TechSpot

Virus preventing connection to the Internet

Solved
By fairway76
Nov 15, 2011
  1. Hi,

    I hope you will be able to help. I am trying to remove a virus from a colleague's computer which started by re-directing search engine results but has now led to the computer not being able to connect to the network.

    This means that it can't connect to the internet or update the Avira virus definitions.

    I have tried manually updating the definitions but it keeps coming up with the error:

    Avira Free Antivirus Updater
    Complete product update

    Creation time: Monday, November 14, 2011 14:49:20

    Operating system:
    Windows XP (Service Pack 3) [5.1.2600] 32 bit

    Product information:
    Product version: 12.0.0.861
    Updater: C:\Program Files\Avira\AntiVir Desktop\update.exe 12.1.13.17
    Update resource: C:\Program Files\Avira\AntiVir Desktop\updaterc.dll 12.1.0.17
    Library: C:\Program Files\Avira\AntiVir Desktop\update.dll 1.0.0.8
    Plugin: C:\Program Files\Avira\AntiVir Desktop\updext.dll 12.1.0.17
    GUI: C:\Program Files\Avira\AntiVir Desktop\updgui.dll 12.1.3.17

    Temp Directory: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\
    Backup folder: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\BACKUP\
    Installation Directory: C:\Program Files\Avira\AntiVir Desktop\
    Updater folder: C:\Program Files\Avira\AntiVir Desktop\
    AppData folder: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\

    Proxy settings:
    System settings used

    14:49:20 [UPD] [ERROR] Terminating update. Initialization of UpdateLib has reported error 11003.


    Summary:
    ********
    0 Files downloaded
    0 Files installed

    Monday, November 14, 2011 14:49:20

    The update failed!

    I have followed the instructions on this forum and will post the logs following; however, please note that I was unable to update the definitions on MBAM as I could not connect to the internet.

    Logs as follows:

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 7622

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    15/11/2011 15:38:20
    mbam-log-2011-11-15 (15-38-20).txt

    Scan type: Quick scan
    Objects scanned: 161041
    Time elapsed: 2 minute(s), 2 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  2. fairway76

    fairway76 TS Rookie Topic Starter Posts: 17

    GMER Log

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-11-15 15:40:26
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-16 ST3250318AS rev.CC38
    Running: m74618vt.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\axtdqpog.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
  3. fairway76

    fairway76 TS Rookie Topic Starter Posts: 17

    attach.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 26/03/2009 15:26:32
    System Uptime: 15/11/2011 14:36:31 (1 hours ago)
    .
    Motherboard: Hewlett-Packard | | 3031h
    Processor: Intel Pentium III Xeon processor | XU1 PROCESSOR | 2593/800mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 233 GiB total, 215.777 GiB free.
    D: is CDROM ()
    E: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP44: 15/08/2011 13:26:48 - System Checkpoint
    RP45: 17/08/2011 11:37:13 - System Checkpoint
    RP46: 19/08/2011 10:05:12 - System Checkpoint
    RP47: 22/08/2011 12:36:24 - System Checkpoint
    RP48: 23/08/2011 14:32:47 - System Checkpoint
    RP49: 30/08/2011 09:05:07 - Software Distribution Service 3.0
    RP50: 31/08/2011 12:32:55 - System Checkpoint
    RP51: 02/09/2011 12:39:22 - System Checkpoint
    RP52: 05/09/2011 10:04:41 - System Checkpoint
    RP53: 06/09/2011 12:22:16 - System Checkpoint
    RP54: 07/09/2011 12:34:50 - System Checkpoint
    RP55: 07/09/2011 17:39:56 - Software Distribution Service 3.0
    RP56: 09/09/2011 11:55:21 - System Checkpoint
    RP57: 12/09/2011 12:50:30 - System Checkpoint
    RP58: 15/09/2011 09:35:38 - System Checkpoint
    RP59: 15/09/2011 17:38:39 - Software Distribution Service 3.0
    RP60: 19/09/2011 10:29:05 - System Checkpoint
    RP61: 20/09/2011 12:17:25 - System Checkpoint
    RP62: 21/09/2011 12:38:21 - System Checkpoint
    RP63: 22/09/2011 13:10:22 - System Checkpoint
    RP64: 26/09/2011 13:50:26 - System Checkpoint
    RP65: 29/09/2011 09:22:41 - Software Distribution Service 3.0
    RP66: 03/10/2011 10:47:34 - System Checkpoint
    RP67: 05/10/2011 12:48:17 - System Checkpoint
    RP68: 06/10/2011 14:15:23 - System Checkpoint
    RP69: 10/10/2011 11:15:45 - System Checkpoint
    RP70: 11/10/2011 11:33:22 - System Checkpoint
    RP71: 12/10/2011 14:44:09 - System Checkpoint
    RP72: 14/10/2011 10:29:10 - Software Distribution Service 3.0
    RP73: 17/10/2011 10:28:45 - System Checkpoint
    RP74: 19/10/2011 12:18:24 - System Checkpoint
    RP75: 31/10/2011 14:03:22 - System Checkpoint
    RP76: 02/11/2011 10:51:51 - System Checkpoint
    RP77: 07/11/2011 13:04:57 - System Checkpoint
    RP78: 08/11/2011 15:01:55 - System Checkpoint
    RP79: 10/11/2011 09:22:32 - Software Distribution Service 3.0
    RP80: 11/11/2011 11:27:45 - System Checkpoint
    RP81: 14/11/2011 09:17:09 - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    .
    32 Bit HP BiDi Channel Components Installer
    ActivClient 6.1 x86
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.1
    AOL Toolbar 5.0
    Avira Free Antivirus
    BufferChm
    CustomerResearchQFolder
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    DocMgr
    DocProc
    eSupportQFolder
    Google Toolbar for Internet Explorer
    Google Update Helper
    GPBaseService
    High Definition Audio Driver Package - KB888111
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB952117-v2)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    HP Color LaserJet CM1312 MFP Series 3.1
    HP Customer Participation Program 10.0
    HP Document Manager 1.0
    HP Help and Support
    HP Imaging Device Functions 10.0
    HP Solution Center 10.0
    HP Update
    hppCLJCM1312
    hppFaxDrvCM1312
    hppFaxUtilityCM1312
    hppFonts
    hppManualsCM1312
    hppPQVideoCM1312
    hppQFolderCM1312
    HPProductAssistant
    hppscanCM1312
    hppScanToCM1312
    hppSendFaxCM1312
    hppTLBXFXCM1312
    hppusgCM1312
    HPSSupply
    hpzTLBXFX
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Management Engine Interface
    Intel(R) Network Connections 13.1.33.0
    Intel® Active Management Technology
    InterVideo DVD Check
    InterVideo Register Manager
    InterVideo WinDVD
    Java(TM) 6 Update 7
    LightScribe System Software 1.14.17.1
    Malwarebytes' Anti-Malware version 1.51.2.1300
    MarketResearch
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2572067)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB954459)
    OGA Notifier 2.0.0048.0
    PDF Complete
    Roxio Activation Module
    Roxio Creator Audio
    Roxio Creator Business
    Roxio Creator Business v10
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio MyDVD
    Scan
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982665)
    Shop for HP Supplies
    SolutionCenter
    Sonic CinePlayer Decoder Pack
    SoundMAX
    TrayApp
    Trojan Cease v2.1.0
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB971180)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format Runtime
    Windows Presentation Foundation
    Windows XP Service Pack 3
    XML Paper Specification Shared Components Pack 1.0
    .
    ==== Event Viewer Messages From Past Week ========
    .
    15/11/2011 15:31:51, error: Service Control Manager [7000] - The Wireless Zero Configuration service failed to start due to the following error: The pipe has been ended.
    15/11/2011 13:31:44, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avipbb avkmgr Fips intelppm
    15/11/2011 12:00:54, error: Service Control Manager [7000] - The CryptSvc service failed to start due to the following error: The pipe state is invalid.
    15/11/2011 11:09:20, error: Service Control Manager [7023] - The Local Communication Channel service terminated with the following error: A non-recoverable error occurred during a database lookup.
    15/11/2011 11:09:18, error: Service Control Manager [7031] - The Logon Session Broker service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    15/11/2011 11:09:18, error: Service Control Manager [7031] - The Local Communication Channel service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    15/11/2011 11:05:52, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: Either the application has not called WSAStartup, or WSAStartup failed.
    15/11/2011 11:00:35, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: iaStor
    15/11/2011 10:54:55, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    15/11/2011 10:28:01, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    15/11/2011 10:10:04, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avipbb avkmgr Fips intelppm ssmdrv
    15/11/2011 09:17:20, error: Service Control Manager [7000] - The Wireless Zero Configuration service failed to start due to the following error: The pipe state is invalid.
    14/11/2011 16:30:12, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
    14/11/2011 14:21:21, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
    14/11/2011 14:04:00, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
    14/11/2011 14:01:17, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    14/11/2011 14:01:16, error: Service Control Manager [7034] - The System Restore Service service terminated unexpectedly. It has done this 1 time(s).
    14/11/2011 14:01:16, error: Service Control Manager [7034] - The Logical Disk Manager service terminated unexpectedly. It has done this 1 time(s).
    14/11/2011 14:01:16, error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 1 time(s).
    14/11/2011 14:01:16, error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    14/11/2011 14:01:16, error: Service Control Manager [7031] - The Help and Support service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
    14/11/2011 13:57:30, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avipbb avkmgr Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ssmdrv Tcpip
    14/11/2011 13:57:30, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    14/11/2011 13:57:30, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    14/11/2011 13:57:30, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    14/11/2011 13:57:30, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    14/11/2011 13:56:56, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
    14/11/2011 13:56:42, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    14/11/2011 13:56:28, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    14/11/2011 13:45:15, error: Service Control Manager [7031] - The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
    14/11/2011 13:44:47, error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 1 time(s).
    14/11/2011 13:44:42, error: Service Control Manager [7034] - The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s).
    14/11/2011 13:44:42, error: Service Control Manager [7031] - The Remote Registry service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
    14/11/2011 13:44:37, error: Service Control Manager [7034] - The Windows Image Acquisition (WIA) service terminated unexpectedly. It has done this 1 time(s).
    14/11/2011 13:44:34, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
    14/11/2011 13:44:31, error: Service Control Manager [7034] - The WebClient service terminated unexpectedly. It has done this 1 time(s).
    14/11/2011 13:41:13, error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error 2147953403 (0x80072AFB).
    14/11/2011 13:40:27, error: Service Control Manager [7024] - The Remote Access Connection Manager service terminated with service-specific error 3221356592 (0xC0020030).
    14/11/2011 13:40:16, error: Service Control Manager [7034] - The Wireless Zero Configuration service terminated unexpectedly. It has done this 1 time(s).
    14/11/2011 13:40:16, error: Service Control Manager [7034] - The DHCP Client service terminated unexpectedly. It has done this 1 time(s).
    14/11/2011 13:40:16, error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    14/11/2011 13:40:16, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: A non-recoverable error occurred during a database lookup.
    14/11/2011 13:40:16, error: Service Control Manager [7022] - The Wireless Zero Configuration service hung on starting.
    14/11/2011 13:40:16, error: Service Control Manager [7022] - The Windows Image Acquisition (WIA) service hung on starting.
    14/11/2011 13:40:16, error: Service Control Manager [7022] - The Net Driver HPZ12 service hung on starting.
    14/11/2011 13:40:16, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
    14/11/2011 13:40:16, error: Service Control Manager [7022] - The DHCP Client service hung on starting.
    14/11/2011 13:40:16, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Intel(R) Active Management Technology Local Management Service service to connect.
    14/11/2011 13:40:16, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the hpqwmiex service to connect.
    14/11/2011 13:40:16, error: Service Control Manager [7001] - The Windows Firewall/Internet Connection Sharing (ICS) service depends on the Network Connections service which failed to start because of the following error: The pipe state is invalid.
    14/11/2011 13:40:16, error: Service Control Manager [7001] - The System Event Notification service depends on the COM+ Event System service which failed to start because of the following error: The pipe state is invalid.
    14/11/2011 13:40:16, error: Service Control Manager [7001] - The Security Center service depends on the Windows Management Instrumentation service which failed to start because of the following error: The pipe state is invalid.
    14/11/2011 13:40:16, error: Service Control Manager [7001] - The Computer Browser service depends on the Workstation service which failed to start because of the following error: The pipe state is invalid.
    14/11/2011 13:40:16, error: Service Control Manager [7000] - The Workstation service failed to start due to the following error: The pipe state is invalid.
    14/11/2011 13:40:16, error: Service Control Manager [7000] - The Windows Time service failed to start due to the following error: The pipe state is invalid.
    14/11/2011 13:40:16, error: Service Control Manager [7000] - The Windows Audio service failed to start due to the following error: The pipe state is invalid.
    14/11/2011 13:40:16, error: Service Control Manager [7000] - The Task Scheduler service failed to start due to the following error: The pipe state is invalid.
    14/11/2011 13:40:16, error: Service Control Manager [7000] - The System Restore Service service failed to start due to the following error: The pipe state is invalid.
    14/11/2011 13:40:16, error: Service Control Manager [7000] - The Server service failed to start due to the following error: The pipe state is invalid.
    14/11/2011 13:40:16, error: Service Control Manager [7000] - The Network Connections service failed to start due to the following error: The pipe state is invalid.
    14/11/2011 13:40:16, error: Service Control Manager [7000] - The Logical Disk Manager service failed to start due to the following error: The pipe state is invalid.
    14/11/2011 13:40:16, error: Service Control Manager [7000] - The Intel(R) Active Management Technology Local Management Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    14/11/2011 13:40:16, error: Service Control Manager [7000] - The hpqwmiex service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    14/11/2011 13:40:16, error: Service Control Manager [7000] - The Help and Support service failed to start due to the following error: The pipe state is invalid.
    14/11/2011 13:40:16, error: Service Control Manager [7000] - The Distributed Link Tracking Client service failed to start due to the following error: The pipe state is invalid.
    14/11/2011 13:40:16, error: Service Control Manager [7000] - The Cryptographic Services service failed to start due to the following error: The pipe state is invalid.
    14/11/2011 13:40:16, error: Service Control Manager [7000] - The COM+ Event System service failed to start due to the following error: The pipe state is invalid.
    14/11/2011 13:40:16, error: Service Control Manager [7000] - The Automatic Updates service failed to start due to the following error: The pipe state is invalid.
    14/11/2011 13:40:13, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service hpqwmiex with arguments "" in order to run the server: {F5539356-2F02-40D4-999E-FA61F45FE12E}
    14/11/2011 13:33:20, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: %%2147942450
    14/11/2011 13:20:18, error: Service Control Manager [7022] - The WebClient service hung on starting.
    14/11/2011 13:20:18, error: Service Control Manager [7016] - The WebClient service has reported an invalid current state 11003.
    14/11/2011 13:00:44, error: Removable Storage Service [111] - RSM could not load media in drive Drive 0 of library Verbatim STORE N GO USB Device.
    14/11/2011 13:00:23, error: Service Control Manager [7000] - The Fast User Switching Compatibility service failed to start due to the following error: The pipe state is invalid.
    14/11/2011 12:56:08, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    14/11/2011 12:55:23, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgio avipbb Fips intelppm ssmdrv
    14/11/2011 12:49:25, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    14/11/2011 12:10:27, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service hpqwmiex with arguments "" in order to run the server: {F5539356-2F02-40D4-999E-FA61F45FE12E}
    .
    ==== End Of File ===========================

    I can't submit the dds.txt part because it says "1.You have included 7 images in your message. You are limited to using 6 images so please go back and correct the problem and then continue again.

    Images include use of smilies, the BB code tag and HTML <img> tags. The use of these is all subject to them being enabled by the administrator"

    I don't know what they are so I can't remove them.

    All help will be very welcome!!

    Thanks
  4. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===============================================================

    Please attach DDS.txt log.
  5. fairway76

    fairway76 TS Rookie Topic Starter Posts: 17

    dds log

    Please see the attached

    Thanks

    Attached Files:

    • dds.txt
  6. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Administrator at 15:54:51 on 2011-11-15
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1977.1494 [GMT 0:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\ActivIdentity\ActivClient\accoca.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\PDF Complete\pdfsvc.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
    C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\ActivIdentity\ActivClient\acevents.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.co.uk/
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    BHO: AOL Toolbar BHO: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
    TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
    TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
    mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
    mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
    mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
    mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [TrojanCease.exe] c:\program files\trojan cease\TrojanCease.exe
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    IE: &AOL Toolbar Search - c:\documents and settings\all users\application data\aol\ietoolbar\resources\en-gb\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260466450515
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1271949628296
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 208.67.222.222 195.97.231.31
    TCP: Interfaces\{3375EADC-D658-4213-A3A1-15C68035A72B} : DhcpNameServer = 208.67.222.222 195.97.231.31
    TCP: Interfaces\{8435D69D-C618-4C62-8C0C-6BD45B3DF1F6} : DhcpNameServer = 192.168.10.254
    Notify: ackpbsc - c:\windows\system32\ackpbsc.dll
    Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll
    Notify: igfxcui - igfxdev.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-3-26 24064]
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-11-15 36000]
    R2 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2007-11-28 185896]
    R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-11-15 86224]
    R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-11-15 110032]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-11-15 74640]
    R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2009-3-26 576024]
    R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-3-26 2054680]
    R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2009-3-26 144480]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2009-3-26 44800]
    R3 RkHit;RkHit;c:\windows\system32\drivers\RKHit.sys [2011-11-15 29312]
    S2 0219941309520905mcinstcleanup;McAfee Application Installer Cleanup (0219941309520905);c:\docume~1\admini~1\locals~1\temp\021994~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\admini~1\locals~1\temp\021994~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-7-1 136176]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-7-1 136176]
    S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-4-8 1112560]
    .
    =============== Created Last 30 ================
    .
    2011-11-15 13:32:18 29312 ----a-w- c:\windows\system32\drivers\RKHit.sys
    2011-11-15 13:32:18 -------- d-----w- c:\program files\Trojan Cease
    2011-11-15 13:00:57 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-11-15 13:00:57 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    2011-11-15 13:00:52 -------- d-----w- c:\documents and settings\all users\application data\Avira
    2011-11-15 12:16:14 -------- d-----w- c:\documents and settings\all users\application data\REPORTS
    2011-11-15 12:16:14 -------- d-----w- c:\documents and settings\all users\application data\LOGFILES
    2011-11-15 12:16:14 -------- d-----w- c:\documents and settings\all users\application data\INFECTED
    2011-11-15 12:16:01 -------- d-----w- c:\documents and settings\administrator\application data\Avira
    2011-11-15 12:02:59 -------- d-----w- c:\program files\Avira
    2011-11-15 11:40:15 98816 ----a-w- c:\windows\sed.exe
    2011-11-15 11:40:15 518144 ----a-w- c:\windows\SWREG.exe
    2011-11-15 11:40:15 256000 ----a-w- c:\windows\PEV.exe
    2011-11-15 11:40:15 208896 ----a-w- c:\windows\MBR.exe
    2011-11-15 11:04:05 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro
    2011-11-15 09:53:54 388096 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-11-15 09:53:53 -------- d-----w- c:\program files\Trend Micro
    2011-11-15 09:19:03 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-15 09:19:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-14 12:50:11 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
    2011-11-14 12:50:07 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    .
    ==================== Find3M ====================
    .
    2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 10:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 10:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 10:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
    .
    ============= FINISH: 15:55:03.10 ===============
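The DDS log above is a fixed-layout text report, so the first-pass triage a malware-removal helper does by eye (which loaded services and drivers point at files that appeared in the last 30 days, which service entries point at a binary that no longer exists or lives under a Temp directory) can be scripted. The following Python is an added example written for this thread; it is not part of the original post, of DDS, or of any tool the thread uses. The sample input is a constructed excerpt in the same layout as the log above, and the parser assumes the service-line layout `STATE name;display name;path [date size]` where `[?]` marks a binary DDS could not find (the meaning of the R/S and start-type digits is the reviewer's reading of the DDS convention).

```python
import re

# Constructed excerpt in the DDS log layout (entries of the kind shown in the
# log above), not the complete log. Paths are copied from the posted report.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-3-26 24064]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-11-15 36000]
R3 RkHit;RkHit;c:\windows\system32\drivers\RKHit.sys [2011-11-15 29312]
S2 0219941309520905mcinstcleanup;McAfee Application Installer Cleanup (0219941309520905);c:\docume~1\admini~1\locals~1\temp\021994~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
.
=============== Created Last 30 ================
.
2011-11-15 13:32:18 29312 ----a-w- c:\windows\system32\drivers\RKHit.sys
2011-11-15 13:32:18 -------- d-----w- c:\program files\Trojan Cease
2011-11-15 13:00:57 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
.
==================== Find3M ====================
"""

# "====== Title ======" section headers.
SECTION_RE = re.compile(r"^=+\s*(?P<title>.+?)\s*=+$")
# R = running, S = stopped; the digit is the start type (0 boot, 1 system,
# 2 automatic, 3 manual). Assumed reading of the DDS convention.
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# "YYYY-MM-DD HH:MM:SS size attrs path"; size is dashes for directories.
CREATED_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
                        r"(?P<size>\d+|-+) (?P<attr>\S+) (?P<path>.+)$")
# First executable path in the service line (the rest may be arguments).
BINARY_RE = re.compile(r"^(?P<path>.+?\.(?:exe|sys|dll))(?:\s|$)", re.IGNORECASE)
# Trailing "[date size]" or "[?]" marker.
TAIL_RE = re.compile(r"\[(?P<tail>[^\]]*)\]\s*$")


def parse_dds(text):
    """Split a DDS log into its SERVICES / DRIVERS and Created Last 30 entries."""
    section = None
    services, created = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # DDS uses "." as a spacer line
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("title")
            continue
        if section == "SERVICES / DRIVERS":
            m = SERVICE_RE.match(line)
            if not m:
                continue
            rest = m.group("rest")
            tail = TAIL_RE.search(rest)
            binary = BINARY_RE.match(rest)
            services.append({
                "state": m.group("state"),
                "name": m.group("name"),
                "display": m.group("display"),
                "path": (binary.group("path") if binary else rest).lower(),
                "file_known": tail is not None and tail.group("tail") != "?",
            })
        elif section == "Created Last 30":
            m = CREATED_RE.match(line)
            if m:
                created.append({"date": m.group("date"),
                                "path": m.group("path").lower(),
                                "is_dir": m.group("attr").startswith("d")})
    return {"services": services, "created": created}


def triage(parsed):
    """Flag service/driver entries worth a closer look. These are signals for a
    human to weigh, not verdicts: a driver installed the same day can be the
    antivirus that was just (re)installed."""
    recent = {c["path"] for c in parsed["created"] if not c["is_dir"]}
    findings = []
    for svc in parsed["services"]:
        reasons = []
        if svc["path"] in recent:
            reasons.append("binary created in the last 30 days")
        if not svc["file_known"]:
            reasons.append("service binary missing ([?])")
        if "\\temp\\" in svc["path"]:
            reasons.append("binary lives in a temp directory")
        if reasons:
            findings.append({"name": svc["name"], "state": svc["state"],
                             "path": svc["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_dds(SAMPLE_DDS)):
        print(f"{f['state']} {f['name']}: {', '.join(f['reasons'])}  ({f['path']})")
```

On the excerpt this lists avkmgr and RkHit as drivers whose files appeared in the last 30 days, and the McAfee cleanup entry as a service whose binary is missing and was registered under a Temp directory; SFAUDIO, whose file dates from 2009, is not reported. avkmgr is Avira's driver, installed the same day as the rest of Avira per the log, which is exactly why the output is a to-check list rather than a detection.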
  7. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan:

    On completion of the scan click "Save log", save it to your desktop and post in your next reply:

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    =============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  8. fairway76

    fairway76 TS Rookie Topic Starter Posts: 17

    Hi,

    Thanks for your help on this. I have run the 2 programs and the logs are below:-

    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-11-15 17:39:29
    -----------------------------
    17:39:29.765 OS Version: Windows 5.1.2600 Service Pack 3
    17:39:29.765 Number of processors: 2 586 0x170A
    17:39:29.765 ComputerName: NRCOMP UserName:
    17:39:30.187 Initialize success
    17:39:37.828 AVAST engine download error: 0
    17:39:37.828 AVAST engine error: 11003
    17:40:11.296 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-16
    17:40:11.296 Disk 0 Vendor: ST3250318AS CC38 Size: 238475MB BusType: 3
    17:40:13.343 Disk 0 MBR read successfully
    17:40:13.343 Disk 0 MBR scan
    17:40:13.343 Disk 0 Windows VISTA default MBR code
    17:40:13.343 Disk 0 scanning sectors +488394752
    17:40:13.453 Disk 0 scanning C:\WINDOWS\system32\drivers
    17:40:31.328 Service scanning
    17:40:32.093 Modules scanning
    17:41:00.687 Disk 0 trace - called modules:
    17:41:00.703 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    17:41:00.703 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a5b7ab8]
    17:41:00.718 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000065[0x8a5bbf18]
    17:41:00.718 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-16[0x8a576940]
    17:41:00.718 Scan finished successfully
    17:42:53.031 Disk 0 MBR has been saved successfully to "E:\2011 Files\MBR.dat"
    17:42:53.062 The log file has been saved successfully to "E:\2011 Files\aswMBR.txt"

    --------------------------------------------------------------------------------------------------------

    ComboFix 11-11-15.01 - Administrator 15/11/2011 17:44:04.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1977.1401 [GMT 0:00]
    Running from: e:\2011 files\ComboFix.exe
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\TEMP
    c:\windows\system32\drivers\RKHit.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_RKHIT
    -------\Service_RkHit
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-15 to 2011-11-15 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-15 13:32 . 2011-11-15 15:35 -------- d-----w- c:\program files\Trojan Cease
    2011-11-15 13:00 . 2011-10-19 16:56 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-11-15 13:00 . 2011-10-19 16:56 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    2011-11-15 13:00 . 2011-10-19 16:56 134344 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-11-15 13:00 . 2011-11-15 13:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-11-15 12:16 . 2011-11-15 12:51 -------- d-----w- c:\documents and settings\All Users\Application Data\INFECTED
    2011-11-15 12:16 . 2011-11-15 12:16 -------- d-----w- c:\documents and settings\All Users\Application Data\LOGFILES
    2011-11-15 12:16 . 2011-11-15 12:16 -------- d-----w- c:\documents and settings\All Users\Application Data\REPORTS
    2011-11-15 12:16 . 2011-11-15 12:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
    2011-11-15 12:02 . 2011-11-15 12:02 -------- d-----w- c:\program files\Avira
    2011-11-15 11:04 . 2011-11-15 11:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2011-11-15 09:53 . 2011-11-15 09:53 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-11-15 09:53 . 2011-11-15 09:53 -------- d-----w- c:\program files\Trend Micro
    2011-11-15 09:19 . 2011-11-15 15:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-15 09:19 . 2011-08-31 17:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-14 12:50 . 2011-11-14 12:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2011-11-14 12:50 . 2011-11-14 12:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-10 14:22 . 2004-08-04 07:56 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2004-08-04 07:56 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 10:41 . 2008-07-29 19:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 10:41 . 2001-08-18 05:36 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 10:41 . 2001-08-18 05:35 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-06 13:20 . 2004-08-04 06:17 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-22 23:48 . 2004-08-04 07:56 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48 . 2004-08-04 07:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-08-22 23:48 . 2004-08-04 07:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 11:56 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    Cryptography Services Error !!
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-11-15_11.45.30 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2006-04-26 00:43 . 2011-11-15 11:30 72582 c:\windows\system32\perfc009.dat
    + 2006-04-26 00:43 . 2011-11-15 15:36 72582 c:\windows\system32\perfc009.dat
    + 2011-11-15 13:01 . 2010-06-17 15:14 28520 c:\windows\system32\drivers\ssmdrv.sys
    + 2006-04-26 00:43 . 2011-11-15 15:36 444832 c:\windows\system32\perfh009.dat
    - 2006-04-26 00:43 . 2011-11-15 11:30 444832 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-01 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-07-19 773144]
    "PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-04-07 318488]
    "accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-11-28 298536]
    "SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
    "WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2008-05-23 197904]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-01 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-01 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-01 141848]
    "ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2008-08-01 53248]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-05 421888]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-19 258512]
    "TrojanCease.exe"="c:\program files\Trojan Cease\TrojanCease.exe" [2011-07-20 2122752]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2009-6-23 197904]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
    2007-11-28 01:41 109568 ----a-w- c:\windows\system32\ackpbsc.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
    2007-11-28 01:40 286720 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\mstsc.exe"=
    .
    3;2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R2 0219941309520905mcinstcleanup;McAfee Application Installer Cleanup (0219941309520905);c:\docume~1\ADMINI~1\LOCALS~1\Temp\021994~1.EXE [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-07-01 136176]
    R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-04-08 1112560]
    S0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-03-28 24064]
    S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2011-10-19 36000]
    S2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [2007-11-28 185896]
    S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-10-19 86224]
    S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2008-04-07 576024]
    S2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2008-07-19 2054680]
    S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k5132.sys [2008-06-05 144480]
    S3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2007-12-18 44800]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-06-09 10:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-01 12:25]
    .
    2011-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-01 12:25]
    .
    2011-11-14 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-GB\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    TCP: DhcpNameServer = 208.67.222.222 195.97.231.31
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-15 17:49
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
    "ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1163765230-883671085-333756272-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ec,9b,b4,73,38,ae,9a,43,b2,dc,20,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5c,89,f1,0b,81,d3,78,49,99,12,f6,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ec,9b,b4,73,38,ae,9a,43,b2,dc,20,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(688)
    c:\windows\system32\ackpbsc.dll
    c:\windows\system32\aclog.dll
    c:\windows\system32\accrypto.dll
    c:\windows\system32\ACLIBEAY.dll
    c:\windows\system32\acevtsub.dll
    c:\windows\system32\asphat32.dll
    c:\windows\system32\acerrmes.dll
    c:\windows\system32\aspcom.dll
    c:\program files\ActivIdentity\ActivClient\Resources\Localized\acerrmrc.dll
    c:\program files\ActivIdentity\ActivClient\Resources\Localized\asphatrc.dll
    c:\program files\ActivIdentity\ActivClient\acunlock.dll
    c:\windows\system32\aipingui.dll
    c:\windows\system32\aicext.dll
    c:\program files\ActivIdentity\ActivClient\Resources\Localized\aipinguirc.dll
    c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
    c:\program files\ActivIdentity\ActivClient\Resources\Localized\acunlockrc.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\ActivIdentity\ActivClient\acevents.exe
    c:\windows\system32\WgaTray.exe
    c:\windows\System32\SCardSvr.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    .
    **************************************************************************
    .
    Completion time: 2011-11-15 17:50:18 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-11-15 17:50
    ComboFix2.txt 2011-11-15 11:46
    .
    Pre-Run: 231,667,474,432 bytes free
    Post-Run: 231,573,700,608 bytes free
    .
    - - End Of File - - 590697E28789B3403638355F8349E445
  9. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Driver::
    0219941309520905mcinstcleanup
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt

    ================================================================

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.
  10. fairway76

    fairway76 TS Rookie Topic Starter Posts: 17

    Thanks Broni.

    I will do this in the morning and post the results.

    Cheers
  11. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    No problem :)
  12. fairway76

    fairway76 TS Rookie Topic Starter Posts: 17

    Hi Broni,

    I have done as you instructed. When the ComboFix started to run it came up with the following message while it was trying to create a recovery point:-

    "This machine does not have the 'Microsoft Windows recovery console' installed. Alternately, an existing installation of the recovery console may be present but requires updating.

    Without it, ComboFix shall not attempt the fixing of some serious infections."

    It gave me the option to try to download the Console but it requires a working internet connection which that computer does not have so I couldn't.

    It's also worth noting that the computer restarted during the ComboFix procedure - I wasn't watching it but I assume this is part of the normal process.

    Here are the two logs:-

    ComboFix 11-11-15.01 - Administrator 16/11/2011 9:01.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1977.1576 [GMT 0:00]
    Running from: e:\2011 files\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    * Created a new restore point
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_0219941309520905MCINSTCLEANUP
    -------\Service_0219941309520905mcinstcleanup
    -------\Service_RkHit
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-16 to 2011-11-16 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-15 13:32 . 2011-11-15 15:35 -------- d-----w- c:\program files\Trojan Cease
    2011-11-15 13:00 . 2011-10-19 16:56 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-11-15 13:00 . 2011-10-19 16:56 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    2011-11-15 13:00 . 2011-10-19 16:56 134344 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-11-15 13:00 . 2011-11-15 13:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-11-15 12:16 . 2011-11-15 12:51 -------- d-----w- c:\documents and settings\All Users\Application Data\INFECTED
    2011-11-15 12:16 . 2011-11-15 12:16 -------- d-----w- c:\documents and settings\All Users\Application Data\LOGFILES
    2011-11-15 12:16 . 2011-11-15 12:16 -------- d-----w- c:\documents and settings\All Users\Application Data\REPORTS
    2011-11-15 12:16 . 2011-11-15 12:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
    2011-11-15 12:02 . 2011-11-15 12:02 -------- d-----w- c:\program files\Avira
    2011-11-15 11:04 . 2011-11-15 11:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2011-11-15 09:53 . 2011-11-15 09:53 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-11-15 09:53 . 2011-11-15 09:53 -------- d-----w- c:\program files\Trend Micro
    2011-11-15 09:19 . 2011-11-15 15:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-15 09:19 . 2011-08-31 17:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-14 12:50 . 2011-11-14 12:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2011-11-14 12:50 . 2011-11-14 12:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-10 14:22 . 2004-08-04 07:56 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2004-08-04 07:56 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 10:41 . 2008-07-29 19:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 10:41 . 2001-08-18 05:36 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 10:41 . 2001-08-18 05:35 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-06 13:20 . 2004-08-04 06:17 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-22 23:48 . 2004-08-04 07:56 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48 . 2004-08-04 07:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-08-22 23:48 . 2004-08-04 07:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 11:56 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    Cryptography Services Error !!
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-11-15_11.45.30 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2006-04-26 00:43 . 2011-11-15 11:30 72582 c:\windows\system32\perfc009.dat
    + 2006-04-26 00:43 . 2011-11-16 08:54 72582 c:\windows\system32\perfc009.dat
    + 2011-11-15 13:01 . 2010-06-17 15:14 28520 c:\windows\system32\drivers\ssmdrv.sys
    + 2006-04-26 00:43 . 2011-11-16 08:54 444832 c:\windows\system32\perfh009.dat
    - 2006-04-26 00:43 . 2011-11-15 11:30 444832 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-01 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-07-19 773144]
    "PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-04-07 318488]
    "accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-11-28 298536]
    "SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
    "WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2008-05-23 197904]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-01 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-01 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-01 141848]
    "ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2008-08-01 53248]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-05 421888]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-19 258512]
    "TrojanCease.exe"="c:\program files\Trojan Cease\TrojanCease.exe" [2011-07-20 2122752]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2009-6-23 197904]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
    2007-11-28 01:41 109568 ----a-w- c:\windows\system32\ackpbsc.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
    2007-11-28 01:40 286720 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\mstsc.exe"=
    .
    3;2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-07-01 136176]
    R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-04-08 1112560]
    S0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-03-28 24064]
    S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2011-10-19 36000]
    S2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [2007-11-28 185896]
    S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-10-19 86224]
    S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2008-04-07 576024]
    S2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2008-07-19 2054680]
    S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k5132.sys [2008-06-05 144480]
    S3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2007-12-18 44800]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-06-09 10:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-01 12:25]
    .
    2011-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-01 12:25]
    .
    2011-11-14 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-GB\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    TCP: DhcpNameServer = 208.67.222.222 195.97.231.31
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-16 09:07
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
    "ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1163765230-883671085-333756272-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ec,9b,b4,73,38,ae,9a,43,b2,dc,20,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5c,89,f1,0b,81,d3,78,49,99,12,f6,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ec,9b,b4,73,38,ae,9a,43,b2,dc,20,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(692)
    c:\windows\system32\ackpbsc.dll
    c:\windows\system32\aclog.dll
    c:\windows\system32\accrypto.dll
    c:\windows\system32\ACLIBEAY.dll
    c:\windows\system32\acevtsub.dll
    c:\windows\system32\asphat32.dll
    c:\windows\system32\acerrmes.dll
    c:\windows\system32\aspcom.dll
    c:\program files\ActivIdentity\ActivClient\Resources\Localized\acerrmrc.dll
    c:\program files\ActivIdentity\ActivClient\Resources\Localized\asphatrc.dll
    c:\program files\ActivIdentity\ActivClient\acunlock.dll
    c:\windows\system32\aipingui.dll
    c:\windows\system32\aicext.dll
    c:\program files\ActivIdentity\ActivClient\Resources\Localized\aipinguirc.dll
    c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
    c:\program files\ActivIdentity\ActivClient\Resources\Localized\acunlockrc.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\ActivIdentity\ActivClient\acevents.exe
    c:\windows\system32\WgaTray.exe
    c:\windows\System32\SCardSvr.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    .
    **************************************************************************
    .
    Completion time: 2011-11-16 09:08:20 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-11-16 09:08
    ComboFix2.txt 2011-11-15 17:50
    ComboFix3.txt 2011-11-15 11:46
    .
    Pre-Run: 231,543,582,720 bytes free
    Post-Run: 231,533,817,856 bytes free
    .
    - - End Of File - - 91D96CD5355745714EB5EB0D8316175E

    --------------------------------------------------------------------------------------------------------

    Farbar Service Scanner
    Ran by Administrator (administrator) on 16-11-2011 at 09:11:34
    Microsoft Windows XP Service Pack 3 (X86)
    ********************************************************

    Service Check:
    ==============
    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.


    File Check:
    ===========
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

    Connection Status:
    ==================
    Localhost is blocked.
    LAN connected.
    Attempt to Google returned error: Other errors
    Attempt to yahoo returend error: Other errors

    **** End of log ****


    Thanks
  13. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Go Start>Run, type in:
    services.msc
    Click OK.

    Services window will open.
    Scroll down to DHCP Client service and see if it's running and if "Startup type" is set to "Automatic".
    Let me know.
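    The Farbar Service Scanner log above and the DHCP Client check Broni asks for here can be done in one pass from a PowerShell prompt on the affected machine. The script below is an added example for this thread, not code from Broni, Farbar or TechSpot. It assumes an elevated PowerShell 2.0 or later prompt (the XP-era version, hence MD5 through .NET rather than Get-FileHash); the service names and file list are the ones FSS reported on, and no known-good hashes are embedded, so the printed MD5s have to be compared against a clean machine at the same service-pack level.

```powershell
# Added example (not from the thread): reproduce the FSS "Service Check" and
# "File Check" and flag the condition seen on this machine, a service whose
# start type is Automatic but which is not running.
# Assumptions: run as Administrator, PowerShell 2.0+, service/file names taken
# from the FSS log posted above. No reference hashes are built in.

$serviceNames = @('Dhcp', 'CryptSvc', 'Dnscache', 'RpcSs',
                  'AFD', 'NetBT', 'Tcpip', 'IPSec')

$sys32 = Join-Path $env:SystemRoot 'system32'
$filesToHash = @(
    (Join-Path $sys32 'svchost.exe'),
    (Join-Path $sys32 'rpcss.dll'),
    (Join-Path $sys32 'services.exe'),
    (Join-Path $sys32 'dhcpcsvc.dll'),
    (Join-Path $sys32 'Drivers\afd.sys'),
    (Join-Path $sys32 'Drivers\netbt.sys'),
    (Join-Path $sys32 'Drivers\tcpip.sys'),
    (Join-Path $sys32 'Drivers\ipsec.sys'),
    (Join-Path $sys32 'dnsrslvr.dll')
)

function Get-Md5Hex {
    # MD5 via .NET so this also works on PowerShell 2.0 (no Get-FileHash there).
    param([string]$Path)
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $md5.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Get-ServiceReport {
    # Win32_BaseService covers both user-mode services (Dhcp, CryptSvc) and
    # kernel drivers (AFD, Tcpip); Get-Service only lists the former.
    param([string]$Name)
    $svc = Get-WmiObject -Class Win32_BaseService -Filter "Name='$Name'"
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $imagePath = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
    $svcDll    = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll

    $state = 'n/a'; $startMode = 'n/a'; $flag = ''
    if ($svc -eq $null) {
        $flag = 'MISSING'
    } else {
        $state = $svc.State
        $startMode = $svc.StartMode
        # The DHCP Client condition reported in this thread: Automatic, but stopped.
        if ($startMode -eq 'Auto' -and $state -ne 'Running') { $flag = 'AUTO-BUT-NOT-RUNNING' }
    }
    New-Object PSObject -Property @{
        Name       = $Name
        State      = $state
        StartMode  = $startMode
        Flag       = $flag
        ImagePath  = $imagePath
        ServiceDll = $svcDll
    }
}

Write-Output 'Service Check:'
$serviceNames | ForEach-Object { Get-ServiceReport $_ } |
    Format-Table Name, State, StartMode, Flag, ImagePath, ServiceDll -AutoSize -Wrap

Write-Output 'File Check (compare the MD5 against a clean machine at the same SP level):'
foreach ($f in $filesToHash) {
    if (Test-Path $f) { Write-Output ('{0}  {1}' -f (Get-Md5Hex $f), $f) }
    else              { Write-Output ('MISSING  {0}' -f $f) }
}
```

    Anything in the Flag column, or an ImagePath/ServiceDll that points outside %SystemRoot%\system32, is what to report back. For context, the 11003 in the Avira updater output is the Winsock code WSANO_RECOVERY (a non-recoverable error during a name lookup), which is consistent with the DHCP/DNS client services not being up rather than a problem with Avira itself.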
  14. fairway76

    fairway76 TS Rookie Topic Starter Posts: 17

    Hi Broni,

    Yes the Startup type is set to automatic, but it is not started. I tried to start it but it said it terminated unexpectedly.

    Thanks
  15. Broni

    Broni Malware Annihilator Posts: 46,797   +254

  16. fairway76

    fairway76 TS Rookie Topic Starter Posts: 17

    I followed the instructions on bleepingcomputers - everything was the same as the guy on there until I ran the cmd prompt: netsh winsock reset catalogue

    I then got the following error:-

    "Initialization Function InitHelperDll in IPMONTR.DLL failed to start with error code 11003.

    Successfully reset the Winsock Catalogue.

    You must restart the machine in order to complete the reset."

    I restarted the machine. When it restarted the CryptSvc had not started although it was set to automatic. I could start it however. When I then tried to start the DHCP Client it wouldn't start and I got the same error as before. The CryptSvc also stopped then but again I could restart it.

    Incidentally, the error code 11003 above is the same error code I get when I tried to manually update the Avira Virus Definitions.

    I then ran the ComboFix but hadn't turned the Avira off so it thought it was a virus. I restarted the computer again, manually started CryptSvc and then ran the ComboFix with Avira disabled.

    Here is the ComboFix Log:

    ComboFix 11-11-14.03 - Administrator 18/11/2011 10:04:05.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1977.1537 [GMT 0:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_RkHit
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-18 to 2011-11-18 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-18 09:07 . 2011-11-18 10:03 -------- d-----w- c:\windows\system32\CatRoot2
    2011-11-15 13:32 . 2011-11-15 15:35 -------- d-----w- c:\program files\Trojan Cease
    2011-11-15 13:00 . 2011-10-19 16:56 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-11-15 13:00 . 2011-10-19 16:56 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    2011-11-15 13:00 . 2011-10-19 16:56 134344 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-11-15 13:00 . 2011-11-15 13:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-11-15 12:16 . 2011-11-15 12:51 -------- d-----w- c:\documents and settings\All Users\Application Data\INFECTED
    2011-11-15 12:16 . 2011-11-15 12:16 -------- d-----w- c:\documents and settings\All Users\Application Data\LOGFILES
    2011-11-15 12:16 . 2011-11-15 12:16 -------- d-----w- c:\documents and settings\All Users\Application Data\REPORTS
    2011-11-15 12:16 . 2011-11-15 12:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
    2011-11-15 12:02 . 2011-11-15 12:02 -------- d-----w- c:\program files\Avira
    2011-11-15 11:04 . 2011-11-15 11:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2011-11-15 09:53 . 2011-11-15 09:53 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-11-15 09:53 . 2011-11-15 09:53 -------- d-----w- c:\program files\Trend Micro
    2011-11-15 09:19 . 2011-11-15 15:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-15 09:19 . 2011-08-31 17:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-14 12:50 . 2011-11-14 12:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2011-11-14 12:50 . 2011-11-14 12:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-10 14:22 . 2004-08-04 07:56 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2004-08-04 07:56 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 10:41 . 2008-07-29 19:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 10:41 . 2001-08-18 05:36 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 10:41 . 2001-08-18 05:35 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-06 13:20 . 2004-08-04 06:17 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-22 23:48 . 2004-08-04 07:56 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48 . 2004-08-04 07:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-08-22 23:48 . 2004-08-04 07:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 11:56 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    Cryptography Services Error !!
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-11-15_11.45.30 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2006-04-26 00:43 . 2011-11-15 11:30 72582 c:\windows\system32\perfc009.dat
    + 2006-04-26 00:43 . 2011-11-18 09:58 72582 c:\windows\system32\perfc009.dat
    + 2011-11-15 13:01 . 2010-06-17 15:14 28520 c:\windows\system32\drivers\ssmdrv.sys
    + 2006-04-26 00:43 . 2011-11-18 09:58 444832 c:\windows\system32\perfh009.dat
    - 2006-04-26 00:43 . 2011-11-15 11:30 444832 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-01 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-07-19 773144]
    "PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-04-07 318488]
    "accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-11-28 298536]
    "SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
    "WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2008-05-23 197904]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-01 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-01 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-01 141848]
    "ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2008-08-01 53248]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-05 421888]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-19 258512]
    "TrojanCease.exe"="c:\program files\Trojan Cease\TrojanCease.exe" [2011-07-20 2122752]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2009-6-23 197904]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
    2007-11-28 01:41 109568 ----a-w- c:\windows\system32\ackpbsc.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
    2007-11-28 01:40 286720 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\mstsc.exe"=
    .
    3;2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-07-01 136176]
    R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-04-08 1112560]
    S0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-03-28 24064]
    S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2011-10-19 36000]
    S2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [2007-11-28 185896]
    S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-10-19 86224]
    S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2008-04-07 576024]
    S2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2008-07-19 2054680]
    S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k5132.sys [2008-06-05 144480]
    S3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2007-12-18 44800]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-06-09 10:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-01 12:25]
    .
    2011-11-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-01 12:25]
    .
    2011-11-14 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-GB\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    TCP: DhcpNameServer = 208.67.222.222 195.97.231.31
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-18 10:10
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
    "ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1163765230-883671085-333756272-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ec,9b,b4,73,38,ae,9a,43,b2,dc,20,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5c,89,f1,0b,81,d3,78,49,99,12,f6,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ec,9b,b4,73,38,ae,9a,43,b2,dc,20,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(688)
    c:\windows\system32\ackpbsc.dll
    c:\windows\system32\aclog.dll
    c:\windows\system32\accrypto.dll
    c:\windows\system32\ACLIBEAY.dll
    c:\windows\system32\acevtsub.dll
    c:\windows\system32\asphat32.dll
    c:\windows\system32\acerrmes.dll
    c:\windows\system32\aspcom.dll
    c:\program files\ActivIdentity\ActivClient\Resources\Localized\acerrmrc.dll
    c:\program files\ActivIdentity\ActivClient\Resources\Localized\asphatrc.dll
    c:\program files\ActivIdentity\ActivClient\acunlock.dll
    c:\windows\system32\aipingui.dll
    c:\windows\system32\aicext.dll
    c:\program files\ActivIdentity\ActivClient\Resources\Localized\aipinguirc.dll
    c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
    c:\program files\ActivIdentity\ActivClient\Resources\Localized\acunlockrc.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\ActivIdentity\ActivClient\acevents.exe
    c:\windows\system32\WgaTray.exe
    c:\windows\System32\SCardSvr.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    .
    **************************************************************************
    .
    Completion time: 2011-11-18 10:11:30 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-11-18 10:11
    ComboFix2.txt 2011-11-16 09:08
    ComboFix3.txt 2011-11-15 17:50
    ComboFix4.txt 2011-11-15 11:46
    .
    Pre-Run: 231,484,432,384 bytes free
    Post-Run: 231,474,257,920 bytes free
    .
    - - End Of File - - AEC015A152F7C99D745BC4C039927F6F


    Thanks
  17. fairway76

    Hi Broni,

    Not sure if this helps, but in my Device Manager under the Non-Plug and Play section there is a device called catchme that has a yellow "!" against it.

    I've checked on the computers on the same network to see if they have this device but none of them have it.

    Is this of any significance?

    Cheers
  18. Broni

  19. fairway76

    Hi Broni,

    I will try this on Monday. Do you need me to post a new ComboFix log after I have tried this?

    I have had a look through the article but none of the error numbers match what I have experienced - but I will give it a go.

    If this doesn't work, is it worth re-loading Windows XP and starting again?
  20. Broni

    Try the MS article first and then post a fresh ComboFix log.
  21. fairway76

    Broni you are a star!!

    I followed the steps to manually delete the registry keys for Winsock and Winsock2, then re-installed them and internet connection is back!!

    I have run ComboFix and the log is below; however, it did say that ComboFix had expired and asked if I wished to run it with reduced functionality, which I said yes to:-

    ComboFix 11-11-14.03 - Administrator 21/11/2011 9:24.5.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1977.1505 [GMT 0:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    * Created a new restore point
    .
    - REDUCED FUNCTIONALITY MODE -
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-21 to 2011-11-21 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-18 09:07 . 2011-11-21 09:24 -------- d-----w- c:\windows\system32\CatRoot2
    2011-11-15 13:00 . 2011-10-19 16:56 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-11-15 13:00 . 2011-10-19 16:56 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    2011-11-15 13:00 . 2011-10-19 16:56 134344 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-11-15 13:00 . 2011-11-15 13:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-11-15 12:16 . 2011-11-15 12:51 -------- d-----w- c:\documents and settings\All Users\Application Data\INFECTED
    2011-11-15 12:16 . 2011-11-15 12:16 -------- d-----w- c:\documents and settings\All Users\Application Data\LOGFILES
    2011-11-15 12:16 . 2011-11-15 12:16 -------- d-----w- c:\documents and settings\All Users\Application Data\REPORTS
    2011-11-15 12:16 . 2011-11-15 12:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
    2011-11-15 12:02 . 2011-11-15 12:02 -------- d-----w- c:\program files\Avira
    2011-11-15 11:04 . 2011-11-15 11:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2011-11-15 09:53 . 2011-11-15 09:53 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-11-15 09:53 . 2011-11-15 09:53 -------- d-----w- c:\program files\Trend Micro
    2011-11-15 09:19 . 2011-11-18 17:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-15 09:19 . 2011-08-31 17:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-14 12:50 . 2011-11-14 12:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2011-11-14 12:50 . 2011-11-14 12:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-10 14:22 . 2004-08-04 07:56 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2004-08-04 07:56 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 10:41 . 2008-07-29 19:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 10:41 . 2001-08-18 05:36 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 10:41 . 2001-08-18 05:35 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-06 13:20 . 2004-08-04 06:17 1858944 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-11-15_11.45.30 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-11-21 09:24 . 2011-11-21 09:24 16384 c:\windows\temp\Perflib_Perfdata_e0c.dat
    + 2006-04-26 00:43 . 2011-11-21 09:21 72582 c:\windows\system32\perfc009.dat
    - 2006-04-26 00:43 . 2011-11-15 11:30 72582 c:\windows\system32\perfc009.dat
    + 2011-11-15 13:01 . 2010-06-17 15:14 28520 c:\windows\system32\drivers\ssmdrv.sys
    + 2006-04-26 00:43 . 2011-11-21 09:21 444832 c:\windows\system32\perfh009.dat
    - 2006-04-26 00:43 . 2011-11-15 11:30 444832 c:\windows\system32\perfh009.dat
    + 2011-11-21 09:01 . 2011-08-02 08:51 196318 c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
    + 2011-11-18 17:37 . 2011-11-18 17:44 1927404 c:\windows\system32\Restore\rstrlog.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-01 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-07-19 773144]
    "PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-04-07 318488]
    "accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-11-28 298536]
    "SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
    "WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2008-05-23 197904]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-01 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-01 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-01 141848]
    "ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2008-08-01 53248]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-05 421888]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-19 258512]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2009-6-23 197904]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
    2007-11-28 01:41 109568 ----a-w- c:\windows\system32\ackpbsc.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
    2007-11-28 01:40 286720 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\mstsc.exe"=
    .
    R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [26/03/2009 21:13 24064]
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [15/11/2011 13:00 36000]
    R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [28/11/2007 01:42 185896]
    R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [15/11/2011 12:15 86224]
    R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [26/03/2009 22:11 576024]
    R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [26/03/2009 22:07 2054680]
    R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [26/03/2009 21:52 144480]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [26/03/2009 21:10 44800]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/07/2011 12:25 136176]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [01/07/2011 12:25 136176]
    S3 RkHit;RkHit;\??\c:\windows\system32\drivers\RKHit.sys --> c:\windows\system32\drivers\RKHit.sys [?]
    S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [08/04/2008 17:12 1112560]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-06-09 10:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-01 12:25]
    .
    2011-11-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-01 12:25]
    .
    2011-11-21 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-GB\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    TCP: DhcpNameServer = 208.67.222.222 195.97.231.31
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-21 09:28
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
    "ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1163765230-883671085-333756272-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ec,9b,b4,73,38,ae,9a,43,b2,dc,20,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5c,89,f1,0b,81,d3,78,49,99,12,f6,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ec,9b,b4,73,38,ae,9a,43,b2,dc,20,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(692)
    c:\windows\system32\ackpbsc.dll
    c:\windows\system32\aclog.dll
    c:\windows\system32\accrypto.dll
    c:\windows\system32\ACLIBEAY.dll
    c:\windows\system32\acevtsub.dll
    c:\windows\system32\asphat32.dll
    c:\windows\system32\acerrmes.dll
    c:\windows\system32\aspcom.dll
    c:\program files\ActivIdentity\ActivClient\Resources\Localized\acerrmrc.dll
    c:\program files\ActivIdentity\ActivClient\Resources\Localized\asphatrc.dll
    c:\program files\ActivIdentity\ActivClient\acunlock.dll
    c:\windows\system32\aipingui.dll
    c:\windows\system32\aicext.dll
    c:\program files\ActivIdentity\ActivClient\Resources\Localized\aipinguirc.dll
    c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
    c:\program files\ActivIdentity\ActivClient\Resources\Localized\acunlockrc.dll
    .
    - - - - - - - > 'explorer.exe'(1368)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\ActivIdentity\ActivClient\acevents.exe
    c:\windows\System32\SCardSvr.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Intel\AMT\LMS.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\ActivIdentity\ActivClient\acevents.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    .
    **************************************************************************
    .
    Completion time: 2011-11-21 09:29:42 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-11-21 09:29
    ComboFix2.txt 2011-11-18 10:11
    ComboFix3.txt 2011-11-16 09:08
    ComboFix4.txt 2011-11-15 17:50
    ComboFix5.txt 2011-11-21 09:21
    .
    Pre-Run: 231,303,159,808 bytes free
    Post-Run: 231,302,934,528 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 8A1CCF5633622843EAF16F77A928F525

    I am now updating my antivirus and will run the scan etc.

    Thank you so much for all of your help - is there anything else I need to do?

    Thanks
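The fix above worked by rebuilding the Winsock catalog, and a corrupted or hijacked catalog entry is exactly what leaves a machine "on the network" but unable to reach anything. The script below is an added example, not code from this thread or from ComboFix: it enumerates the Winsock2 catalog and flags any provider whose DLL is missing or unsigned, which is the check to run after a repair like this. It assumes the standard registry layout under HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters (each Protocol_Catalog9 entry stores its provider path as a NUL-terminated ANSI string at the start of the PackedCatalogItem binary value; each NameSpace_Catalog5 entry stores it as the LibraryPath string) and a host with PowerShell, so it is written for the Windows versions that followed the XP box in this thread.

```powershell
# Added example (not from the thread): audit the Winsock2 provider catalog.
# Assumed layout: Protocol_Catalog9 entries carry the provider path at the
# start of the PackedCatalogItem blob; NameSpace_Catalog5 entries carry it in
# LibraryPath. Run from an elevated PowerShell prompt.

$WinsockRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'

function Get-WinsockProviderPath {
    param([Microsoft.Win32.RegistryKey]$Entry)

    $packed = $Entry.GetValue('PackedCatalogItem')
    if ($null -ne $packed) {
        # The path is the leading NUL-terminated ANSI string of the blob.
        $bytes = [byte[]]$packed
        $end = [Array]::IndexOf($bytes, [byte]0)
        if ($end -lt 0) { $end = $bytes.Length }
        return [Text.Encoding]::Default.GetString($bytes, 0, $end)
    }
    # Namespace providers (DNS, NLA, ...) store a plain string instead.
    return [string]$Entry.GetValue('LibraryPath')
}

function Resolve-ProviderFile {
    param([string]$RawPath)

    $expanded = [Environment]::ExpandEnvironmentVariables($RawPath)
    if (-not [IO.Path]::IsPathRooted($expanded)) {
        # A bare file name is loaded from System32 by the normal search order.
        $expanded = Join-Path $env:SystemRoot "System32\$expanded"
    }
    return $expanded
}

function Test-WinsockCatalog {
    $report = foreach ($catalog in 'Protocol_Catalog9', 'NameSpace_Catalog5') {
        # 64-bit hosts keep a second set of entries under Catalog_Entries64.
        foreach ($sub in 'Catalog_Entries', 'Catalog_Entries64') {
            $container = Join-Path $WinsockRoot "$catalog\$sub"
            if (-not (Test-Path $container)) { continue }

            foreach ($entry in Get-ChildItem -Path $container) {
                $raw    = Get-WinsockProviderPath -Entry $entry
                $file   = Resolve-ProviderFile -RawPath $raw
                $exists = Test-Path -LiteralPath $file -PathType Leaf

                $sigStatus = 'FileMissing'
                if ($exists) {
                    $sigStatus = (Get-AuthenticodeSignature -FilePath $file).Status
                }

                # Anything that is not an existing, validly signed DLL is flagged.
                # Caveat: on hosts older than Windows 8, catalog-signed system
                # DLLs can report NotSigned here, so 'Review' means inspect the
                # file, not that it is proven malicious.
                $verdict = if (-not $exists) { 'Missing' }
                           elseif ($sigStatus -eq 'Valid') { 'OK' }
                           else { 'Review' }

                [pscustomobject]@{
                    Catalog   = $catalog
                    Entry     = $entry.PSChildName
                    Provider  = $raw
                    Resolved  = $file
                    Exists    = $exists
                    Signature = $sigStatus
                    Verdict   = $verdict
                }
            }
        }
    }
    return $report
}

$results = Test-WinsockCatalog
$results | Sort-Object Verdict, Catalog, Entry | Format-Table -AutoSize

$flagged = @($results | Where-Object { $_.Verdict -ne 'OK' })
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} Winsock catalog entries need a look:" -f $flagged.Count)
    $flagged | ForEach-Object {
        Write-Warning ("  {0}\{1} -> {2} [{3}]" -f $_.Catalog, $_.Entry, $_.Resolved, $_.Verdict)
    }
} else {
    Write-Host 'Winsock catalog: every provider is present and signed.'
}
```

On XP SP2 and later, `netsh winsock reset` rebuilds the catalog without hand-editing the registry as the MS article does; either way, run a check like this afterwards so a leftover third-party provider does not go unnoticed.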
  22. Broni

    Very good news :)

    Delete your ComboFix file, download a fresh one and post a new log.
    We'll run a couple more checks afterwards.

    Also, update MBAM, run "Quick scan" and post a new log.

    Any current issues?
  23. fairway76

    Hi Broni,

    There are no issues at the moment.

    The logs are as follows:-

    ComboFix 11-11-22.01 - Administrator 22/11/2011 9:30.6.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1977.1552 [GMT 0:00]
    Running from: c:\documents and settings\Administrator\Desktop\Virus Removal\ComboFix.exe
    AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\CSC\d6
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_RkHit
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-22 to 2011-11-22 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-21 10:03 . 2011-11-21 10:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2011-11-21 10:02 . 2011-11-21 10:03 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-11-21 10:02 . 2011-11-21 10:02 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-11-18 09:07 . 2011-11-22 09:30 -------- d-----w- c:\windows\system32\CatRoot2
    2011-11-15 13:00 . 2011-10-19 16:56 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-11-15 13:00 . 2011-10-19 16:56 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    2011-11-15 13:00 . 2011-10-19 16:56 134344 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-11-15 13:00 . 2011-11-15 13:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-11-15 12:16 . 2011-11-15 12:51 -------- d-----w- c:\documents and settings\All Users\Application Data\INFECTED
    2011-11-15 12:16 . 2011-11-15 12:16 -------- d-----w- c:\documents and settings\All Users\Application Data\LOGFILES
    2011-11-15 12:16 . 2011-11-15 12:16 -------- d-----w- c:\documents and settings\All Users\Application Data\REPORTS
    2011-11-15 12:16 . 2011-11-15 12:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
    2011-11-15 12:02 . 2011-11-15 12:02 -------- d-----w- c:\program files\Avira
    2011-11-15 11:04 . 2011-11-15 11:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2011-11-15 09:53 . 2011-11-15 09:53 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-11-15 09:53 . 2011-11-15 09:53 -------- d-----w- c:\program files\Trend Micro
    2011-11-15 09:19 . 2011-11-18 17:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-15 09:19 . 2011-08-31 17:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-14 12:50 . 2011-11-14 12:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2011-11-14 12:50 . 2011-11-14 12:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-21 15:33 . 2011-07-01 12:36 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-10 14:22 . 2004-08-04 07:56 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2004-08-04 07:56 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 10:41 . 2008-07-29 19:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 10:41 . 2001-08-18 05:36 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 10:41 . 2001-08-18 05:35 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-06 13:20 . 2004-08-04 06:17 1858944 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-11-15_11.45.30 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-11-22 09:34 . 2011-11-22 09:34 16384 c:\windows\temp\Perflib_Perfdata_ad0.dat
    + 2011-06-11 01:58 . 2011-06-11 01:58 51024 c:\windows\system32\vcomp100.dll
    - 2011-02-19 23:03 . 2011-02-19 23:03 51024 c:\windows\system32\vcomp100.dll
    + 2006-04-26 00:43 . 2011-11-22 09:22 72582 c:\windows\system32\perfc009.dat
    - 2006-04-26 00:43 . 2011-11-15 11:30 72582 c:\windows\system32\perfc009.dat
    - 2011-02-19 23:03 . 2011-02-19 23:03 81744 c:\windows\system32\mfcm100u.dll
    + 2011-06-11 01:58 . 2011-06-11 01:58 81744 c:\windows\system32\mfcm100u.dll
    + 2011-06-11 01:58 . 2011-06-11 01:58 81744 c:\windows\system32\mfcm100.dll
    - 2011-02-19 23:03 . 2011-02-19 23:03 81744 c:\windows\system32\mfcm100.dll
    - 2011-02-19 23:03 . 2011-02-19 23:03 60752 c:\windows\system32\mfc100rus.dll
    + 2011-06-11 01:58 . 2011-06-11 01:58 60752 c:\windows\system32\mfc100rus.dll
    - 2011-02-19 23:03 . 2011-02-19 23:03 43344 c:\windows\system32\mfc100kor.dll
    + 2011-06-11 01:58 . 2011-06-11 01:58 43344 c:\windows\system32\mfc100kor.dll
    + 2011-06-11 01:58 . 2011-06-11 01:58 43856 c:\windows\system32\mfc100jpn.dll
    - 2011-02-19 23:03 . 2011-02-19 23:03 43856 c:\windows\system32\mfc100jpn.dll
    - 2011-02-19 23:03 . 2011-02-19 23:03 62288 c:\windows\system32\mfc100ita.dll
    + 2011-06-11 01:58 . 2011-06-11 01:58 62288 c:\windows\system32\mfc100ita.dll
    + 2011-06-11 01:58 . 2011-06-11 01:58 64336 c:\windows\system32\mfc100fra.dll
    - 2011-02-19 23:03 . 2011-02-19 23:03 64336 c:\windows\system32\mfc100fra.dll
    - 2011-02-19 23:03 . 2011-02-19 23:03 63824 c:\windows\system32\mfc100esn.dll
    + 2011-06-11 01:58 . 2011-06-11 01:58 63824 c:\windows\system32\mfc100esn.dll
    + 2011-06-11 01:58 . 2011-06-11 01:58 55120 c:\windows\system32\mfc100enu.dll
    - 2011-02-19 23:03 . 2011-02-19 23:03 55120 c:\windows\system32\mfc100enu.dll
    + 2011-06-11 01:58 . 2011-06-11 01:58 64336 c:\windows\system32\mfc100deu.dll
    - 2011-02-19 23:03 . 2011-02-19 23:03 64336 c:\windows\system32\mfc100deu.dll
    - 2011-02-19 23:03 . 2011-02-19 23:03 36176 c:\windows\system32\mfc100cht.dll
    + 2011-06-11 01:58 . 2011-06-11 01:58 36176 c:\windows\system32\mfc100cht.dll
    - 2011-02-19 23:03 . 2011-02-19 23:03 36176 c:\windows\system32\mfc100chs.dll
    + 2011-06-11 01:58 . 2011-06-11 01:58 36176 c:\windows\system32\mfc100chs.dll
    - 2011-07-11 11:20 . 2008-04-13 18:45 15104 c:\windows\system32\drivers\usbscan.sys
    + 2011-07-11 11:20 . 2008-04-13 19:45 15104 c:\windows\system32\drivers\usbscan.sys
    + 2011-11-15 13:01 . 2010-06-17 15:14 28520 c:\windows\system32\drivers\ssmdrv.sys
    + 2011-07-11 11:20 . 2008-04-13 19:45 15104 c:\windows\system32\dllcache\usbscan.sys
    - 2011-07-11 11:20 . 2008-04-13 18:45 15104 c:\windows\system32\dllcache\usbscan.sys
    + 2011-11-21 10:11 . 2011-11-21 10:11 19968 c:\windows\Installer\24919.msi
    + 2006-04-26 00:43 . 2011-11-22 09:22 444832 c:\windows\system32\perfh009.dat
    - 2006-04-26 00:43 . 2011-11-15 11:30 444832 c:\windows\system32\perfh009.dat
    + 2011-06-11 01:58 . 2011-06-11 01:58 773968 c:\windows\system32\msvcr100.dll
    - 2011-02-19 00:40 . 2011-02-19 00:40 773968 c:\windows\system32\msvcr100.dll
    - 2011-02-19 23:03 . 2011-02-19 23:03 421200 c:\windows\system32\msvcp100.dll
    + 2011-06-11 01:58 . 2011-06-11 01:58 421200 c:\windows\system32\msvcp100.dll
    + 2011-11-21 15:33 . 2011-11-21 15:33 247968 c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe
    + 2011-11-21 15:33 . 2011-11-21 15:33 335520 c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.dll
    - 2011-02-19 23:03 . 2011-02-19 23:03 138056 c:\windows\system32\atl100.dll
    + 2011-06-11 01:58 . 2011-06-11 01:58 138056 c:\windows\system32\atl100.dll
    + 2011-11-21 09:01 . 2011-08-02 08:51 196318 c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
    + 2011-01-14 07:10 . 2011-01-14 07:10 155520 c:\windows\Installer\$PatchCache$\Managed\00004109500200000000000000F01FEC\14.0.5130\GKWORD6.DLL
    + 2011-01-14 07:10 . 2011-01-14 07:10 140160 c:\windows\Installer\$PatchCache$\Managed\00004109500200000000000000F01FEC\14.0.5130\GKEXCEL2.DLL
    + 2011-07-11 11:15 . 2011-11-21 15:22 174128 c:\windows\hppins11.dat
    + 2011-11-18 17:37 . 2011-11-18 17:44 1927404 c:\windows\system32\Restore\rstrlog.dat
    - 2011-02-19 23:03 . 2011-02-19 23:03 4422992 c:\windows\system32\mfc100u.dll
    + 2011-06-11 01:58 . 2011-06-11 01:58 4422992 c:\windows\system32\mfc100u.dll
    - 2011-02-19 23:03 . 2011-02-19 23:03 4397384 c:\windows\system32\mfc100.dll
    + 2011-06-11 01:58 . 2011-06-11 01:58 4397384 c:\windows\system32\mfc100.dll
    + 2011-06-28 21:27 . 2011-06-28 21:27 4028928 c:\windows\Installer\11e567e.msp
    + 2011-07-21 12:34 . 2011-07-21 12:34 3456000 c:\windows\Installer\11e5667.msp
    + 2011-01-14 07:10 . 2011-01-14 07:10 2395008 c:\windows\Installer\$PatchCache$\Managed\00004109500200000000000000F01FEC\14.0.5130\GKWORD.DLL
    + 2011-01-14 07:10 . 2011-01-14 07:10 2180992 c:\windows\Installer\$PatchCache$\Managed\00004109500200000000000000F01FEC\14.0.5130\GKPOWERPOINT.DLL
    + 2011-01-14 07:10 . 2011-01-14 07:10 3443072 c:\windows\Installer\$PatchCache$\Managed\00004109500200000000000000F01FEC\14.0.5130\GKEXCEL.DLL
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-01 39408]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-11-07 4617600]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-07-19 773144]
    "PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-04-07 318488]
    "accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-11-28 298536]
    "SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
    "WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2008-05-23 197904]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-01 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-01 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-01 141848]
    "ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2008-08-01 53248]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-05 421888]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-19 258512]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2009-6-23 197904]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
    2007-11-28 01:41 109568 ----a-w- c:\windows\system32\ackpbsc.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
    2007-11-28 01:40 286720 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\mstsc.exe"=
    "c:\\Program Files\\HP\\HP Color LaserJet CM1312 MFP Series\\hppfaxnc2.exe"=
    .
    R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [26/03/2009 21:13 24064]
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [15/11/2011 13:00 36000]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 16:27 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 21:55 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [11/08/2011 23:38 116608]
    R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [28/11/2007 01:42 185896]
    R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [15/11/2011 12:15 86224]
    R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [26/03/2009 22:11 576024]
    R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [26/03/2009 22:07 2054680]
    R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [26/03/2009 21:52 144480]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [26/03/2009 21:10 44800]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/07/2011 12:25 136176]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [01/07/2011 12:25 136176]
    S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [08/04/2008 17:12 1112560]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-06-09 10:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-01 12:25]
    .
    2011-11-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-01 12:25]
    .
    2011-11-22 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-GB\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    TCP: DhcpNameServer = 208.67.222.222 195.97.231.31
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-22 09:37
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
    "ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1163765230-883671085-333756272-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ec,9b,b4,73,38,ae,9a,43,b2,dc,20,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5c,89,f1,0b,81,d3,78,49,99,12,f6,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ec,9b,b4,73,38,ae,9a,43,b2,dc,20,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(688)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\ackpbsc.dll
    c:\windows\system32\aclog.dll
    c:\windows\system32\accrypto.dll
    c:\windows\system32\ACLIBEAY.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\MFC80.DLL
    c:\windows\system32\acevtsub.dll
    c:\windows\system32\asphat32.dll
    c:\windows\system32\acerrmes.dll
    c:\windows\system32\aspcom.dll
    c:\program files\ActivIdentity\ActivClient\Resources\Localized\acerrmrc.dll
    c:\program files\ActivIdentity\ActivClient\Resources\Localized\asphatrc.dll
    c:\program files\ActivIdentity\ActivClient\acunlock.dll
    c:\windows\system32\aipingui.dll
    c:\windows\system32\aicext.dll
    c:\program files\ActivIdentity\ActivClient\Resources\Localized\aipinguirc.dll
    c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
    c:\program files\ActivIdentity\ActivClient\Resources\Localized\acunlockrc.dll
    .
    - - - - - - - > 'explorer.exe'(3628)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\ActivIdentity\ActivClient\acevents.exe
    c:\windows\System32\SCardSvr.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Intel\AMT\LMS.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\ActivIdentity\ActivClient\acevents.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    .
    **************************************************************************
    .
    Completion time: 2011-11-22 09:38:33 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-11-22 09:38
    ComboFix2.txt 2011-11-21 09:29
    ComboFix3.txt 2011-11-18 10:11
    ComboFix4.txt 2011-11-16 09:08
    ComboFix5.txt 2011-11-22 09:30
    .
    Pre-Run: 230,961,688,576 bytes free
    Post-Run: 231,034,253,312 bytes free
    .
    - - End Of File - - 8CD4EE990F79B23053DD1FFCA0FFE51A

    --------------------------------------------------------------------------------------------------------

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8213

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    22/11/2011 09:44:48
    mbam-log-2011-11-22 (09-44-48).txt

    Scan type: Quick scan
    Objects scanned: 160578
    Time elapsed: 3 minute(s), 46 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Once again, thanks for all of your help, Broni; it really is appreciated.
  24. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    You're very welcome and good news.

    Combofix log looks clean as well :)

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  25. fairway76

    fairway76 TS Rookie Topic Starter Posts: 17

    Hi Broni,

    I have run OTL and the logs are as follows:-

    otl.txt:-

    OTL logfile created on: 23/11/2011 09:16:12 - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Administrator\Desktop\Virus Removal
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    1.93 Gb Total Physical Memory | 1.19 Gb Available Physical Memory | 61.61% Memory free
    3.78 Gb Paging File | 3.06 Gb Available in Paging File | 81.03% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 232.88 Gb Total Space | 215.27 Gb Free Space | 92.44% Space Free | Partition Type: NTFS

    Computer Name: NRCOMP | User Name: Administrator | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/11/23 09:14:50 | 000,526,512 | ---- | M] (Google Inc.) -- C:\Documents and Settings\All Users\Application Data\Google\Google Toolbar\Update\GoogleToolbarInstaller_updater_signed.exe
    PRC - [2011/11/23 09:14:43 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\Virus Removal\OTL.exe
    PRC - [2011/11/07 18:04:36 | 004,617,600 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    PRC - [2011/10/19 16:56:50 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    PRC - [2011/10/19 16:56:36 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
    PRC - [2011/10/19 16:56:24 | 000,258,512 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    PRC - [2011/10/19 16:56:24 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    PRC - [2011/08/11 23:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCore.exe
    PRC - [2008/08/01 08:47:20 | 000,053,248 | ---- | M] (HP) -- C:\Program Files\HP\ToolboxFX\bin\HPTLBXFX.exe
    PRC - [2008/07/19 10:40:58 | 002,054,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
    PRC - [2008/07/19 10:40:54 | 000,773,144 | ---- | M] (Intel Corporation) -- C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
    PRC - [2008/07/19 10:40:52 | 000,174,616 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\LMS.exe
    PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2008/04/07 15:10:52 | 000,576,024 | ---- | M] (PDF Complete Inc) -- C:\Program Files\PDF Complete\pdfsvc.exe
    PRC - [2007/11/28 01:42:14 | 000,185,896 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\accoca.exe
    PRC - [2007/11/28 01:42:12 | 000,093,736 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\acevents.exe
    PRC - [2007/11/28 01:40:42 | 000,298,536 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
    PRC - [2007/01/04 18:48:52 | 000,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe


    ========== Modules (No Company Name) ==========

    MOD - [2011/11/23 09:13:27 | 000,063,488 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    MOD - [2011/11/23 09:13:27 | 000,052,736 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10007.dll
    MOD - [2011/11/21 10:03:27 | 000,117,760 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    MOD - [2011/11/21 10:03:27 | 000,052,224 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    MOD - [2011/10/19 16:56:38 | 000,398,288 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
    MOD - [2011/10/14 10:13:56 | 000,998,400 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management\90b90e700e59d73d6d692cf74e1ba16e\System.Management.ni.dll
    MOD - [2011/10/14 09:37:29 | 000,771,584 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\36bf3d5f05a40c9e3cadca5789c8a469\System.Runtime.Remoting.ni.dll
    MOD - [2011/10/14 09:37:02 | 000,311,296 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\81096bfe85eb0da5f05e8a127ffa43b2\System.Runtime.Serialization.Formatters.Soap.ni.dll
    MOD - [2011/10/14 09:37:01 | 012,430,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\71a2ae9ad561a62181cbd9fb11e9de7a\System.Windows.Forms.ni.dll
    MOD - [2011/10/14 09:36:54 | 001,587,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\c10bea3c4bb7ef654651141bf9419090\System.Drawing.ni.dll
    MOD - [2011/10/14 09:36:52 | 001,801,216 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Deployment\cc5ac99e8af2738e85cda5525fdd944f\System.Deployment.ni.dll
    MOD - [2011/10/14 09:36:32 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\70cacc44f0b4257f6037eda7a59a0aeb\System.Xml.ni.dll
    MOD - [2011/10/14 09:36:28 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\bce0720436dc6cb76006377f295ea365\System.Configuration.ni.dll
    MOD - [2011/10/14 09:36:26 | 007,950,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\af39f6e644af02873b9bae319f2bfb13\System.ni.dll
    MOD - [2011/10/14 09:36:18 | 011,490,816 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll
    MOD - [2008/08/01 08:47:02 | 000,102,400 | ---- | M] () -- C:\Program Files\HP\ToolboxFX\bin\HPFaxUtilities.dll
    MOD - [2008/08/01 08:47:00 | 000,552,960 | ---- | M] () -- C:\Program Files\HP\ToolboxFX\bin\Alerts.dll
    MOD - [2008/08/01 08:46:36 | 000,593,920 | ---- | M] () -- C:\Program Files\HP\ToolboxFX\bin\HPAppTools.dll
    MOD - [2008/08/01 08:46:30 | 000,126,976 | ---- | M] () -- C:\Program Files\HP\ToolboxFX\bin\HPToolkit.dll
    MOD - [2008/08/01 08:46:30 | 000,069,632 | ---- | M] () -- C:\Program Files\HP\ToolboxFX\bin\AppConstants.dll
    MOD - [2008/08/01 08:46:30 | 000,040,960 | ---- | M] () -- C:\Program Files\HP\ToolboxFX\bin\Enumeration.dll
    MOD - [2008/08/01 08:46:28 | 000,016,384 | ---- | M] () -- C:\Program Files\HP\ToolboxFX\bin\HPStreamsInterface.dll
    MOD - [2008/08/01 08:46:26 | 000,069,632 | ---- | M] () -- C:\Program Files\HP\ToolboxFX\bin\HPTools.dll
    MOD - [2008/07/31 13:37:06 | 000,086,016 | ---- | M] () -- C:\Program Files\HP\ToolboxFX\bin\NativeUtils.dll
    MOD - [2007/11/28 01:41:06 | 000,114,688 | ---- | M] () -- C:\WINDOWS\system32\aicext.dll
    MOD - [2007/08/14 13:59:54 | 006,365,184 | ---- | M] () -- C:\Program Files\Common Files\LightScribe\QtGui4.dll
    MOD - [2007/07/12 13:55:52 | 000,131,072 | ---- | M] () -- C:\Program Files\Common Files\LightScribe\plugins\imageformats\qjpeg4.dll
    MOD - [2007/07/12 13:55:28 | 001,581,056 | ---- | M] () -- C:\Program Files\Common Files\LightScribe\QtCore4.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- -- (HidServ)
    SRV - [2011/10/19 16:56:36 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
    SRV - [2011/10/19 16:56:24 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
    SRV - [2011/08/11 23:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
    SRV - [2008/07/19 10:40:58 | 002,054,680 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe -- (UNS) Intel(R)
    SRV - [2008/07/19 10:40:52 | 000,174,616 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\AMT\LMS.exe -- (LMS) Intel(R)
    SRV - [2008/04/08 17:12:50 | 001,112,560 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe -- (RoxMediaDB10)
    SRV - [2008/04/07 15:10:52 | 000,576,024 | ---- | M] (PDF Complete Inc) [Auto | Running] -- C:\Program Files\PDF Complete\pdfsvc.exe -- (pdfcDispatcher)
    SRV - [2007/11/28 01:42:14 | 000,185,896 | ---- | M] (ActivIdentity) [Auto | Running] -- C:\Program Files\ActivIdentity\ActivClient\accoca.exe -- (accoca)
    SRV - [2007/01/04 18:48:52 | 000,112,152 | R--- | M] (InterVideo) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)


    ========== Driver Services (SafeList) ==========

    DRV - [2011/10/19 16:56:50 | 000,134,344 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
    DRV - [2011/10/19 16:56:50 | 000,074,640 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
    DRV - [2011/10/19 16:56:50 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avkmgr.sys -- (avkmgr)
    DRV - [2011/07/22 16:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
    DRV - [2011/07/12 21:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
    DRV - [2010/06/17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
    DRV - [2008/07/19 10:40:46 | 000,040,832 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel(R)
    DRV - [2008/06/05 11:58:18 | 000,144,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1k5132.sys -- (e1kexpress) Intel(R)
    DRV - [2008/05/24 00:54:38 | 000,030,816 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)
    DRV - [2008/03/28 10:14:02 | 000,024,064 | ---- | M] (Sonic Focus, Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sfaudio.sys -- (SFAUDIO)
    DRV - [2007/12/18 09:46:34 | 000,044,800 | ---- | M] (Infineon Technologies AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ifxtpm.sys -- (IFXTPM)
    DRV - [2004/08/04 00:29:50 | 000,019,455 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wVchNTxx.sys -- (iAimFP4)
    DRV - [2004/08/04 00:29:48 | 000,012,063 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wSiINTxx.sys -- (iAimFP3)
    DRV - [2004/08/04 00:29:46 | 000,025,471 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV10nt.sys -- (iAimTV5)
    DRV - [2004/08/04 00:29:46 | 000,023,615 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wCh7xxNT.sys -- (iAimTV4)
    DRV - [2004/08/04 00:29:46 | 000,022,271 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV06nt.sys -- (iAimTV6)
    DRV - [2004/08/04 00:29:44 | 000,033,599 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV04nt.sys -- (iAimTV3)
    DRV - [2004/08/04 00:29:44 | 000,019,551 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV02NT.sys -- (iAimTV1)
    DRV - [2004/08/04 00:29:42 | 000,029,311 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV01nt.sys -- (iAimTV0)
    DRV - [2004/08/04 00:29:42 | 000,011,871 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV09NT.sys -- (iAimFP7)
    DRV - [2004/08/04 00:29:40 | 000,011,807 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV07nt.sys -- (iAimFP5)
    DRV - [2004/08/04 00:29:40 | 000,011,295 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV08NT.sys -- (iAimFP6)
    DRV - [2004/08/04 00:29:38 | 000,161,020 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\i81xnt5.sys -- (i81x)
    DRV - [2004/08/04 00:29:38 | 000,012,415 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV01nt.sys -- (iAimFP0)
    DRV - [2004/08/04 00:29:38 | 000,012,127 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV02NT.sys -- (iAimFP1)
    DRV - [2004/08/04 00:29:38 | 000,011,775 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV05NT.sys -- (iAimFP2)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com

    IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com

    IE - HKU\S-1-5-21-1163765230-883671085-333756272-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    IE - HKU\S-1-5-21-1163765230-883671085-333756272-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========


    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)


    [2011/07/07 13:21:56 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
    [2011/07/07 13:22:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nmbn4uc1.default\extensions
    [2011/07/07 13:22:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nmbn4uc1.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2011/07/07 13:22:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nmbn4uc1.default\extensions\staged-xpis

    O1 HOSTS File: ([2011/11/22 09:35:43 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (AOL Toolbar BHO) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll (Google Inc.)
    O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)
    O3 - HKU\S-1-5-21-1163765230-883671085-333756272-500\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)
    O4 - HKLM..\Run: [accrdsub] C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe (ActivIdentity)
    O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
    O4 - HKLM..\Run: [PDF Complete] C:\Program Files\PDF Complete\pdfsty.exe (PDF Complete Inc)
    O4 - HKLM..\Run: [picon] C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe (Intel Corporation)
    O4 - HKLM..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe (Hewlett-Packard Company)
    O4 - HKLM..\Run: [ToolBoxFX] C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe (HP)
    O4 - HKLM..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe (InterVideo Inc.)
    O4 - HKU\S-1-5-21-1163765230-883671085-333756272-500..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe (InterVideo Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-1163765230-883671085-333756272-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1163765230-883671085-333756272-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-1163765230-883671085-333756272-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-1163765230-883671085-333756272-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-GB\local\search.html ()
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html File not found
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Plugin Control)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1260466450515 (WUWebControl Class)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1271949628296 (MUWebControl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.67.222.222 195.97.231.31
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3375EADC-D658-4213-A3A1-15C68035A72B}: DhcpNameServer = 208.67.222.222 195.97.231.31
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8435D69D-C618-4C62-8C0C-6BD45B3DF1F6}: DhcpNameServer = 192.168.10.254
    O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
    O20 - Winlogon\Notify\ackpbsc: DllName - (C:\WINDOWS\system32\ackpbsc.dll) - C:\WINDOWS\system32\ackpbsc.dll (ActivIdentity)
    O20 - Winlogon\Notify\acunlock: DllName - (C:\Program Files\ActivIdentity\ActivClient\acunlock.dll) - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll (ActivIdentity)
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\hp1_1024x768.bmp
    O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
    O32 - HKLM CDRom: AutoRun - 1
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: HidServ - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/11/22 09:38:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
    [2011/11/22 09:30:12 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2011/11/21 10:13:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Virus Removal
    [2011/11/21 10:03:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
    [2011/11/21 10:02:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
    [2011/11/21 10:02:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    [2011/11/21 10:02:35 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
    [2011/11/21 09:23:30 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2011/11/18 09:07:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot2
    [2011/11/15 13:01:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Avira
    [2011/11/15 13:01:01 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
    [2011/11/15 13:00:57 | 000,134,344 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
    [2011/11/15 13:00:57 | 000,074,640 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
    [2011/11/15 13:00:57 | 000,036,000 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avkmgr.sys
    [2011/11/15 13:00:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
    [2011/11/15 12:16:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\REPORTS
    [2011/11/15 12:16:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\LOGFILES
    [2011/11/15 12:16:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\INFECTED
    [2011/11/15 12:16:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Avira
    [2011/11/15 12:02:59 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
    [2011/11/15 11:40:15 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2011/11/15 11:40:15 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2011/11/15 11:40:15 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2011/11/15 11:40:15 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2011/11/15 11:40:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2011/11/15 11:40:07 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/11/15 11:18:06 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Administrative Tools
    [2011/11/15 11:04:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
    [2011/11/15 09:53:53 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
    [2011/11/15 09:53:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\HiJackThis
    [2011/11/15 09:19:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/11/15 09:19:03 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2011/11/15 09:19:03 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/11/14 12:50:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    [2011/11/14 12:50:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2011/11/14 12:04:54 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
    [4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/11/23 09:15:44 | 000,444,832 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/11/23 09:15:44 | 000,072,582 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2011/11/23 09:13:18 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/11/23 09:11:42 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
    [2011/11/23 09:11:39 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2011/11/23 09:11:21 | 2073,288,704 | -HS- | M] () -- C:\hiberfil.sys
    [2011/11/23 09:11:21 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/11/22 16:53:02 | 000,001,772 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Default.rdp
    [2011/11/22 16:46:00 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2011/11/22 09:39:46 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/11/22 09:35:43 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2011/11/21 15:22:49 | 000,000,177 | ---- | M] () -- C:\WINDOWS\System32\AddPort.ini
    [2011/11/21 15:22:47 | 000,000,717 | ---- | M] () -- C:\WINDOWS\hpntwksetup.ini
    [2011/11/21 15:22:03 | 000,174,128 | ---- | M] () -- C:\WINDOWS\hppins11.dat
    [2011/11/21 09:23:34 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2011/11/15 15:35:53 | 000,000,802 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
    [2011/11/15 13:01:12 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira Control Center.lnk
    [2011/11/15 11:09:05 | 000,000,032 | ---- | M] () -- C:\WINDOWS\System32\MAPISVC.INF
    [2011/11/14 14:49:43 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003.lnk
    [2011/11/14 09:28:26 | 000,000,804 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
    [2011/11/14 09:19:47 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2011/11/10 09:25:05 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
    [4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011/11/22 09:39:46 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/11/21 15:22:01 | 000,183,183 | ---- | C] () -- C:\WINDOWS\hppins11.dat.temp
    [2011/11/21 15:22:01 | 000,006,091 | ---- | C] () -- C:\WINDOWS\hppmdl11.dat.temp
    [2011/11/21 09:23:34 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2011/11/21 09:23:32 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2011/11/15 15:35:53 | 000,000,802 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
    [2011/11/15 15:28:34 | 2073,288,704 | -HS- | C] () -- C:\hiberfil.sys
    [2011/11/15 13:01:12 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira Control Center.lnk
    [2011/11/15 11:40:15 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2011/11/15 11:40:15 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2011/11/15 11:40:15 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2011/11/15 11:40:15 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2011/11/15 11:40:15 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2011/11/14 09:28:26 | 000,000,804 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
    [2011/07/11 11:23:08 | 000,000,608 | -HS- | C] () -- C:\WINDOWS\System32\winzvprt5.sys
    [2011/07/11 11:19:36 | 000,000,665 | R--- | C] () -- C:\WINDOWS\System32\hppapr11.dat
    [2011/07/11 11:19:25 | 000,000,177 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini
    [2011/07/11 11:19:07 | 000,000,717 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
    [2011/07/11 11:15:01 | 000,174,128 | ---- | C] () -- C:\WINDOWS\hppins11.dat
    [2011/07/11 11:15:01 | 000,006,091 | ---- | C] () -- C:\WINDOWS\hppmdl11.dat
    [2011/07/07 13:21:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
    [2010/03/02 13:05:36 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
    [2009/08/03 14:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
    [2009/06/23 09:07:03 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
    [2009/06/23 09:07:03 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
    [2009/06/23 09:07:03 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
    [2009/06/23 09:07:03 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
    [2009/06/23 09:07:03 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
    [2009/06/23 09:07:02 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
    [2009/03/26 22:18:11 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2009/03/26 21:52:37 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4964.dll
    [2009/03/26 21:52:36 | 001,991,464 | ---- | C] () -- C:\WINDOWS\System32\igkrng500.bin
    [2009/03/26 21:52:36 | 000,432,400 | ---- | C] () -- C:\WINDOWS\System32\igcompkrng500.bin
    [2009/03/26 21:19:58 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2009/03/26 21:19:54 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2009/03/26 21:19:54 | 000,004,605 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2009/03/26 21:19:53 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2009/03/26 21:19:36 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
    [2009/03/26 21:07:23 | 000,000,836 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
    [2007/11/28 01:41:06 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\aicext.dll
    [2007/03/16 16:00:00 | 000,003,403 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
    [2006/05/16 13:54:13 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2006/04/26 00:43:56 | 000,444,832 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2006/04/26 00:43:56 | 000,072,582 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2006/04/26 00:39:48 | 000,298,848 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2006/04/26 00:31:56 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2006/04/26 00:27:14 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2005/04/03 22:30:00 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\scardsyn.dll
    [2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
    [2001/08/17 20:30:26 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2001/08/17 20:30:26 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2001/08/17 20:15:40 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2001/07/21 21:36:50 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2001/07/21 21:36:06 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [1998/05/07 03:10:00 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\ODMA32.dll

    ========== LOP Check ==========

    [2009/06/23 09:40:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\InterVideo
    [2011/11/15 11:04:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
    [2011/11/15 12:51:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\INFECTED
    [2011/11/15 12:16:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LOGFILES
    [2011/11/15 12:16:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\REPORTS
    [2009/03/26 15:41:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
    [2011/11/23 09:11:42 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2009/03/26 15:25:49 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2011/11/21 09:23:34 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2011/11/22 09:38:33 | 000,019,663 | ---- | M] () -- C:\ComboFix.txt
    [2011/11/23 09:11:21 | 2073,288,704 | -HS- | M] () -- C:\hiberfil.sys
    [2006/02/28 02:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2009/06/23 09:13:02 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2011/11/23 09:11:20 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
    [2011/11/18 16:17:38 | 000,000,359 | ---- | M] () -- C:\rkill.log
    [2011/11/15 15:28:33 | 000,000,249 | ---- | M] () -- C:\rmzbot.log
    [2009/06/23 09:07:30 | 000,000,163 | ---- | M] () -- C:\Setup.log
    [2011/11/14 12:49:51 | 000,042,574 | ---- | M] () -- C:\TDSSKiller.2.5.3.0_14.11.2011_12.49.30_log.txt
    [2011/11/14 13:24:37 | 000,042,344 | ---- | M] () -- C:\TDSSKiller.2.5.3.0_14.11.2011_13.24.18_log.txt
    [2011/11/15 10:42:55 | 000,042,554 | ---- | M] () -- C:\TDSSKiller.2.5.3.0_15.11.2011_10.42.37_log.txt
    [2011/11/15 14:34:20 | 000,041,828 | ---- | M] () -- C:\TDSSKiller.2.5.3.0_15.11.2011_14.34.01_log.txt
    [2011/11/15 10:52:15 | 000,104,726 | ---- | M] () -- C:\TDSSKiller.2.6.18.0_15.11.2011_10.51.06_log.txt
    [2011/11/15 14:34:30 | 000,001,850 | ---- | M] () -- C:\TDSSKiller.2.6.18.0_15.11.2011_14.34.27_log.txt
    [2011/11/15 14:34:55 | 000,051,110 | ---- | M] () -- C:\TDSSKiller.2.6.18.0_15.11.2011_14.34.41_log.txt

    < %systemroot%\Fonts\*.com >
    [2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2006/04/25 17:31:26 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2006/10/15 00:43:18 | 000,027,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2008/01/16 17:45:58 | 000,241,664 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp5k4.DLL
    [2007/04/09 12:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
    [2008/07/06 10:50:04 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >
    [2006/11/15 11:00:58 | 000,473,403 | ---- | M] () -- C:\WINDOWS\hp2_1024x768.jpg
    [2006/11/15 10:45:40 | 000,366,564 | ---- | M] () -- C:\WINDOWS\hp3_1024x768.jpg
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2006/04/25 17:17:52 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
    [2006/04/25 17:17:52 | 000,659,456 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
    [2006/04/25 17:17:50 | 000,864,256 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2009/06/23 09:16:34 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2009/03/26 15:28:18 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2006/04/25 22:41:10 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >
    [2010/12/08 10:06:36 | 002,488,144 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\SearchElf_1.2.exe

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2009/03/26 15:28:18 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Administrator\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2011/11/23 09:16:18 | 000,573,440 | ---- | M] () -- C:\Documents and Settings\Administrator\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2008/04/14 00:12:38 | 000,208,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >
    [2008/07/25 15:33:02 | 000,679,936 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\Installer\HPPTSuiteInstallEngine.exe

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/14 00:11:51 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2004/08/04 08:06:34 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2004/08/04 10:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2008/05/02 14:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/13 17:30:28 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/14 00:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2004/08/04 10:06:36 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2004/08/04 10:06:36 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2004/08/04 08:06:36 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2004/08/04 10:06:36 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004/08/04 10:06:36 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < End of report >

    Extras.txt to follow on next post
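As an added example (not part of the original post, and not OTL's own code): a small Python triage script that reads the O17 (DNS), O20 (Winlogon Shell/UserInit) and O35/O37 (exe/com open command) lines from an OTL log like the one above and reports resolvers outside RFC 1918 space, extra Winlogon entries, and non-default open commands. The sample input is copied from the log; the resolver policy, the known-public-resolver table, and the second "constructed bad" input (the 203.0.113.53 resolver and the evil.exe paths) are assumptions made up for the demonstration. 208.67.222.222 is OpenDNS; nothing is asserted about 195.97.231.31 except that it is not a private address and so is worth confirming with the ISP or network admin.

```python
"""Triage a few OTL line types (O17, O20, O35/O37) for signs of DNS or
logon hijacking.  Added example; not from the original post nor from OTL."""
import ipaddress
import re

# Sample input: lines copied from the OTL log above.
SAMPLE_OTL = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.67.222.222 195.97.231.31
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3375EADC-D658-4213-A3A1-15C68035A72B}: DhcpNameServer = 208.67.222.222 195.97.231.31
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8435D69D-C618-4C62-8C0C-6BD45B3DF1F6}: DhcpNameServer = 192.168.10.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
"""

# Constructed, deliberately bad lines (NOT from the log) so the checks can be
# seen to fire.  203.0.113.53 is a documentation address; evil.exe is a
# hypothetical placeholder name.
CONSTRUCTED_BAD_OTL = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 203.0.113.53
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\evil.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O35 - HKLM\..exefile [open] -- "C:\WINDOWS\system32\evil.exe" "%1" %*
"""

# Policy assumptions for this example: RFC 1918 resolvers are normal on a LAN,
# a known public resolver is reported at "info", anything else at "review".
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_PUBLIC_RESOLVERS = {"208.67.222.222": "OpenDNS", "208.67.220.220": "OpenDNS",
                          "8.8.8.8": "Google", "8.8.4.4": "Google"}
# Default XP Winlogon values (compared case-insensitively; assumed C:\WINDOWS).
EXPECTED_WINLOGON = {"Shell": {"explorer.exe"},
                     "UserInit": {r"c:\windows\system32\userinit.exe"}}
EXPECTED_OPEN_CMD = '"%1" %*'

O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<value>\w*NameServer) = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - HKLM Winlogon: (?P<value>Shell|UserInit) - \((?P<data>[^)]*)\)")
OPEN_RE = re.compile(r"^O3[57] - HKLM\\\.+(?P<cls>[A-Za-z]+) \[[^\]]*\] -- (?P<cmd>.+)$")


def check_resolvers(servers):
    """Classify each space-separated resolver address; returns (severity, msg)."""
    out = []
    for s in servers.split():
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            out.append(("review", f"unparseable resolver {s!r}"))
            continue
        if any(ip in net for net in LAN_NETS):
            continue  # private resolver: expected on a LAN
        if s in KNOWN_PUBLIC_RESOLVERS:
            out.append(("info", f"public resolver {s} ({KNOWN_PUBLIC_RESOLVERS[s]})"))
        else:
            out.append(("review", f"unrecognised resolver {s}; confirm with ISP/admin"))
    return out


def triage(otl_text):
    """Return a list of (severity, line_type, message) for suspicious lines."""
    findings = []
    for raw in otl_text.splitlines():
        line = raw.strip()
        if m := O17_RE.match(line):
            for sev, msg in check_resolvers(m["servers"]):
                findings.append((sev, "O17", f"{m['value']} on {m['key']}: {msg}"))
        elif m := O20_RE.match(line):
            # Hijacks usually append a comma-separated extra executable.
            entries = {e.strip().lower() for e in m["data"].split(",") if e.strip()}
            extra = entries - EXPECTED_WINLOGON[m["value"]]
            if extra:
                findings.append(("alert", "O20",
                                 f"Winlogon {m['value']} has unexpected entries: {sorted(extra)}"))
        elif m := OPEN_RE.match(line):
            # Anything other than "%1" %* means every .exe/.com launch is wrapped.
            if m["cmd"].strip() != EXPECTED_OPEN_CMD:
                findings.append(("alert", line[:3],
                                 f"{m['cls']} open command is {m['cmd']!r}"))
    return findings


if __name__ == "__main__":
    for label, text in (("log above", SAMPLE_OTL), ("constructed bad input", CONSTRUCTED_BAD_OTL)):
        print(f"== {label} ==")
        for sev, kind, msg in triage(text):
            print(f"[{sev:6}] {kind}: {msg}")
```

Run against the log above it reports only the two O17 entries (OpenDNS at info, 195.97.231.31 at review) and nothing for Winlogon or the open commands, which matches what the log shows: the shell and file-association hooks are at their defaults, so the DNS settings are the remaining place a redirect could still be coming from. The is_private property of ipaddress is deliberately not used, because it also covers documentation and other special-purpose ranges rather than only RFC 1918 space.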

