB2467175
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nero 9 Essentials
    Nero BurnRights
    Nero BurnRights Help
    Nero ControlCenter
    Nero CoverDesigner
    Nero CoverDesigner Help
    Nero DiscSpeed
    Nero DiscSpeed Help
    Nero DriveSpeed
    Nero DriveSpeed Help
    Nero Express Help
    Nero InCD
    Nero InfoTool
    Nero InfoTool Help
    Nero Installer
    Nero Online Upgrade
    Nero PhotoSnap
    Nero PhotoSnap Help
    Nero Recode
    Nero Recode Help
    Nero ShowTime
    Nero StartSmart
    Nero StartSmart Help
    Nero StartSmart OEM
    Nero Vision
    Nero Vision Help
    NeroExpress
    neroxml
    netbrdg
    OfotoXMI
    QuickTime
    Rapport
    Realtek AC'97 Audio
    S3GSetup
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982665)
    SFR
    SHASTA
    skin0001
    SKINXSDK
    staticcr
    tooltips
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Windows (KB971513)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows Internet Explorer 8 (KB971930)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VIA Rhine-Family Fast-Ethernet Adapter
    VIA/S3G Display Driver
    VPRINTOL
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Management Framework Core
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WIRELESS
    .
    ==== Event Viewer Messages From Past Week ========
    .
    18/05/2011 19:54:04, error: Service Control Manager [7016] - The SmartLinkService service has reported an invalid current state 0.
    18/05/2011 19:43:03, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.130.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
    18/05/2011 19:43:03, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.130.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
    18/05/2011 19:43:02, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.130.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
    18/05/2011 19:43:02, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.130.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
    18/05/2011 19:42:43, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.130.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
    18/05/2011 19:09:05, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
    18/05/2011 19:07:48, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdPPM Avgldx86 Avgmfx86 Avgtdix Fips InCDRec IPSec MpFilter MRxSmb NetBIOS NetBT RapportKELL RasAcd Rdbss Tcpip
    18/05/2011 19:07:48, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    18/05/2011 19:07:48, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    18/05/2011 19:07:48, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    18/05/2011 19:07:48, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    18/05/2011 19:07:48, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    18/05/2011 19:07:04, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    11/05/2011 22:53:21, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    11/05/2011 22:52:25, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    11/05/2011 22:52:08, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    11/05/2011 21:14:10, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdPPM Avgldx86 Avgmfx86 Fips InCDRec MpFilter RapportKELL
    11/05/2011 21:03:22, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.130.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
    11/05/2011 21:03:22, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.130.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
    11/05/2011 21:03:22, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.130.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
    11/05/2011 21:03:22, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.130.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
    11/05/2011 21:03:21, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.130.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
    .
    ==== End Of File ===========================



    DDS log part 2



    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Alan at 19:54:00.05 on 18/05/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1215.596 [GMT 1:00]
    .
    AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    ============== Running Processes ===============
    .
    C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Nero\Tools\InCD\InCDSrv.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Documents and Settings\Alan\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mDefault_Page_URL = hxxp://uk.yahoo.com
    mStart Page = hxxp://uk.yahoo.com
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: H - No File
    mURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
    uRun: [tSfkTNduxrPpGPr.exe] c:\docume~1\alan\locals~1\temp\tSfkTNduxrPpGPr.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [Lexmark 2200 Series] "c:\program files\lexmark 2200 series\lxbvbmgr.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [NBHGui] c:\program files\nero\tools\incd\NBHGui.exe
    mRun: [InCD] c:\program files\nero\tools\incd\InCD.exe
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
    mRun: [VTTrayp] VTtrayp.exe
    mRun: [VTTimer] VTTimer.exe
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: {958A1A47-CD7C-4E5E-8F97-067DA0900DAE} = 194.72.9.34,194.72.0.98
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-1-19 32464]
    R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-4-8 53816]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-2-10 296400]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
    R1 MpKsl8363c67c;MpKsl8363c67c;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{91ff1576-442d-465d-975f-e6e70be0893d}\MpKsl8363c67c.sys [2011-5-18 28752]
    R1 MpKsle8ac809a;MpKsle8ac809a;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{91ff1576-442d-465d-975f-e6e70be0893d}\MpKsle8ac809a.sys [2011-5-18 28752]
    R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-3-6 390528]
    R1 RapportCerberus_26169;RapportCerberus_26169;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\26169\RapportCerberus_26169.sys [2011-5-2 57144]
    R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-4-8 66360]
    R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-4-8 158904]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-2-15 7421280]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
    R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\tools\incd\NBHRegInCDSrv.exe [2009-10-16 53560]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-4-8 870200]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-3-30 134480]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]
    .
    =============== Created Last 30 ================
    .
    2011-05-18 18:45:11 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{91ff1576-442d-465d-975f-e6e70be0893d}\MpKsl8363c67c.sys
    2011-05-18 18:32:14 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{91ff1576-442d-465d-975f-e6e70be0893d}\MpKsle8ac809a.sys
    2011-05-18 17:56:52 446464 ----a-w- C:\TFC.exe
    2011-05-18 17:56:52 1407280 ----a-w- C:\TDSSKiller.exe
    2011-05-11 19:50:58 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{91ff1576-442d-465d-975f-e6e70be0893d}\MpKsl21a78748.sys
    2011-04-27 20:41:17 -------- d-----w- c:\docume~1\alan\locals~1\applic~1\Trusteer
    2011-04-20 09:20:02 19096 ----a-w- c:\windows\system32\drivers\InCDRec.sys
    2011-04-20 09:19:59 130200 ----a-w- c:\windows\system32\drivers\InCDFs.sys
    2011-04-20 09:19:43 48280 ----a-w- c:\windows\system32\drivers\InCDPass.sys
    2011-04-20 08:41:30 -------- d-----w- c:\program files\Nero
    2011-04-20 08:40:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\Nero
    2011-04-20 08:08:14 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{91ff1576-442d-465d-975f-e6e70be0893d}\mpengine.dll
    .
    ==================== Find3M ====================
    .
    2011-04-15 19:00:27 0 ----a-w- c:\windows\Nmoyozewa.bin
    2011-03-07 05:33:50 692736 ------w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:37:06 420864 ------w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21:11 1857920 ------w- c:\windows\system32\win32k.sys
    2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-02-22 23:06:29 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-02-22 11:41:59 385024 ------w- c:\windows\system32\html.iec
    2009-04-26 09:31:44 62270256 -c----w- c:\program files\avg8.exe
    2009-01-30 17:18:22 51812984 -c----w- c:\program files\avg.exe
    .
    ============= FINISH: 19:55:28.86 ===============
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Tony, marking a thread Active is done by Broni or myself when we pick up a thread. You're lucky I checked or it would be next week with 'your' active thread!

    Please download randmbam.exe

    It will try to create random names and shortcuts for Malwarebytes Anti Malware(MBAM) if you have it installed already.

    Once done, try running a scan again.
    ===================================
    Part of the AV problem could be because you have 3 different versions of AVG loading:
    AVG v8
    AVG v9
    AVG 2010
    ===================================
    Additionally, you ran these:
    2011-05-18 17:56:52 446464 ----a-w- C:\TFC.exe>> We pulled this from the thread because there have been some problems noted
    2011-05-18 17:56:52 1407280 ----a-w- C:\TDSSKiller.exe>> more trying to fix?

    RP577: 21/04/2011 08:48:21 - Stable System>> What happened after this?
    RP578: 28/04/2011 16:50:04 - Installed Rapport> Why did you install more security?
    RP580: 18/05/2011 19:30:11 - Restore Operation>> System Restore? What had you done previously trying to fix the problem.

    We now follow this: TFC was removed before you ran the program.
    Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply .
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
    .
     
  4. swisstonyholmes

    swisstonyholmes TS Rookie Topic Starter Posts: 98

    Bobbye,

    Firstly sorry for the late response, I’m back on the case now. Secondly sorry again for marking the thread Active for some reason I marked it can’t remember why, but now know for the future.

    I will try running randmbam.exe and let you know the results.

    2011-05-18 17:56:52 446464 ----a-w- C:\TFC.exe>> We pulled this from the thread because there have been some problems noted

    I’ve only run this because I personally see this as a good tool and having seen no problems using it in the past I thought it wouldn’t harm now. Tell me if I’m wrong and why or if you could advise another similar tool that would be great.

    RP577: 21/04/2011 08:48:21 - Stable System>> What happened after this?
    Ok about a month ago this same computer came to me with another fake antivirus tool installed, your colleague Broni helped me disinfect the system which I then passed back to my friend.

    Please check my previous posts if you wish to see the history of the system so far with Broni’s help.

    After disinfecting the system I created a stable system restore point, so as far as I as concerned the system was functioning fine with no problems.


    RP578: 28/04/2011 16:50:04 - Installed Rapport> Why did you install more security?
    A week later I have the computer back again with a similar problem i.e. the one we have here. I have spoken to the owner about installing another duplicate security program, but they have no knowledge of doing so. I can therefore only presume its part of the infection?


    RP580: 18/05/2011 19:30:11 - Restore Operation>> System Restore? What had you done previously trying to fix the problem?
    As you can see one of the programs I had previously run was TDSSKILLER.exe and amongst other things mentioned at the beginning of the post, I tried to see if a system restore would help things, apparently not.

    So after all that I will try your suggestion and post any results I have here ASAP.

    Thanks for your help so far.

    Tony.
     
  5. swisstonyholmes

    swisstonyholmes TS Rookie Topic Starter Posts: 98

    Bobbye,

    Ok story so far, I've tried running randmbam.exe with no success I have included some pictures of the error messages as I can’t even run paint properly to copy and paste them.

    When trying to run the program it wants to again open an "open with" box and refuses to go any further. I have to right click and run as administrator to get the program to do anything.

    Also another concerning thing is that upon turning the system on it now thinks that the hardware has changed and now wants to re-activate windows again?? I can’t understand why this has happened and can only presume it’s all part of what we are trying to fix.

    I now have 3 days in which to activate windows....again!

    I will wait for a response from you before proceeding any further.

    Tony.
     

    Attached Files:

  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    We also ran it because it was a good tool. But it got a glitch in it that was causing programs and/or entries to be removed that should not be, and they couldn't be recovered. So until that is resolved, we pulled it.
    ==========================================
    Here is an alternative Temporary File Cleaner:
    Download ATF-Cleaner by Atribune to your desktop
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt
    .
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

        This will remove all files from the items that are checked so if you have some cookies you'd like to save. please move them to a different directory first.

        Notes for Windows Vista users:

        On Windows Vista the "Windows Temp" option is disabled; to empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".
        Prefetch has been disabled on Windows Vista.
        =====================================
        For Malwarebytes:
        Download it and save to the desktop first
        Once downloaded, then run randmbam
        When it has finished, try the Mbam scan again.

        IF it still won't scan:
        Try renaming the setup file to install.com {right click> rename)
        -or-
        Try installing in safe mode
        =========================================
        Regarding this:


        ==========================================
        There is a rogue program named System Defragmentor running:
        uRun: [tSfkTNduxrPpGPr.exe] c:\docume~1\alan\locals~1\temp\tSfkTNduxrPpGPr.exe

        It should be removed in Malwarebytes.
        It can be removed in HijackThis.
        I can use a script to remove it in Combofix.

        1. Try the new directions to run Mbam.
        2. Follow with Eset online virus scan:
        • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
          ESETOnlineScan
        • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
          [o] Click the ESET Smart Installer download link. Save it to your desktop.
          [o] Double click on the ESET Smart Installer icon on your desktop.
        • Check 'Yes I accept terms of use.'
        • Click Start button
        • Accept any security warnings from your browser.
        • Uncheck 'Remove found threats'
        • Check 'Scan archives'
        • Leave remaining settings as is.
        • Press the Start button.
        • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
        • When the scan completes, press List of found threats
        • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
        • Push the Back button
        • Push Finish

        NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
        =======================================
        Follow with HijackThis:
        Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
        • Click START> then RUN
        • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
          --------------------------------------
          You will have to uninstall AVG to run Combofix:
          Download AppRemover and save to the desktop
          1. Double click the setup on the desktop> click Next
          2. Select “Remove Security Application”
          3. Let scan finish to determine security apps
          4. A screen listing the security applications it found will appear (shown as a screenshot in the original post):
          5. Click on Next after choice has been made
          6. Check the AVG program you want to uninstall
          7. After uninstall shows complete, follow online prompts to Exit the program.

          Temporary AV: Use one:
          Avira-AntiVir-Personal-Free-Antivirus
          Avast Free Version
          =============================
          Note: If Combofix is already on the desktop, please uninstall it and reinstall the current version. Uninstall directions, if needed:
          • Click START> then RUN
          • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
          ------------------------------------------------
          Download Combofix from HERE or HERE and save to the desktop
          • Double click combofix.exe & follow the prompts.
          • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
            **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
          • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
          • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message confirming this (shown as a screenshot in the original post).
          • Click on Yes, to continue scanning for malware
          • If Combofix asks you to update the program, allow it
          • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
          • Close any open browsers.
          • Double click combofix.exe & follow the prompts to run.
          • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
          Re-enable your Antivirus software.
          Notes:
          1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
          2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
          3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
          4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

          Please leave the follow logs in the next reply:
          1. Mbam is able to run
          2. Eset scan
          3. Combofix log
          I do not need a log for the AVG app Remover.
     
  7. swisstonyholmes

    swisstonyholmes TS Rookie Topic Starter Posts: 98

    Bobbye,

    As I mentioned before Windows now wants to activate before letting me log into the machine, should I do this with my original product key or do you have another suggestion?

    As I can't log in I've not tried any of the above mentioned fixes so far, I will wait for your response.

    Tony.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry, internet has been down. If you have the original key for the OS, go ahead with the reactivation.

    As for Combofix:
    NOTE: If, for some reason, Combofix refuses to run, try one of the following:
    1. Run Combofix from Safe Mode.
    2. Delete Combofix file, download fresh one, but rename combofix.exe to
    mcirish.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    3. Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.pif
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following>>>>.

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan.
    • A copy of that log will also be saved in the directory where you ran exeHelper.com
    • Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).

    Rkill instructions
    *************************************
    Once you've gotten one of them to run, immediately run

    mcirish.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.
     
  9. swisstonyholmes

    swisstonyholmes TS Rookie Topic Starter Posts: 98

    Bobbye,

    After re-activating windows all of my scans and installations of applications have been done in safe mode because I can run nothing in normal mode.

    I have attached the required log files for your viewing note that Eset did not find any virus so no log file is included.

    Thanks,

    Tony.

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6748

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    01/06/2011 22:25:02
    mbam-log-2011-06-01 (22-25-02).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 257772
    Time elapsed: 19 minute(s), 26 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    ComboFix 11-06-01.07 - Administrator 02/06/2011 19:21:28.1.1 - x86 NETWORK
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1215.890 [GMT 1:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Alan\Application Data\Elbo
    c:\documents and settings\Alan\Application Data\Elbo\seod.ryx
    c:\documents and settings\Alan\Application Data\Esha
    c:\documents and settings\Alan\Application Data\Esha\ozuv.nex
    c:\documents and settings\Alan\Application Data\Hage
    c:\documents and settings\Alan\Application Data\Hage\fiif.ubf
    c:\documents and settings\Alan\Local Settings\Application Data\{86EAEFBC-B625-4ACC-AF7B-3EA9D5046AE5}
    c:\documents and settings\Alan\Local Settings\Application Data\{86EAEFBC-B625-4ACC-AF7B-3EA9D5046AE5}\chrome.manifest
    c:\documents and settings\Alan\Local Settings\Application Data\{86EAEFBC-B625-4ACC-AF7B-3EA9D5046AE5}\chrome\content\_cfg.js
    c:\documents and settings\Alan\Local Settings\Application Data\{86EAEFBC-B625-4ACC-AF7B-3EA9D5046AE5}\chrome\content\overlay.xul
    c:\documents and settings\Alan\Local Settings\Application Data\{86EAEFBC-B625-4ACC-AF7B-3EA9D5046AE5}\install.rdf
    c:\documents and settings\PAULINE\Application Data\Loofm
    c:\documents and settings\PAULINE\Application Data\Loofm\ehavb.kee
    c:\documents and settings\PAULINE\Local Settings\Application Data\{E1D60807-30A7-420A-8F8B-E3844EBF72B8}
    c:\documents and settings\PAULINE\Local Settings\Application Data\{E1D60807-30A7-420A-8F8B-E3844EBF72B8}\chrome.manifest
    c:\documents and settings\PAULINE\Local Settings\Application Data\{E1D60807-30A7-420A-8F8B-E3844EBF72B8}\chrome\content\_cfg.js
    c:\documents and settings\PAULINE\Local Settings\Application Data\{E1D60807-30A7-420A-8F8B-E3844EBF72B8}\chrome\content\overlay.xul
    c:\documents and settings\PAULINE\Local Settings\Application Data\{E1D60807-30A7-420A-8F8B-E3844EBF72B8}\install.rdf
    C:\Microsoft
    c:\microsoft\Protect\CREDHIST
    c:\windows\system\oeminfo.ini
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-02 to 2011-06-02 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-02 18:13 . 2011-06-02 18:13 -------- d-----w- c:\program files\Avira
    2011-06-02 18:13 . 2011-06-02 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-06-02 18:13 . 2011-04-01 16:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-06-02 18:13 . 2011-04-01 16:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-06-02 18:13 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-06-02 18:13 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-06-01 21:32 . 2011-06-01 21:32 -------- d-----w- c:\windows\LastGood
    2011-06-01 21:32 . 2011-06-01 21:32 -------- d-----w- c:\program files\ESET
    2011-06-01 21:25 . 2011-06-02 05:34 -------- d-----w- C:\01 06 11
    2011-06-01 20:59 . 2011-06-01 20:58 9435312 ----a-w- C:\mbam-setup-1.51.0.1200.exe
    2011-06-01 20:59 . 2011-05-25 21:32 222714 ----a-w- C:\randmbam.exe
    2011-05-18 17:56 . 2011-05-18 17:55 1407280 ----a-w- C:\TDSSKiller.exe
    2011-05-18 17:56 . 2011-05-17 21:23 446464 ----a-w- C:\TFC.exe
    2011-05-11 20:12 . 2011-06-01 21:26 -------- d-----w- c:\documents and settings\Administrator
    2011-05-11 19:50 . 2011-05-11 19:50 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91FF1576-442D-465D-975F-E6E70BE0893D}\MpKsl21a78748.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-29 08:11 . 2011-04-15 19:10 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-29 08:11 . 2011-04-15 19:10 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-14 15:30 . 2011-04-16 08:38 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-04-11 07:04 . 2011-04-20 08:08 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91FF1576-442D-465D-975F-E6E70BE0893D}\mpengine.dll
    2011-04-08 09:17 . 2011-04-08 09:17 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2011-03-08 08:22 . 2004-12-16 12:36 48128 ----a-w- c:\windows\system32\drivers\fetnd5bv.sys
    2011-03-07 05:33 . 2008-05-19 13:51 692736 ------w- c:\windows\system32\inetcomm.dll
    2009-04-26 09:31 . 2009-04-26 09:31 62270256 -c----w- c:\program files\avg8.exe
    2009-01-30 17:18 . 2009-01-30 17:18 51812984 -c----w- c:\program files\avg.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
    @="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
    [HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
    2009-10-16 09:44 97072 ----a-w- c:\program files\Nero\Tools\InCD\NBHshx.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
    "Lexmark 2200 Series"="c:\program files\Lexmark 2200 Series\lxbvbmgr.exe" [2004-02-13 57344]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "NBHGui"="c:\program files\Nero\Tools\InCD\NBHGui.exe" [2009-10-16 1600816]
    "InCD"="c:\program files\Nero\Tools\InCD\InCD.exe" [2009-10-16 1060136]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-29 1047656]
    "VTTimer"="VTTimer.exe" [2004-10-22 53248]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    "LexPPS.exe"="c:\windows\system32\lexpps.exe" [2004-01-14 174592]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
    openURL.vbs [2011-6-2 271]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2008-06-02 10:13 267048 ------w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\LEXPPS.EXE"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    .
    S0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [08/04/2011 10:17 53816]
    S1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [06/03/2010 17:05 390528]
    S1 RapportCerberus_26169;RapportCerberus_26169;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys [02/05/2011 18:11 57144]
    S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [08/04/2011 10:17 66360]
    S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [08/04/2011 10:17 158904]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [02/06/2011 19:13 136360]
    S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Tools\InCD\NBHRegInCDSrv.exe [16/10/2009 10:44 53560]
    S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [08/04/2011 10:17 870200]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [28/02/2006 13:00 14336]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - ANTIVIRSERVICE
    *NewlyCreated* - AVGNTFLT
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-02 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 11:26]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://uk.yahoo.com
    TCP: Interfaces\{958A1A47-CD7C-4E5E-8F97-067DA0900DAE}: NameServer = 194.72.9.34,194.72.0.98
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-VTTrayp - VTtrayp.exe
    MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-02 19:25
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1708537768-1390067357-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,91,b0,48,49,0b,d9,4e,80,3a,bb,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,91,b0,48,49,0b,d9,4e,80,3a,bb,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(580)
    c:\windows\system32\l3codeca.acm
    .
    Completion time: 2011-06-02 19:27:40
    ComboFix-quarantined-files.txt 2011-06-02 18:27
    .
    Pre-Run: 56,189,702,144 bytes free
    Post-Run: 56,247,771,136 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
    .
    - - End Of File - - 8A9B92B841A75884885198FFC2AB8523
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I think that whoever owns this computer is doing more than you are aware of. Is this the prior work on this system you referred to? http://www.techspot.com/vb/topic162314.html

    If it is, the user is going right back with outdated or insufficient security. I see things now not getting done. And upon reviewing this:
    I'm wondering what 'hardware' is causing this. And if this has a legitimate copy of the OS on it, it makes no sense at all that on reactivating, it won't run in Normal Mode!
    ================================
    This is curious: the winlogon.exe shows this:
    ===================================
    Please decide whether you want to run MSE or Avira. Uninstall the one you don't want to use. They are both running now. It doesn't matter that one is outdated and disabled. They are both loading:
    AV: AntiVir Desktop *Disabled/Outdated*
    AV: Microsoft Security Essentials
    =======================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    C:\TDSSKiller.exe
    C:\TFC.exe
    C:\mbam-setup-1.51.0.1200.exe
    c:\program files\avg8.exe
    c:\program files\avg.exe
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    "FirewallOverride"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"=-
    RegLock::
    [HKEY_USERS\S-1-5-21-1708537768-1390067357-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    What is this? I don't want to open it and have a gazillion files fall out! 2011-06-02 05:34 -------- d-----w- C:\01 06 11

    When you finish with this, try booting into Normal Mode.
     
  11. swisstonyholmes

    swisstonyholmes TS Rookie Topic Starter Posts: 98

    Bobbye,

    You are correct that the topic you mentioned in your last post was indeed the same computer. I have spoken to the user and, since completing the last topic with Broni and giving it back to the user working and clean, they are telling me that they have not installed any security software or modified any settings. There are, however, multiple family users of this computer, and that's not to say that someone else may not have modified something.

    As far as I’m aware this computer came from a legitimate store and the user has had no previous encounters of having to re-activate windows until now.

    There may be some confusion over my description of "Normal Mode". I have had to run all programs in Safe Mode, because through the normal logon process, i.e. not in Safe Mode or any other diagnostic mode, I'm unable to run any programs at all without an "Open With" box popping up when I double-click on any icon on the desktop.

    I will uninstall MSE and for now use AVIRA, but I would however like to go back to the latest free version of AVG when we are done.

    C:\01 06 11 is a folder I created to put the up to date log files I have been creating for you.

    After completing the run of your latest script file, starting off in Safe Mode, I let the computer restart in Normal Mode. This logged in OK and seemed to start up the usual tasks in the bottom right-hand corner of the task bar, which is the first time I've seen this happen so far.

    Shown below is the new log file.

    Thanks,

    Tony.

    ComboFix 11-06-01.07 - Administrator 03/06/2011 0:01.2.1 - x86 NETWORK
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1215.934 [GMT 1:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    FILE ::
    "C:\mbam-setup-1.51.0.1200.exe"
    "c:\program files\avg.exe"
    "c:\program files\avg8.exe"
    "C:\TDSSKiller.exe"
    "C:\TFC.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\mbam-setup-1.51.0.1200.exe
    c:\program files\avg.exe
    c:\program files\avg8.exe
    C:\TDSSKiller.exe
    C:\TFC.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-02 to 2011-06-02 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-02 23:08 . 2011-06-02 23:08 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91FF1576-442D-465D-975F-E6E70BE0893D}\MpKsl4b91ceab.sys
    2011-06-02 18:13 . 2011-06-02 18:13 -------- d-----w- c:\program files\Avira
    2011-06-02 18:13 . 2011-06-02 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-06-02 18:13 . 2011-04-01 16:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-06-02 18:13 . 2011-04-01 16:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-06-02 18:13 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-06-02 18:13 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-06-01 21:32 . 2011-06-01 21:32 -------- d-----w- c:\program files\ESET
    2011-06-01 21:25 . 2011-06-02 18:28 -------- d-----w- C:\01 06 11
    2011-06-01 20:59 . 2011-05-25 21:32 222714 ----a-w- C:\randmbam.exe
    2011-05-11 20:12 . 2011-06-01 21:26 -------- d-----w- c:\documents and settings\Administrator
    2011-05-11 19:50 . 2011-05-11 19:50 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91FF1576-442D-465D-975F-E6E70BE0893D}\MpKsl21a78748.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-29 08:11 . 2011-04-15 19:10 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-29 08:11 . 2011-04-15 19:10 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-14 15:30 . 2011-04-16 08:38 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-04-11 07:04 . 2011-04-20 08:08 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91FF1576-442D-465D-975F-E6E70BE0893D}\mpengine.dll
    2011-04-08 09:17 . 2011-04-08 09:17 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2011-03-08 08:22 . 2004-12-16 12:36 48128 ----a-w- c:\windows\system32\drivers\fetnd5bv.sys
    2011-03-07 05:33 . 2008-05-19 13:51 692736 ------w- c:\windows\system32\inetcomm.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
    @="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
    [HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
    2009-10-16 09:44 97072 ----a-w- c:\program files\Nero\Tools\InCD\NBHshx.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
    "Lexmark 2200 Series"="c:\program files\Lexmark 2200 Series\lxbvbmgr.exe" [2004-02-13 57344]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "NBHGui"="c:\program files\Nero\Tools\InCD\NBHGui.exe" [2009-10-16 1600816]
    "InCD"="c:\program files\Nero\Tools\InCD\InCD.exe" [2009-10-16 1060136]
    "VTTimer"="VTTimer.exe" [2004-10-22 53248]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Taskman"=""
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2008-06-02 10:13 267048 ------w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "FirewallOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\LEXPPS.EXE"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    .
    R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [08/04/2011 10:17 53816]
    R1 MpKsl4b91ceab;MpKsl4b91ceab;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91FF1576-442D-465D-975F-E6E70BE0893D}\MpKsl4b91ceab.sys [03/06/2011 00:08 28752]
    R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [06/03/2010 17:05 390528]
    R1 RapportCerberus_26169;RapportCerberus_26169;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys [02/05/2011 18:11 57144]
    R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [08/04/2011 10:17 66360]
    R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [08/04/2011 10:17 158904]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [02/06/2011 19:13 136360]
    R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Tools\InCD\NBHRegInCDSrv.exe [16/10/2009 10:44 53560]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [08/04/2011 10:17 870200]
    S3 CFcatchme;CFcatchme;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\CFcatchme.sys [?]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [28/02/2006 13:00 14336]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSL4B91CEAB
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4163f87f-25ac-11dd-92c3-0014851fb060}]
    \Shell\AutoRun\command - E:\support.bat
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{adcc9d45-25b7-11dd-92c6-0014851fb060}]
    \Shell\AutoRun\command - E:\support.bat
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-02 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 11:26]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://uk.yahoo.com
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: Interfaces\{958A1A47-CD7C-4E5E-8F97-067DA0900DAE}: NameServer = 194.72.9.34,194.72.0.98
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    HKCU-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
    HKCU-Run-tSfkTNduxrPpGPr.exe - c:\docume~1\Alan\LOCALS~1\Temp\tSfkTNduxrPpGPr.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-03 00:13
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(7488)
    c:\windows\system32\WININET.dll
    c:\program files\Nero\Tools\InCD\NBHshx.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_179798c8\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
    c:\program files\Nero\Tools\InCD\InCDSrv.exe
    c:\windows\system32\LEXBCES.EXE
    c:\windows\system32\LEXPPS.EXE
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    c:\windows\SOUNDMAN.EXE
    c:\program files\Lexmark 2200 Series\lxbvbmon.exe
    c:\windows\system32\VTTimer.exe
    .
    **************************************************************************
    .
    Completion time: 2011-06-03 00:19:01 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-06-02 23:18
    ComboFix2.txt 2011-06-02 18:27
    .
    Pre-Run: 56,256,282,624 bytes free
    Post-Run: 55,856,316,416 bytes free
    .
    - - End Of File - - 9B5B32FC7C549F4B4AC1A8A90A2DD79A
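    The CFScript in post 10 and the ComboFix log above show the registry points that were weakened or hijacked on this machine: a non-default Winlogon `Taskman` value, Security Center `FirewallOverride` set, the Windows Firewall standard profile with `EnableFirewall` = 0, cached `mountpoints2` AutoRun commands from removable media, and an orphaned Run entry launching from a user's Temp directory. The script below is an added example, not code from the thread, from ComboFix or from TechSpot: it parses ComboFix-style "Reg Loading Points" lines, flags those conditions, and renders the ones that are plain value deletions in the same `Registry::` / `"name"=-` CFScript syntax the helper used. The sample log is a constructed excerpt of the log above; the names `audit`, `to_cfscript`, `Finding` and the detection rules are this example's own.

```python
"""Audit ComboFix 'Reg Loading Points' lines for the weakening and persistence
entries seen in the thread's logs and emit CFScript deletions for them.
Added example; not ComboFix's own code and not from the original thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a condensed excerpt of entries from the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4163f87f-25ac-11dd-92c3-0014851fb060}]
\Shell\AutoRun\command - E:\support.bat
.
HKCU-Run-tSfkTNduxrPpGPr.exe - c:\docume~1\Alan\LOCALS~1\Temp\tSfkTNduxrPpGPr.exe
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                       # [HKEY_...\subkey]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')            # "name"=value [date size]
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command - (.+)$')
ORPHAN_RUN_RE = re.compile(r'^(HKCU|HKLM)-Run-(\S+) - (.+)$')  # "ORPHANS REMOVED" lines
TEMP_PATTERNS = ('\\temp\\', 'locals~1\\temp')           # launch paths that should never autostart


@dataclass
class Finding:
    key: str
    name: str
    value: str
    reason: str
    cfscript_delete: bool  # remediation expressible as "name"=- in a CFScript Registry:: stanza


def parse_dword(raw: str) -> Optional[int]:
    """ComboFix prints DWORDs either as dword:00000001 or as '0 (0x0)'."""
    m = re.match(r'dword:([0-9a-fA-F]{8})', raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'(\d+)\s*\(0x[0-9a-fA-F]+\)', raw)
    return int(m.group(1)) if m else None


def audit(log_text: str) -> List[Finding]:
    """Walk the log once, tracking the current [key], and apply the rules."""
    findings: List[Finding] = []
    key = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        lkey = key.lower()
        m = VALUE_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            lname = name.lower()
            if lkey.endswith('\\winlogon') and lname == 'taskman':
                findings.append(Finding(key, name, value,
                    'Winlogon Taskman is absent on a default install; it is an autostart point', True))
            elif lkey.endswith('\\security center') and lname in ('antivirusoverride', 'firewalloverride') \
                    and parse_dword(value) == 1:
                findings.append(Finding(key, name, value,
                    'Security Center override set: no warning when AV/firewall is off', True))
            elif lkey.endswith('\\standardprofile') and lname == 'enablefirewall' and parse_dword(value) == 0:
                findings.append(Finding(key, name, value,
                    'Windows Firewall disabled in the standard profile (set back to 1, not deleted)', False))
            elif lkey.endswith('\\run') and any(p in value.lower() for p in TEMP_PATTERNS):
                findings.append(Finding(key, name, value,
                    'Run entry launches an executable from a Temp directory', True))
            continue
        m = AUTORUN_RE.match(line)
        if m and 'mountpoints2' in lkey:
            findings.append(Finding(key, 'AutoRun\\command', m.group(1),
                'AutoRun command cached from a removable device autorun.inf', False))
            continue
        m = ORPHAN_RUN_RE.match(line)
        if m and any(p in m.group(3).lower() for p in TEMP_PATTERNS):
            findings.append(Finding(m.group(1) + '\\...\\Run', m.group(2), m.group(3),
                'Orphaned Run entry pointed into a Temp directory (already removed by ComboFix)', False))
    return findings


def to_cfscript(findings: List[Finding]) -> str:
    """Render the deletable findings in the CFScript 'Registry::' syntax from post 10."""
    by_key: Dict[str, List[str]] = {}
    for f in findings:
        if f.cfscript_delete:
            by_key.setdefault(f.key, []).append(f.name)
    lines = ['Registry::']
    for key, names in by_key.items():
        lines.append(f'[{key}]')
        lines.extend(f'"{n}"=-' for n in names)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f'{f.key}\n    {f.name} = {f.value}\n    -> {f.reason}')
    print(to_cfscript(results))
```

    To use it on a real case, read a saved C:\ComboFix.txt into `audit()` instead of `SAMPLE_LOG`. The Temp-path and override rules are deliberately narrow so that the legitimate Run entries in the same log (Avira's avgnt, SoundMan) are not flagged, and `EnableFirewall` is reported but not emitted as a deletion because the fix there is to set it back to 1, not to remove the value.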
     
  12. swisstonyholmes

    swisstonyholmes TS Rookie Topic Starter Posts: 98

    Bobbye,

    From the outside the system looks fine I now have access to all programs as usual everything seems to function and look as normal.

    I've also run up Malwarebytes which now starts fine I could run another scan if you want?

    I will wait for further instructions.

    Thanks,

    Tony.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    This is your choice, but I do not advise going back to AVG. You have better security with either Avira or Avast. I would encourage you to install a firewall also:
    Free and good: Use only one:
    Comodo
    Zone Alarm
    I thought it was something like that. No problem.
    ===================================================
    I don't understand what you mean by this:
    Do you mean the problems have been resolved?
     
  14. swisstonyholmes

    swisstonyholmes TS Rookie Topic Starter Posts: 98

    Bobbye,

    Why would you not recommend AVG? I have used this for years now on my own computer with no problems.

    I have now installed Zone Alarm as my firewall.

    Everything now looks ok with the system I'm now running the usual scans and windows updates before returning the computer to its owner......again!

    Are there any more scans you wish me to complete? If I find anything during these scans I'm doing now I will post under this message.

    Thanks for your help so far,

    Tony.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    1. AVG misses much malware.
    2. AVG doesn't quarantine much of the malware it finds.
    3. AVG frequently finds only Tracking Cookies.
    4. AVG has released numerous wrong updates causing users to get False Positive Win32Heur notices.
    5. AVG has not left any way to disable it to run a security scan- such as Combofix. This makes it necessary to uninstall it entirely.
    6. IMO, there are much better AV programs than AVG.
    ============================================
    One entry to remove:
    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Taskman"=-
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    Please update and rescan with the Eset Online Virus scan.

    After I check that, I will have you remove the cleaning tools and then close this thread now since the problems have been resolved.
     
  16. swisstonyholmes

    swisstonyholmes TS Rookie Topic Starter Posts: 98

    Bobbye,

    New log files shown below for your viewing, please note that Eset did not find any problems although Avira did.

    On a side note, what would you recommend to replace AVG with regards to a free anti-virus program?

    Thanks,

    Tony.

    ComboFix 11-06-03.02 - Alan 03/06/2011 23:05:38.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1215.714 [GMT 1:00]
    Running from: c:\documents and settings\Alan\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Alan\Desktop\CFScript.txt.txt
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-03 to 2011-06-03 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-03 09:50 . 2011-06-03 11:10 -------- d-----w- c:\windows\system32\NtmsData
    2011-06-03 09:40 . 2011-06-03 09:40 -------- d-----w- c:\windows\LastGood
    2011-06-03 09:01 . 2011-06-03 09:01 -------- d-----w- c:\documents and settings\Alan\Application Data\CheckPoint
    2011-06-03 08:59 . 2011-06-03 22:09 -------- d-----w- c:\windows\Internet Logs
    2011-06-02 23:22 . 2011-06-02 23:22 -------- d-----w- c:\documents and settings\Alan\Application Data\Avira
    2011-06-02 18:13 . 2011-06-02 18:13 -------- d-----w- c:\program files\Avira
    2011-06-02 18:13 . 2011-06-02 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-06-02 18:13 . 2011-04-01 16:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-06-02 18:13 . 2011-04-01 16:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-06-02 18:13 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-06-02 18:13 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-06-01 21:32 . 2011-06-01 21:32 -------- d-----w- c:\program files\ESET
    2011-06-01 21:25 . 2011-06-02 23:22 -------- d-----w- C:\01 06 11
    2011-06-01 20:59 . 2011-05-25 21:32 222714 ----a-w- C:\randmbam.exe
    2011-05-11 20:12 . 2011-06-01 21:26 -------- d-----w- c:\documents and settings\Administrator
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-29 08:11 . 2011-04-15 19:10 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-29 08:11 . 2011-04-15 19:10 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-01 06:37 . 2004-12-16 12:36 48128 ----a-w- c:\windows\system32\drivers\fetnd5bv.sys
    2011-03-07 05:33 . 2008-05-19 13:51 692736 ------w- c:\windows\system32\inetcomm.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-06-02_18.25.58 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-06-03 09:04 . 2011-06-03 09:04 16384 c:\windows\temp\Perflib_Perfdata_7c0.dat
    + 2011-06-03 09:00 . 2011-03-18 00:24 99328 c:\windows\system32\ZoneLabs\zlquarantine.dll
    + 2011-06-03 09:00 . 2011-03-18 00:24 70656 c:\windows\system32\ZoneLabs\zatray.exe
    + 2011-06-03 09:00 . 2011-03-18 00:25 21504 c:\windows\system32\ZoneLabs\lib\zsys.zip.dll
    + 2011-06-03 09:00 . 2011-03-18 00:25 14336 c:\windows\system32\ZoneLabs\lib\zmenu.zip.dll
    + 2011-06-03 09:00 . 2011-03-18 00:25 48640 c:\windows\system32\ZoneLabs\lib\zfde.zip.dll
    + 2011-06-03 09:00 . 2011-03-18 00:25 85504 c:\windows\system32\ZoneLabs\lib\ZAlert.zip.dll
    + 2011-06-03 09:00 . 2011-03-18 00:25 37376 c:\windows\system32\ZoneLabs\lib\UpdateUI.zip.dll
    + 2011-06-03 09:00 . 2011-03-18 00:25 12800 c:\windows\system32\ZoneLabs\lib\oem_1488.zip.dll
    + 2011-06-03 09:00 . 2011-03-18 00:25 12800 c:\windows\system32\ZoneLabs\lib\oem_1487.zip.dll
    + 2011-06-03 09:00 . 2011-03-18 00:25 12800 c:\windows\system32\ZoneLabs\lib\oem_1486.zip.dll
    + 2011-06-03 09:00 . 2011-03-18 00:25 20992 c:\windows\system32\ZoneLabs\lib\oem_1466.zip.dll
    + 2011-06-03 09:00 . 2011-03-18 00:25 12800 c:\windows\system32\ZoneLabs\lib\oem_1460.zip.dll
    + 2011-06-03 09:00 . 2011-03-18 00:25 10240 c:\windows\system32\ZoneLabs\lib\oem_1454.zip.dll
    + 2011-06-03 09:00 . 2011-03-18 00:25 11264 c:\windows\system32\ZoneLabs\lib\oem_1445.zip.dll
    + 2011-06-03 09:00 . 2011-03-18 00:25 14336 c:\windows\system32\ZoneLabs\lib\oem_1440.zip.dll
    + 2011-06-03 09:00 . 2011-03-18 00:25 12288 c:\windows\system32\ZoneLabs\lib\oem_1413.zip.dll
    + 2011-06-03 09:00 . 2011-03-18 00:24 11264 c:\windows\system32\ZoneLabs\lib\oem_1010.zip.dll
    + 2011-06-03 09:00 . 2011-03-18 00:24 29184 c:\windows\system32\ZoneLabs\lib\NavBar.zip.dll
    + 2011-06-03 09:00 . 2011-03-18 00:24 13312 c:\windows\system32\ZoneLabs\lib\MainLoop.zip.dll
    + 2011-06-03 09:00 . 2011-03-18 00:24 35840 c:\windows\system32\ZoneLabs\lib\Alert.zip.dll
    + 2011-06-03 09:00 . 2011-03-18 00:24 38912 c:\windows\system32\ZoneLabs\featuremap.dll
    + 2011-06-03 09:00 . 2011-03-18 00:24 75776 c:\windows\system32\ZoneLabs\camupd.dll
    + 2011-06-03 09:00 . 2011-03-18 00:24 69120 c:\windows\system32\zlcomm.dll
    + 2011-06-03 09:00 . 2011-03-18 00:24 43008 c:\windows\system32\vswmi.dll
    + 2011-06-03 09:00 . 2011-03-18 00:24 58368 c:\windows\system32\vsregexp.dll
    + 2011-06-03 09:40 . 2006-10-27 07:26 69632 c:\windows\system32\ReinstallBackups\0001\DriverFiles\vuins32.dll
    + 2011-06-03 09:40 . 2011-03-08 08:22 48128 c:\windows\system32\ReinstallBackups\0001\DriverFiles\fetnd5bv.sys
    + 2006-02-28 12:00 . 2011-06-03 09:41 71962 c:\windows\system32\perfc009.dat
    - 2006-02-28 12:00 . 2011-05-18 19:16 71962 c:\windows\system32\perfc009.dat
    + 2011-06-03 09:40 . 2006-10-27 07:26 69632 c:\windows\LastGood\system32\vuins32.dll
    + 2011-06-03 09:40 . 2011-03-08 08:22 48128 c:\windows\LastGood\system32\DRIVERS\fetnd5bv.sys
    + 2008-11-14 21:21 . 2011-06-03 08:47 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    - 2008-11-14 21:21 . 2011-04-15 21:39 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    + 2008-11-14 21:21 . 2011-06-03 08:47 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    - 2008-11-14 21:21 . 2011-04-15 21:39 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    - 2008-11-14 21:21 . 2011-04-15 21:39 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    + 2008-11-14 21:21 . 2011-06-03 08:47 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    + 2008-11-14 21:21 . 2011-06-03 08:47 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    - 2008-11-14 21:21 . 2011-04-15 21:39 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    + 2011-06-03 09:00 . 2011-06-03 09:00 4212 c:\windows\system32\zllictbl.dat
    - 2008-11-14 21:21 . 2011-04-15 21:39 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    + 2008-11-14 21:21 . 2011-06-03 08:47 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    + 2011-06-03 09:00 . 2011-03-18 00:24 141824 c:\windows\system32\ZoneLabs\zlupdate.dll
    + 2011-06-03 09:00 . 2011-03-18 00:24 173056 c:\windows\system32\ZoneLabs\vsvault.dll
    + 2011-06-03 08:59 . 2011-03-18 00:24 211456 c:\windows\system32\ZoneLabs\vsdb.dll
    + 2011-06-03 09:00 . 2007-10-11 15:51 832984 c:\windows\system32\ZoneLabs\updating.dll
    + 2011-06-03 09:00 . 2011-03-18 00:24 434688 c:\windows\system32\ZoneLabs\ssleay32.dll
    + 2011-06-03 09:00 . 2011-03-18 00:24 135680 c:\windows\system32\ZoneLabs\scheduler.dll
    + 2011-06-03 09:00 . 2009-07-13 22:58 722392 c:\windows\system32\ZoneLabs\qrbase.dll
    + 2011-06-03 09:00 . 2011-03-18 00:25 126976 c:\windows\system32\ZoneLabs\lib\zui.zip.dll
    + 2011-06-03 09:00 . 2011-03-18 00:25 280064 c:\windows\system32\ZoneLabs\lib\TrayTest.zip.dll
    + 2011-06-03 09:00 . 2011-03-18 00:25 225792 c:\windows\system32\ZoneLabs\lib\Overview.zip.dll
    + 2011-06-03 09:00 . 2011-03-18 00:24 368640 c:\windows\system32\ZoneLabs\lib\LicenseUI.zip.dll
    + 2011-06-03 09:00 . 2011-03-18 00:24 184832 c:\windows\system32\ZoneLabs\lib\DashBoard.zip.dll
    + 2011-06-03 09:00 . 2011-03-18 00:24 375296 c:\windows\system32\ZoneLabs\lib\ConfigWizard.zip.dll
    + 2011-06-03 08:59 . 2010-02-08 07:41 595432 c:\windows\system32\ZoneLabs\icslta.dll
    + 2011-06-03 09:01 . 2010-11-08 17:58 284136 c:\windows\system32\ZoneLabs\ffapi.dll
    + 2011-06-03 09:00 . 2011-03-18 00:24 169984 c:\windows\system32\ZoneLabs\fbl.dll
    + 2011-06-03 09:00 . 2008-03-17 15:52 813568 c:\windows\system32\ZoneLabs\dbghelp.dll
    + 2011-06-03 09:00 . 2011-03-18 00:24 104448 c:\windows\system32\zlcommdb.dll
    + 2011-06-03 09:00 . 2011-03-18 00:24 110080 c:\windows\system32\vsxml.dll
    + 2011-06-03 08:59 . 2011-03-18 00:24 715264 c:\windows\system32\vsutil.dll
    + 2011-06-03 09:00 . 2011-03-18 00:24 302592 c:\windows\system32\vspubapi.dll
    + 2011-06-03 09:00 . 2011-03-18 00:24 108032 c:\windows\system32\vsmonapi.dll
    + 2011-06-03 08:59 . 2011-03-18 00:24 228864 c:\windows\system32\vsinit.dll
    + 2011-06-03 09:00 . 2010-05-13 09:02 532224 c:\windows\system32\vsdatant.sys
    + 2011-06-03 08:59 . 2011-03-18 00:24 112128 c:\windows\system32\vsdata.dll
    + 2011-06-03 09:40 . 2006-11-01 22:21 319456 c:\windows\system32\ReinstallBackups\0001\DriverFiles\difxapi.dll
    - 2006-02-28 12:00 . 2011-05-18 19:16 443896 c:\windows\system32\perfh009.dat
    + 2006-02-28 12:00 . 2011-06-03 09:41 443896 c:\windows\system32\perfh009.dat
    + 2011-06-03 09:40 . 2006-11-01 22:21 319456 c:\windows\LastGood\system32\difxapi.dll
    + 2008-11-14 21:21 . 2011-06-03 08:47 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    - 2008-11-14 21:21 . 2011-04-15 21:39 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    - 2008-11-14 21:21 . 2011-04-15 21:39 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    + 2008-11-14 21:21 . 2011-06-03 08:47 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    + 2008-11-14 21:21 . 2011-06-03 08:47 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    - 2008-11-14 21:21 . 2011-04-15 21:39 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    - 2008-11-14 21:21 . 2011-04-15 21:39 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    + 2008-11-14 21:21 . 2011-06-03 08:47 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    - 2008-11-14 21:21 . 2011-04-15 21:39 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
    + 2008-11-14 21:21 . 2011-06-03 08:47 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
    + 2011-06-03 09:00 . 2011-03-18 00:24 1238528 c:\windows\system32\zpeng25.dll
    + 2011-06-03 09:00 . 2011-03-18 00:24 1790464 c:\windows\system32\ZoneLabs\vsruledb.dll
    + 2011-06-03 09:00 . 2011-03-18 00:26 2435592 c:\windows\system32\ZoneLabs\vsmon.exe
    + 2011-06-03 09:00 . 2011-03-18 00:25 1536512 c:\windows\system32\ZoneLabs\lib\zpy.zip.dll
    + 2011-04-27 10:14 . 2011-04-27 10:14 5520384 c:\windows\Installer\d87e.msp
    + 2011-04-29 12:04 . 2011-04-29 12:04 5053440 c:\windows\Installer\d86c.msp
    + 2008-05-19 15:30 . 2011-04-29 10:29 42829768 c:\windows\system32\MRT.exe
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    2011-05-09 09:49 176936 ----a-w- c:\program files\ZoneAlarm_Security\prxtbZone.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
    @="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
    [HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
    2009-10-16 09:44 97072 ----a-w- c:\program files\Nero\Tools\InCD\NBHshx.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
    "Lexmark 2200 Series"="c:\program files\Lexmark 2200 Series\lxbvbmgr.exe" [2004-02-13 57344]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "NBHGui"="c:\program files\Nero\Tools\InCD\NBHGui.exe" [2009-10-16 1600816]
    "InCD"="c:\program files\Nero\Tools\InCD\InCD.exe" [2009-10-16 1060136]
    "VTTimer"="VTTimer.exe" [2004-10-22 53248]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2011-03-18 1043968]
    "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-02-15 738808]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2008-06-02 10:13 267048 ------w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "FirewallOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\LEXPPS.EXE"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
    .
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [02/06/2011 19:13 136360]
    R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [15/02/2011 16:25 26872]
    R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [15/02/2011 16:25 488952]
    R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Tools\InCD\NBHRegInCDSrv.exe [16/10/2009 10:44 53560]
    S1 RapportBuka;RapportBuka;\??\c:\windows\system32\drivers\RapportBuka.sys --> c:\windows\system32\drivers\RapportBuka.sys [?]
    S3 CFcatchme;CFcatchme;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\CFcatchme.sys [?]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [28/02/2006 13:00 14336]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - NTMSSVC
    *NewlyCreated* - SWPRV
    *NewlyCreated* - VSMON
    *NewlyCreated* - VSS
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://uk.yahoo.com
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: Interfaces\{958A1A47-CD7C-4E5E-8F97-067DA0900DAE}: NameServer = 194.72.9.34,194.72.0.98
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-03 23:11
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(684)
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
    .
    - - - - - - - > 'lsass.exe'(740)
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
    .
    - - - - - - - > 'explorer.exe'(2336)
    c:\windows\system32\WININET.dll
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_179798c8\MSVCR80.dll
    c:\program files\Nero\Tools\InCD\NBHshx.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-06-03 23:13:33
    ComboFix-quarantined-files.txt 2011-06-03 22:13
    ComboFix2.txt 2011-06-02 23:19
    ComboFix3.txt 2011-06-02 18:27
    .
    Pre-Run: 55,888,941,056 bytes free
    Post-Run: 55,891,496,960 bytes free
    .
    - - End Of File - - BAA5B3755FE882D3003AC2D6182AD1C4




    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6758

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    03/06/2011 11:19:32
    mbam-log-2011-06-03 (11-19-32).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 261234
    Time elapsed: 43 minute(s), 27 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)






    Avira AntiVir Personal
    Report file date: 03 June 2011 11:28

    Scanning for 2710957 virus strains and unwanted programs.

    The program is running as an unrestricted full version.
    Online services are available:

    Licensee : Avira AntiVir Personal - FREE Antivirus
    Serial number : 0000149996-ADJIE-0000001
    Platform : Windows XP
    Windows version : (Service Pack 3) [5.1.2600]
    Boot mode : Normally booted
    Username : SYSTEM
    Computer name : ALAN-2CB3E130BF

    Version information:
    BUILD.DAT : 10.0.0.648 31823 Bytes 01/04/2011 18:36:00
    AVSCAN.EXE : 10.0.4.2 442024 Bytes 01/04/2011 16:07:43
    AVSCAN.DLL : 10.0.3.0 46440 Bytes 01/04/2011 16:07:57
    LUKE.DLL : 10.0.3.2 104296 Bytes 01/04/2011 16:07:53
    LUKERES.DLL : 10.0.0.1 12648 Bytes 10/02/2010 23:40:49
    VBASE000.VDF : 7.10.0.0 19875328 Bytes 06/11/2009 09:05:36
    VBASE001.VDF : 7.11.0.0 13342208 Bytes 14/12/2010 15:15:47
    VBASE002.VDF : 7.11.3.0 1950720 Bytes 09/02/2011 15:15:47
    VBASE003.VDF : 7.11.5.225 1980416 Bytes 07/04/2011 23:10:27
    VBASE004.VDF : 7.11.8.178 2354176 Bytes 31/05/2011 23:10:35
    VBASE005.VDF : 7.11.8.179 2048 Bytes 31/05/2011 23:10:35
    VBASE006.VDF : 7.11.8.180 2048 Bytes 31/05/2011 23:10:35
    VBASE007.VDF : 7.11.8.181 2048 Bytes 31/05/2011 23:10:35
    VBASE008.VDF : 7.11.8.182 2048 Bytes 31/05/2011 23:10:36
    VBASE009.VDF : 7.11.8.183 2048 Bytes 31/05/2011 23:10:36
    VBASE010.VDF : 7.11.8.184 2048 Bytes 31/05/2011 23:10:36
    VBASE011.VDF : 7.11.8.185 2048 Bytes 31/05/2011 23:10:36
    VBASE012.VDF : 7.11.8.186 2048 Bytes 31/05/2011 23:10:36
    VBASE013.VDF : 7.11.8.222 121856 Bytes 02/06/2011 23:10:37
    VBASE014.VDF : 7.11.8.223 2048 Bytes 02/06/2011 23:10:37
    VBASE015.VDF : 7.11.8.224 2048 Bytes 02/06/2011 23:10:37
    VBASE016.VDF : 7.11.8.225 2048 Bytes 02/06/2011 23:10:37
    VBASE017.VDF : 7.11.8.226 2048 Bytes 02/06/2011 23:10:38
    VBASE018.VDF : 7.11.8.227 2048 Bytes 02/06/2011 23:10:38
    VBASE019.VDF : 7.11.8.228 2048 Bytes 02/06/2011 23:10:38
    VBASE020.VDF : 7.11.8.229 2048 Bytes 02/06/2011 23:10:38
    VBASE021.VDF : 7.11.8.230 2048 Bytes 02/06/2011 23:10:39
    VBASE022.VDF : 7.11.8.231 2048 Bytes 02/06/2011 23:10:39
    VBASE023.VDF : 7.11.8.232 2048 Bytes 02/06/2011 23:10:39
    VBASE024.VDF : 7.11.8.233 2048 Bytes 02/06/2011 23:10:39
    VBASE025.VDF : 7.11.8.234 2048 Bytes 02/06/2011 23:10:39
    VBASE026.VDF : 7.11.8.235 2048 Bytes 02/06/2011 23:10:39
    VBASE027.VDF : 7.11.8.236 2048 Bytes 02/06/2011 23:10:40
    VBASE028.VDF : 7.11.8.237 2048 Bytes 02/06/2011 23:10:40
    VBASE029.VDF : 7.11.8.238 2048 Bytes 02/06/2011 23:10:40
    VBASE030.VDF : 7.11.8.239 2048 Bytes 02/06/2011 23:10:40
    VBASE031.VDF : 7.11.8.253 76288 Bytes 03/06/2011 09:18:04
    Engineversion : 8.2.5.12
    AEVDF.DLL : 8.1.2.1 106868 Bytes 28/03/2011 15:15:27
    AESCRIPT.DLL : 8.1.3.65 1606010 Bytes 02/06/2011 23:10:55
    AESCN.DLL : 8.1.7.2 127349 Bytes 28/03/2011 15:15:27
    AESBX.DLL : 8.2.1.34 323957 Bytes 02/06/2011 23:11:01
    AERDL.DLL : 8.1.9.9 639347 Bytes 25/03/2011 11:21:38
    AEPACK.DLL : 8.2.6.8 557430 Bytes 02/06/2011 23:10:54
    AEOFFICE.DLL : 8.1.1.25 205178 Bytes 02/06/2011 23:10:53
    AEHEUR.DLL : 8.1.2.123 3502456 Bytes 02/06/2011 23:10:52
    AEHELP.DLL : 8.1.17.2 246135 Bytes 02/06/2011 23:10:44
    AEGEN.DLL : 8.1.5.6 401780 Bytes 02/06/2011 23:10:44
    AEEMU.DLL : 8.1.3.0 393589 Bytes 28/03/2011 15:15:19
    AECORE.DLL : 8.1.21.1 196983 Bytes 02/06/2011 23:10:43
    AEBB.DLL : 8.1.1.0 53618 Bytes 28/03/2011 15:15:19
    AVWINLL.DLL : 10.0.0.0 19304 Bytes 28/03/2011 15:15:31
    AVPREF.DLL : 10.0.0.0 44904 Bytes 01/04/2011 16:07:42
    AVREP.DLL : 10.0.0.10 174120 Bytes 02/06/2011 23:11:02
    AVREG.DLL : 10.0.3.2 53096 Bytes 01/04/2011 16:07:42
    AVSCPLR.DLL : 10.0.4.2 84840 Bytes 01/04/2011 16:07:43
    AVARKT.DLL : 10.0.22.6 231784 Bytes 01/04/2011 16:07:38
    AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 01/04/2011 16:07:41
    SQLITE3.DLL : 3.6.19.0 355688 Bytes 17/06/2010 14:27:22
    AVSMTP.DLL : 10.0.0.17 63848 Bytes 28/03/2011 15:15:30
    NETNT.DLL : 10.0.0.0 11624 Bytes 28/03/2011 15:15:39
    RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 01/04/2011 16:07:58
    RCTEXT.DLL : 10.0.58.0 97128 Bytes 28/03/2011 15:15:52

    Configuration settings for the scan:
    Jobname.............................: Complete system scan
    Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
    Logging.............................: low
    Primary action......................: interactive
    Secondary action....................: ignore
    Scan master boot sector.............: on
    Scan boot sector....................: on
    Boot sectors........................: C:,
    Process scan........................: on
    Extended process scan...............: on
    Scan registry.......................: on
    Search for rootkits.................: on
    Integrity checking of system files..: off
    Scan all files......................: All files
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: medium

    Start of the scan: 03 June 2011 11:28

    Starting search for hidden objects.

    The scan of running processes will be started
    Scan process 'dllhost.exe' - '57' Module(s) have been scanned
    Scan process 'vssvc.exe' - '57' Module(s) have been scanned
    Scan process 'avscan.exe' - '79' Module(s) have been scanned
    Scan process 'avcenter.exe' - '72' Module(s) have been scanned
    Scan process 'msdtc.exe' - '52' Module(s) have been scanned
    Scan process 'dllhost.exe' - '71' Module(s) have been scanned
    Scan process 'svchost.exe' - '41' Module(s) have been scanned
    Scan process 'EasyShare.exe' - '172' Module(s) have been scanned
    Scan process 'ctfmon.exe' - '37' Module(s) have been scanned
    Scan process 'avgnt.exe' - '60' Module(s) have been scanned
    Scan process 'VTTimer.exe' - '25' Module(s) have been scanned
    Scan process 'InCD.exe' - '38' Module(s) have been scanned
    Scan process 'NBHGui.exe' - '35' Module(s) have been scanned
    Scan process 'jusched.exe' - '32' Module(s) have been scanned
    Scan process 'lxbvbmon.exe' - '31' Module(s) have been scanned
    Scan process 'lxbvbmgr.exe' - '29' Module(s) have been scanned
    Scan process 'SOUNDMAN.EXE' - '33' Module(s) have been scanned
    Scan process 'alg.exe' - '45' Module(s) have been scanned
    Scan process 'svchost.exe' - '47' Module(s) have been scanned
    Scan process 'slserv.exe' - '21' Module(s) have been scanned
    Scan process 'NBHRegInCDSrv.exe' - '25' Module(s) have been scanned
    Scan process 'NBService.exe' - '54' Module(s) have been scanned
    Scan process 'avshadow.exe' - '26' Module(s) have been scanned
    Scan process 'jqs.exe' - '41' Module(s) have been scanned
    Scan process 'AppleMobileDeviceService.exe' - '28' Module(s) have been scanned
    Scan process 'avguard.exe' - '55' Module(s) have been scanned
    Scan process 'svchost.exe' - '43' Module(s) have been scanned
    Scan process 'sched.exe' - '47' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '67' Module(s) have been scanned
    Scan process 'LEXPPS.EXE' - '34' Module(s) have been scanned
    Scan process 'LEXBCES.EXE' - '34' Module(s) have been scanned
    Scan process 'Explorer.EXE' - '124' Module(s) have been scanned
    Scan process 'svchost.exe' - '49' Module(s) have been scanned
    Scan process 'svchost.exe' - '44' Module(s) have been scanned
    Scan process 'InCDSrv.exe' - '30' Module(s) have been scanned
    Scan process 'svchost.exe' - '174' Module(s) have been scanned
    Scan process 'svchost.exe' - '47' Module(s) have been scanned
    Scan process 'svchost.exe' - '58' Module(s) have been scanned
    Scan process 'lsass.exe' - '66' Module(s) have been scanned
    Scan process 'services.exe' - '42' Module(s) have been scanned
    Scan process 'winlogon.exe' - '76' Module(s) have been scanned
    Scan process 'csrss.exe' - '12' Module(s) have been scanned
    Scan process 'smss.exe' - '2' Module(s) have been scanned

    Starting master boot sector scan:
    Master boot sector HD0
    [INFO] No virus was found!

    Start scanning boot sectors:
    Boot sector 'C:\'
    [INFO] No virus was found!

    Starting to scan executable files (registry).
    The registry was scanned ( '1653' files ).


    Starting the file scan:

    Begin scan in 'C:\'
    C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

    [0] Archive type: NSIS
    --> ProgramFilesDir/handle.cfxxe
    [1] Archive type: RSRC
    --> Object
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    C:\Qoobox\Quarantine\C\mbam-setup-1.51.0.1200.exe.vir
    [DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
    C:\Qoobox\Quarantine\C\TDSSKiller.exe.vir
    [DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
    C:\Qoobox\Quarantine\C\TFC.exe.vir
    [DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
    C:\System Volume Information\_restore{277102AF-CF18-4900-992D-7F2CB4FE30A2}\RP567\A0284450.exe
    [DETECTION] Is the TR/Trash.Gen Trojan
    C:\System Volume Information\_restore{277102AF-CF18-4900-992D-7F2CB4FE30A2}\RP580\A0289084.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    C:\System Volume Information\_restore{D49A7662-467B-4DEC-A560-D477F86C24CE}\RP16\A0002118.dll
    [DETECTION] Is the TR/Trash.Gen Trojan
    C:\System Volume Information\_restore{D49A7662-467B-4DEC-A560-D477F86C24CE}\RP16\A0002119.dll
    [DETECTION] Is the TR/Trash.Gen Trojan

    Beginning disinfection:
    C:\System Volume Information\_restore{D49A7662-467B-4DEC-A560-D477F86C24CE}\RP16\A0002119.dll
    [DETECTION] Is the TR/Trash.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '471cfcfd.qua'.
    C:\System Volume Information\_restore{D49A7662-467B-4DEC-A560-D477F86C24CE}\RP16\A0002118.dll
    [DETECTION] Is the TR/Trash.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '5f8bd35a.qua'.
    C:\System Volume Information\_restore{277102AF-CF18-4900-992D-7F2CB4FE30A2}\RP580\A0289084.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '0dd689b2.qua'.
    C:\System Volume Information\_restore{277102AF-CF18-4900-992D-7F2CB4FE30A2}\RP567\A0284450.exe
    [DETECTION] Is the TR/Trash.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '6be1c670.qua'.
    C:\Qoobox\Quarantine\C\TFC.exe.vir
    [DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
    [NOTE] The file was moved to the quarantine directory under the name '2e52ebb4.qua'.
    C:\Qoobox\Quarantine\C\TDSSKiller.exe.vir
    [DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
    [NOTE] The file was moved to the quarantine directory under the name '5159d9db.qua'.
    C:\Qoobox\Quarantine\C\mbam-setup-1.51.0.1200.exe.vir
    [DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
    [NOTE] The file was moved to the quarantine directory under the name '1d97f5b3.qua'.
    C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '6193b5f4.qua'.


    End of the scan: 03 June 2011 22:55
    Used time: 43:17 Minute(s)

    The scan has been done completely.

    7011 Scanned directories
    267009 Files were scanned
    8 Viruses and/or unwanted programs were found
    0 Files were classified as suspicious
    0 files were deleted
    0 Viruses and unwanted programs were repaired
    8 Files were moved to quarantine
    0 Files were renamed
    0 Files cannot be scanned
    267001 Files not concerned
    1402 Archives were scanned
    0 Warnings
    8 Notes
    321983 Objects were scanned with rootkit scan
    0 Hidden objects were found
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I did not request the Avira scan. The entries 'found' are in the Qoobox, which is where Combofix sends the quarantined entries. The other entries were found in System Volume, which is the restore points.

    All of these entries have been previously handled. The restore points are in the removal below.
    =========================================
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      • Choose Disc Cleanup
      • Click "OK" to select the partition or drive you want.
      • Click the "More Options" Tab.
      • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
     
  18. swisstonyholmes

    swisstonyholmes TS Rookie Topic Starter Posts: 98

    Bobbye,

    First of all can you answer my question re recommended antivirus to replace AVG as per my last post.

    Secondly, I have completed all of the above and all seems to be ok.......with this account.....but not with two others. There are five user accounts on the system these are:

    Alan (which works ok no problems, this is the profile I have been doing all of our work in)
    Kayleigh (This also works fine.)
    Kimberly (This also works fine.)
    Pauline (This one still refuses to run any programs from the desktop and insists on executing all files with an "Open With" popup, it also fails to start Zone Alarm and Avira amongst other things. Basically it's doing exactly the same as Alan's profile until you fixed it.)
    Samantha (Does the same as Pauline's)

    Let me know what you think,

    Tony.
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please note: Combofix found entries in these 2 accounts, which means it checked them.
    Alan
    PAULINE
    ===========================
    See below:
    Reply #13
    If you want a good paid AV, I highly recommend Eset Nod32

    See Reply #13
    Accounts:
    Have the individuals check their own settings. The malware is gone and not the issue.
     
  20. swisstonyholmes

    swisstonyholmes TS Rookie Topic Starter Posts: 98

    Bobbye,

    Just to let you know all problems have now been fixed. I did some research on the "Open with exe problem" and came across the same fix on a few forums. It involved running a script file from the "Kelly's Korner" website link named "exe fix". I ran this on both the profiles that were no longer running desktop icons and this fixed the problem.

    Whether this was the right "Technical" thing to do I'm not sure, but I'm happy all the same.

    Thanks for your time and support with this matter. I know it has been a long slog but we got there in the end.

    Cheers again.

    Tony.
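    The "Open With" prompt on every .exe in the post above is the symptom of a changed .exe file association, and the "exe fix" script restores that association. The following read-only PowerShell audit is an added example for this thread; it is not the Kelly's Korner script and not anything the thread's helper posted. It assumes the fix works by restoring the .exe and exefile registry keys to their Windows defaults, and the expected values in it are those documented defaults, not values taken from the logs above. Because the problem here affected some profiles and not others, it checks the per-user hive as well as the machine-wide one.

```powershell
# Added example, not from the thread. Read-only audit of the .exe file
# association; run it in the affected user's session. Assumption: the "exe fix"
# script restores these keys to the Windows defaults listed in $expected.

function Get-RegDefault {
    param([string]$Path)
    # Returns the key's (Default) value, or $null if the key or value is absent.
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.GetValue('')
}

function Test-ExeAssociation {
    # HKCR is a merged view of HKLM\SOFTWARE\Classes (machine-wide) and
    # HKCU\Software\Classes (per-user), with the per-user hive taking
    # precedence. A profile-specific "Open With" problem usually lives in HKCU.
    $expected = @{
        '.exe'                       = 'exefile'
        'exefile\shell\open\command' = '"%1" %*'
    }
    $hives = @(
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes',
        'Registry::HKEY_CURRENT_USER\Software\Classes',
        'Registry::HKEY_CLASSES_ROOT'
    )
    $findings = @()
    foreach ($hive in $hives) {
        foreach ($sub in @('.exe', 'exefile\shell\open\command')) {
            $actual = Get-RegDefault -Path "$hive\$sub"
            # 'absent' under HKCU is the normal state (no per-user override).
            # 'absent' under HKLM or HKCR, or 'MODIFIED' anywhere, matches the
            # "Open With" symptom described in the thread.
            if ($null -eq $actual) {
                $status = 'absent'
            } elseif ($actual -eq $expected[$sub]) {
                $status = 'ok'
            } else {
                $status = 'MODIFIED'
            }
            $findings += New-Object PSObject -Property @{
                Key      = "$hive\$sub"
                Actual   = $actual
                Expected = $expected[$sub]
                Status   = $status
            }
        }
    }
    return $findings
}

Test-ExeAssociation | Select-Object Key, Actual, Expected, Status | Format-Table -AutoSize
```

    The script only reads the registry; it reports what the association currently points at so the change can be seen before any repair script is run, and it is worth re-running after the fix to confirm every hive shows 'ok' (or 'absent' for the per-user override). Any command other than the default is worth preserving as evidence before it is overwritten.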
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. Thank you for the update. Since the issues have been resolved, I'll close this thread. Leaving some additional tips:

    Tips for added security and safer browsing: (Links are in Bold Blue)
    1. Browser Security
      [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
      [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
      [o] Replace the Host Files
      [o] Google Toolbar Pop Up Blocker
      [o] Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show how the site rates for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
    2. Have layered Security:
      [o] Antivirus (only one): Both of the following programs are free and known to be good:
      [o] Avira-AntiVir-Personal-Free-Antivirus
      [o] Avast-Free Antivirus
      [o] Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
      [o] Comodo
      [o] Zone Alarm
    3. Antimalware: I recommend all of the following:
      [o] Spywareblaster: SpywareBlaster protects against bad ActiveX.
      [o] Spybot Search & Destroy
    4. Updates: Stay current:
      [o] the Microsoft Download Site frequently. All updates marked Critical and the current SP updates.
      [o] Adobe Reader: Install current, uninstall old.
      [o] Java Updates: Install current, uninstall old.
    5. Tracking Cookies
      Reset Cookies:
      [o] For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o] For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
      [o] For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    6. Do regular Maintenance
      [o] Temporary File Cleaner
    7. Restore Points:
      [o] See System Restore Guide
    8. Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Please let me know if you find any bad link.
     
Topic Status:
Not open for further replies.
