Windows XP virus/trojan - found by AVG resident shield but not able to remove

Solved
By chrizba
Jan 27, 2012
  1. Hello,

    I have some sort of trojan/virus that makes my computer behave erratically (sometimes Google redirects, sometimes it opens multiple windows of some type or other, sometimes it makes the AVG resident shield pop up claiming to have found a trojan in windows\temp with different filenames that have always disappeared by the time it gets to cleaning them). I have run various scans etc., and occasionally these find something, but often they do not, though I know the problem has not gone away.

    Also, my system restore was completely corrupted so I couldn't restore to any point prior to when these beasties may have appeared.

    I have followed the 5-step instructions and will include the relevant logs in subsequent posts.

    Would be extremely grateful for any help, as I have my PhD viva next week and need my computer to behave itself between now and then!

    Many thanks

    Chris
  2. chrizba

    chrizba Newcomer, in training Topic Starter Posts: 18

    MBAM log

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.27.02

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 6.0.2900.5512
    Chris :: CHRIZZA [administrator]

    27/01/2012 12:31:08
    mbam-log-2012-01-27 (12-31-08).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 189430
    Time elapsed: 8 minute(s), 14 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  3. chrizba


    gmer.log

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-01-27 12:41:34
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800BEVT-22ZCT0 rev.11.01A11
    Running: y77rt8kv.exe; Driver: C:\DOCUME~1\Chris\LOCALS~1\Temp\ufldqpob.sys


    ---- System - GMER 1.0.15 ----

    Code mfehidk.sys ZwCreateKey [0xF732D320]
    Code mfehidk.sys ZwMapViewOfSection [0xF732D3B0]
    Code mfehidk.sys ZwOpenKey [0xF732D30C]
    Code mfehidk.sys ZwOpenProcess [0xF732D2E4]
    Code mfehidk.sys ZwOpenThread [0xF732D2F8]
    Code mfehidk.sys ZwRenameKey [0xF732D348]
    Code mfehidk.sys ZwSetSecurityObject [0xF732D386]
    Code mfehidk.sys ZwUnmapViewOfSection [0xF732D3C6]
    Code mfehidk.sys ZwYieldExecution [0xF732D39A]
    Code mfehidk.sys NtMapViewOfSection
    Code mfehidk.sys NtOpenProcess
    Code mfehidk.sys NtOpenThread
    Code mfehidk.sys NtSetSecurityObject

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys
    AttachedDevice \Driver\Tcpip \Device\Ip WRkrn.sys (Webroot SecureAnywhere/Webroot)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp WRkrn.sys (Webroot SecureAnywhere/Webroot)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys
    AttachedDevice \Driver\Tcpip \Device\Udp WRkrn.sys (Webroot SecureAnywhere/Webroot)
    AttachedDevice \Driver\Tcpip \Device\RawIp WRkrn.sys (Webroot SecureAnywhere/Webroot)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 WRkrn.sys (Webroot SecureAnywhere/Webroot)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 WRkrn.sys (Webroot SecureAnywhere/Webroot)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    ---- Processes - GMER 1.0.15 ----

    Process C:\WINDOWS\system32\ping.exe (*** hidden *** ) 3216

    ---- EOF - GMER 1.0.15 ----
  4. chrizba


    DDS.txt

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_24
    Run by Chris at 12:42:49 on 2012-01-27
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.623 [GMT 0:00]
    .
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\System Control Manager\MSIService.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\AVG\AVG2012\avgtray.exe
    C:\Program Files\System Control Manager\MGSysCtrl.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.bbc.co.uk/
    mDefault_Page_URL = hxxp://www.msi.com.tw
    uInternet Connection Wizard,ShellNext = hxxp://www.msi.com.tw/
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
    mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    mPolicies-explorer: HonorAutoRunSetting = 0 (0x0)
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    LSP: mswsock.dll
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: acaptuser32.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\chris\application data\mozilla\firefox\profiles\rig7qma3.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/|https://login.live.com/login.srf?wa...0&lc=2057&id=64855&mkt=en-gb&cbcxt=mai&snsc=1
    FF - prefs.js: network.proxy.ftp - localhost
    FF - prefs.js: network.proxy.ftp_port - 3128
    FF - prefs.js: network.proxy.gopher - localhost
    FF - prefs.js: network.proxy.gopher_port - 3128
    FF - prefs.js: network.proxy.http - localhost
    FF - prefs.js: network.proxy.http_port - 3128
    FF - prefs.js: network.proxy.socks - localhost
    FF - prefs.js: network.proxy.socks_port - 3128
    FF - prefs.js: network.proxy.ssl - localhost
    FF - prefs.js: network.proxy.ssl_port - 3128
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla\firefox\plugins\npbittorrent.dll
    FF - plugin: c:\program files\mozilla\firefox\plugins\npdeployJava1.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 23120]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys --> c:\windows\system32\drivers\mfehidk.sys [?]
    R0 WRkrn;WRkrn;c:\windows\system32\drivers\WRkrn.sys [2012-1-26 109072]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 230608]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 40016]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys --> c:\windows\system32\drivers\mfetdi2k.sys [?]
    R1 SASDIFSV;SASDIFSV;c:\docume~1\chris\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2011-7-22 12880]
    R1 SASKUTIL;SASKUTIL;c:\docume~1\chris\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2011-7-12 67664]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
    R2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2008-6-11 159744]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys --> c:\windows\system32\drivers\mfeavfk.sys [?]
    R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2008-6-11 156160]
    S2 McShield;McAfee McShield;"c:\program files\common files\mcafee\systemcore\\mcshield.exe" --> c:\program files\common files\mcafee\systemcore\\mcshield.exe [?]
    S2 McTaskManager;McAfee Task Manager;"c:\program files\mcafee\virusscan enterprise\vstskmgr.exe" --> c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [?]
    S2 mfevtp;McAfee Validation Trust Protection Service;"c:\windows\system32\mfevtps.exe" --> c:\windows\system32\mfevtps.exe [?]
    S3 L6TPortB;Service - Line 6 TonePort UX2;c:\windows\system32\drivers\l6tportb.sys --> c:\windows\system32\drivers\L6TPortB.sys [?]
    S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys --> c:\windows\system32\drivers\mfebopk.sys [?]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys --> c:\windows\system32\drivers\mferkdet.sys [?]
    .
    =============== Created Last 30 ================
    .
    2012-01-27 11:56:39 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
    2012-01-27 11:56:22 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
    2012-01-27 11:00:59 -------- d-----w- c:\documents and settings\chris\application data\McAfee
    2012-01-27 10:59:58 74848 ----a-w- c:\windows\system32\MfeOtlkAddin.dll
    2012-01-27 10:59:58 22816 ----a-w- c:\windows\system32\MFEOtlk.dll
    2012-01-27 10:59:48 148520 ----a-w- c:\windows\system32\mfevtps.exe.7fc4.deleteme
    2012-01-27 10:58:47 -------- d-----w- c:\program files\McAfee
    2012-01-27 10:58:47 -------- d-----w- c:\program files\common files\McAfee
    2012-01-27 10:52:14 -------- d-----w- c:\documents and settings\all users\application data\WRData
    2012-01-27 10:52:13 -------- d-----w- c:\documents and settings\chris\application data\IObit
    2012-01-26 12:04:27 109072 ----a-w- c:\windows\system32\drivers\WRkrn.sys
    2012-01-25 23:49:19 -------- d-----w- c:\documents and settings\chris\application data\SUPERAntiSpyware.com
    2012-01-25 23:29:33 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-23 11:47:07 719872 ----a-w- c:\windows\system32\devil.dll
    2012-01-23 11:47:07 70656 ----a-w- c:\windows\system32\yv12vfw.dll
    2012-01-23 11:47:07 70656 ----a-w- c:\windows\system32\i420vfw.dll
    2012-01-23 11:47:07 369152 ----a-w- c:\windows\system32\avisynth.dll
    2012-01-23 11:47:07 32256 ----a-w- c:\windows\system32\AVSredirect.dll
    2012-01-23 11:47:01 -------- d-----w- c:\program files\AviSynth 2.5
    2012-01-17 12:15:11 -------- d-----w- c:\documents and settings\chris\.elan_data
    2012-01-17 12:12:52 -------- d-----w- c:\program files\ELAN 4.1.2
    2012-01-16 11:58:20 -------- d-----w- c:\documents and settings\chris\application data\UAMCTAppData
    2012-01-10 11:29:41 -------- d-----w- c:\program files\Weka-3-6
    2012-01-10 11:04:17 -------- d-----w- c:\program files\jEdit
    2012-01-03 13:13:12 -------- d-----w- c:\documents and settings\chris\local settings\application data\Identities
    2012-01-03 12:36:47 -------- d-----w- C:\Perl
    .
    ==================== Find3M ====================
    .
    2011-12-08 15:35:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
    2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
    2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
    2011-11-03 15:28:36 386048 ----a-w- c:\windows\system32\qdvd.dll
    2011-11-03 15:28:36 1292288 ----a-w- c:\windows\system32\quartz.dll
    2011-11-02 10:07:21 100 ----a-w- c:\windows\system32\prsgrc.dll
    2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
    .
    ============= FINISH: 12:44:24.81 ===============
  5. chrizba


    Attach.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 21/08/2008 08:26:46
    System Uptime: 27/01/2012 12:08:41 (0 hours ago)
    .
    Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | U-100
    Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz | CPU 1 | 1600/533mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 39 GiB total, 13.096 GiB free.
    D: is FIXED (NTFS) - 32 GiB total, 8.176 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1: 27/01/2012 12:18:45 - System Checkpoint
    RP2: 27/01/2012 12:23:40 - Removed McAfee VirusScan Enterprise.
    RP3: 27/01/2012 12:26:31 - Removed McAfee Agent.
    .
    ==== Installed Programs ======================
    .
    32 Bit HP CIO Components Installer
    ActivePerl 5.12.4 Build 1205
    Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
    Adobe AIR
    Adobe Flash Player 11 Plugin
    Adobe Flash Player ActiveX
    AiO_Scan_CDA
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AVG 2012
    AVI Codec Pack
    BitTorrent
    Bluetooth Stack for Windows by Toshiba
    Bonjour
    BurnRecovery
    CCleaner
    CutePDF Writer 2.7
    Dexter Coder
    Dexter Converter
    DNA
    ELAN 4.1.2
    GIMP 2.7.0
    Google Calendar Sync
    GPL Ghostscript 8.63
    GSview 4.9
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Photosmart All-In-One Driver Software 10.0 Rel .2
    HP Photosmart, Officejet and Deskjet 7.0.A
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    JabRef
    Java Auto Updater
    Java DB 10.6.2.1
    Java(TM) 6 Update 24
    Java(TM) SE Development Kit 6 Update 24
    jEdit 4.5pre1
    Line 6 Uninstaller
    Malwarebytes Anti-Malware version 1.60.0.1800
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    MiKTeX 2.8
    Mozilla Firefox 9.0.1 (x86 en-GB)
    Mozilla Thunderbird 9.0.1 (x86 en-GB)
    MSVCRT
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    PS_AIO_02_Software_Min
    QFolder
    QuickTime
    REALTEK GbE & FE Ethernet PCI-E NIC Driver
    Realtek High Definition Audio Driver
    REALTEK RTL8187SE Wireless LAN Driver
    Registry Mechanic 7.0
    Scan
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft Office InfoPath 2007 (KB2510061)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2510581)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Segoe UI
    Skype™ 4.2
    SPSS 16.0 for Windows
    Synaptics Pointing Device Driver
    System Control Manager
    TeXnicCenter Version 1.0 Stable RC1
    TomTom HOME Visual Studio Merge Modules
    Toolbox
    TortoiseSVN 1.6.1.16129 (32 bit)
    TUGZip 3.5
    Ulead Burn.Now 4.5
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596686) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    USB 2.0 Card Reader
    VLC media player 1.1.11
    WebFldrs XP
    Weka 3.6.6
    Windows Installer Clean Up
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Format Runtime
    .
    ==== Event Viewer Messages From Past Week ========
    .
    27/01/2012 12:11:20, error: Service Control Manager [7024] - The HitmanPro 3.6 Crusader (Boot) service terminated with service-specific error 0 (0x0).
    27/01/2012 11:54:12, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    27/01/2012 11:54:03, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    27/01/2012 11:51:19, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    27/01/2012 11:10:11, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avgldx86 Avgmfx86 Fips intelppm SASDIFSV SASKUTIL Tosrfcom
    27/01/2012 11:09:20, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    27/01/2012 10:57:12, error: Service Control Manager [7031] - The AVG WatchDog service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    27/01/2012 10:57:06, error: Service Control Manager [7031] - The AVG WatchDog service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    27/01/2012 10:57:01, error: Service Control Manager [7031] - The AVG WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    27/01/2012 10:56:51, error: Service Control Manager [7034] - The Windows User Mode Driver Framework service terminated unexpectedly. It has done this 1 time(s).
    27/01/2012 10:56:28, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    27/01/2012 10:56:25, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    27/01/2012 10:55:44, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    27/01/2012 10:36:51, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    27/01/2012 10:26:00, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402
    27/01/2012 09:26:00, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402
    27/01/2012 06:26:00, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402
    27/01/2012 04:26:00, error: Schedule [7901] - The At9.job command failed to start due to the following error: %%2147942402
    27/01/2012 01:26:00, error: Schedule [7901] - The At3.job command failed to start due to the following error: %%2147942402
    26/01/2012 22:26:00, error: Schedule [7901] - The At45.job command failed to start due to the following error: %%2147942402
    26/01/2012 19:26:00, error: Schedule [7901] - The At39.job command failed to start due to the following error: %%2147942402
    26/01/2012 18:09:56, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    26/01/2012 18:08:22, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    26/01/2012 10:27:30, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
    25/01/2012 09:33:37, error: Dhcp [1002] - The IP address lease 192.168.1.72 for the Network Card with network address 001D92C9C145 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    .
    ==== End Of File ===========================
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Welcome to TechSpot! I'll help with the malware, but we need to do some Housekeeping first:

    1. You are running 2 security suites> McAfee and AVG2012. Please decide which you want to keep and remove the other. Multiple AV or FW make the system more vulnerable, not less.
    Note: I am going to have you run Combofix and it will not run with AVG. Nor can AVG be disabled, so it will have to be temporarily uninstalled. If McAfee is current and functional, keep it and use the AppRemover for AVG. If McAfee is not current and functional, you can download one of the temporary AVs offered.
    Please reboot after the uninstall of the AV.
    2. You are running a registry cleaner. We do not recommend that anyone use these programs as the risk is greater than any benefit. If you want to keep it anyway, please disable it while I'm helping you.
    3. I recommend uninstalling Hitman Pro. This is a program that is bundled with security programs that are free on the internet. The big difference is that Hitman will only remove bad entries for free during the trial period, whereas the free-standing, free programs are fully functional.
    4. Do not use Bit Torrent while I'm helping you. I recommend uninstalling it.
    =====================================
    To proceed: Please run the following online virus scan:
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =====================================
    When the Eset scan is complete, you can go on to the following:

    You will need to temporarily uninstall AVG as follows: if applicable

    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one: if needed
    Avira-AntiVir-Personal-Free-Antivirus
    Avast Free Version
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Expect these- they are normal:
    1. If asked to install or update the Recovery Console, allow. (You will need an internet connection for this.)
    2. Before you run the Combofix scan, please disable any security software you have running.
    3. Combofix may need to reboot your computer more than once to do its job; this is normal.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =========================================
    Please post both logs in next reply.
    =======================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    If I haven't replied back to you within 48 hours, you can send a PM with your thread link in it as a reminder. Do not include technical problems from your thread. Support is given only in the forum.
    Threads are closed after 5 days if there is no reply.

    Edit: you're using FoxyProxy, correct? You may need to disable that.
  7. chrizba

    chrizba Newcomer, in training Topic Starter Posts: 18

    Hello

    Firstly thanks for helping me with this!

    I ran the scans (see logs below) and all sorts of things have happened. Right now my keyboard (msi wind netbook) is dead so I have e-mailed myself this from my phone to cut n paste here...

    Chris

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinWebdirb2.zip Win32/Bagle.gen.zip worm
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\16\6d83d510-4006cb0e a variant of Win32/Kryptik.ZOF trojan
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\40\7129ce28-5cafcf7e a variant of Java/Exploit.CVE-2011-3544.AF trojan
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8L2VCPQV\mazezu5.net[1] HTML/Iframe.B.Gen virus
    C:\WINDOWS\system32\drivers\i8042prt.sys a variant of Win32/Rootkit.Kryptik.IF trojan
    Operating memory multiple threats


    ComboFix 12-01-27.01 - Chris 27/01/2012 22:14:43.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.610 [GMT 0:00]
    Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Chris\GoToAssistDownloadHelper.exe
    c:\documents and settings\Chris\WINDOWS
    c:\windows\$NtUninstallKB24531$
    c:\windows\$NtUninstallKB24531$\205541420
    c:\windows\$NtUninstallKB24531$\3857431096\@
    c:\windows\$NtUninstallKB24531$\3857431096\bckfg.tmp
    c:\windows\$NtUninstallKB24531$\3857431096\cfg.ini
    c:\windows\$NtUninstallKB24531$\3857431096\Desktop.ini
    c:\windows\$NtUninstallKB24531$\3857431096\keywords
    c:\windows\$NtUninstallKB24531$\3857431096\kwrd.dll
    c:\windows\$NtUninstallKB24531$\3857431096\L\urapuonr
    c:\windows\$NtUninstallKB24531$\3857431096\oemid
    c:\windows\$NtUninstallKB24531$\3857431096\U\00000001.@
    c:\windows\$NtUninstallKB24531$\3857431096\U\00000002.@
    c:\windows\$NtUninstallKB24531$\3857431096\U\00000004.@
    c:\windows\$NtUninstallKB24531$\3857431096\U\80000000.@
    c:\windows\$NtUninstallKB24531$\3857431096\U\80000004.@
    c:\windows\$NtUninstallKB24531$\3857431096\U\80000032.@
    c:\windows\$NtUninstallKB24531$\3857431096\version
    c:\windows\Fonts\._QUEEN_Mary.TTF
    c:\windows\system32\prsgrc.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-27 to 2012-01-27 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-27 22:28 . 2012-01-27 22:28 -------- d-----w- c:\windows\LastGood
    2012-01-27 22:14 . 2012-01-27 22:14 0 ----a-w- c:\windows\system32\drivers\SET4.tmp
    2012-01-27 21:38 . 2012-01-27 21:38 -------- d-----w- c:\documents and settings\Chris\Application Data\Avira
    2012-01-27 21:37 . 2011-09-18 08:39 134344 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2012-01-27 21:37 . 2011-09-15 23:55 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    2012-01-27 21:37 . 2011-09-15 23:55 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2012-01-27 21:37 . 2012-01-27 21:37 -------- d-----w- c:\program files\Avira
    2012-01-27 21:37 . 2012-01-27 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2012-01-27 17:43 . 2012-01-27 17:43 -------- d-----w- c:\program files\ESET
    2012-01-27 11:56 . 2012-01-27 12:10 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
    2012-01-27 11:56 . 2012-01-27 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
    2012-01-27 11:00 . 2012-01-27 11:00 -------- d-----w- c:\documents and settings\Chris\Application Data\McAfee
    2012-01-27 10:59 . 2012-01-27 10:59 74848 ----a-w- c:\windows\system32\MfeOtlkAddin.dll
    2012-01-27 10:59 . 2012-01-27 10:59 22816 ----a-w- c:\windows\system32\MFEOtlk.dll
    2012-01-27 10:58 . 2012-01-27 12:26 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2012-01-27 10:58 . 2012-01-27 12:24 -------- d-----w- c:\program files\McAfee
    2012-01-27 10:52 . 2012-01-27 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\WRData
    2012-01-27 10:52 . 2012-01-27 10:52 -------- d-----w- c:\documents and settings\Chris\Application Data\IObit
    2012-01-26 12:04 . 2012-01-26 12:04 109072 ----a-w- c:\windows\system32\drivers\WRkrn.sys
    2012-01-25 23:49 . 2012-01-25 23:49 -------- d-----w- c:\documents and settings\Chris\Application Data\SUPERAntiSpyware.com
    2012-01-25 23:29 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-25 23:02 . 2012-01-25 23:02 -------- d-s---w- c:\documents and settings\NetworkService\UserData
    2012-01-23 12:18 . 2012-01-23 12:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
    2012-01-23 11:47 . 2009-09-27 09:39 369152 ----a-w- c:\windows\system32\avisynth.dll
    2012-01-23 11:47 . 2005-07-14 12:31 32256 ----a-w- c:\windows\system32\AVSredirect.dll
    2012-01-23 11:47 . 2004-02-22 10:11 719872 ----a-w- c:\windows\system32\devil.dll
    2012-01-23 11:47 . 2004-01-25 00:00 70656 ----a-w- c:\windows\system32\yv12vfw.dll
    2012-01-23 11:47 . 2004-01-25 00:00 70656 ----a-w- c:\windows\system32\i420vfw.dll
    2012-01-23 11:47 . 2012-01-23 11:47 -------- d-----w- c:\program files\AviSynth 2.5
    2012-01-17 12:15 . 2012-01-23 11:27 -------- d-----w- c:\documents and settings\Chris\.elan_data
    2012-01-17 12:12 . 2012-01-17 12:14 -------- d-----w- c:\program files\ELAN 4.1.2
    2012-01-16 11:58 . 2012-01-16 11:59 -------- d-----w- c:\documents and settings\Chris\Application Data\UAMCTAppData
    2012-01-10 11:29 . 2012-01-10 11:30 -------- d-----w- c:\program files\Weka-3-6
    2012-01-10 11:04 . 2012-01-10 11:06 -------- d-----w- c:\program files\jEdit
    2012-01-03 13:13 . 2012-01-03 13:13 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Identities
    2012-01-03 12:36 . 2012-01-03 12:45 -------- d-----w- C:\Perl
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-08 15:35 . 2011-05-26 10:11 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-25 21:57 . 2008-06-11 01:46 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:25 . 2008-06-11 01:46 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-18 12:35 . 2008-06-11 01:46 60416 ----a-w- c:\windows\system32\packager.exe
    2011-11-16 14:21 . 2008-06-11 01:46 354816 ----a-w- c:\windows\system32\winhttp.dll
    2011-11-16 14:21 . 2008-06-11 01:46 152064 ----a-w- c:\windows\system32\schannel.dll
    2011-11-03 15:28 . 2008-06-11 01:46 386048 ----a-w- c:\windows\system32\qdvd.dll
    2011-11-03 15:28 . 2008-06-11 01:46 1292288 ----a-w- c:\windows\system32\quartz.dll
    2011-11-01 16:07 . 2008-06-11 01:46 1288704 ----a-w- c:\windows\system32\ole32.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
    @="{C5994560-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
    @="{C5994561-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
    @="{C5994562-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
    @="{C5994563-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
    @="{C5994564-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
    @="{C5994565-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
    @="{C5994566-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
    @="{C5994567-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
    @="{C5994568-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
    "RTHDCPL"="RTHDCPL.EXE" [2008-05-07 16862208]
    "MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-06-10 782336]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-11 1028096]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\Martin\Start Menu\Programs\Startup\
    OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "HonorAutoRunSetting"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\SPSS16\\spss.com"=
    "c:\\Program Files\\SPSS16\\spss.exe"=
    "c:\\Program Files\\SPSS16\\SPSSWinWrapIDE.exe"=
    "c:\\Program Files\\PuTTy\\putty.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\eclipse\\eclipse.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\WINDOWS\\system32\\java.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R0 WRkrn;WRkrn;c:\windows\system32\drivers\WRkrn.sys [26/01/2012 12:04 109072]
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [27/01/2012 21:37 36000]
    R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [27/01/2012 21:37 86224]
    R2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [11/06/2008 23:19 159744]
    R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [11/06/2008 23:18 156160]
    S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
    S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
    S3 L6TPortB;Service - Line 6 TonePort UX2;c:\windows\system32\Drivers\L6TPortB.sys --> c:\windows\system32\Drivers\L6TPortB.sys [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bbc.co.uk/
    uInternet Connection Wizard,ShellNext = hxxp://www.msi.com.tw/
    uInternet Settings,ProxyOverride = *.local
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{ABD78E04-874A-41B5-B6AF-2878FA0BB260}: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\rig7qma3.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/|https://login.live.com/login.srf?wa...0&lc=2057&id=64855&mkt=en-gb&cbcxt=mai&snsc=1
    FF - prefs.js: network.proxy.ftp - localhost
    FF - prefs.js: network.proxy.ftp_port - 3128
    FF - prefs.js: network.proxy.gopher - localhost
    FF - prefs.js: network.proxy.gopher_port - 3128
    FF - prefs.js: network.proxy.http - localhost
    FF - prefs.js: network.proxy.http_port - 3128
    FF - prefs.js: network.proxy.socks - localhost
    FF - prefs.js: network.proxy.socks_port - 3128
    FF - prefs.js: network.proxy.ssl - localhost
    FF - prefs.js: network.proxy.ssl_port - 3128
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-klmdb.sys
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-27 22:28
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2332106328-2196180437-3818924662-1005\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(1140)
    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    c:\program files\TortoiseSVN\bin\TortoiseStub.dll
    c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
    c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\windows\system32\rundll32.exe
    c:\program files\TortoiseSVN\bin\TSVNCache.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\wbem\unsecapp.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-27 22:36:16 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-27 22:36
    .
    Pre-Run: 13,914,992,640 bytes free
    Post-Run: 14,337,220,608 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - A093821ED793551E9DA91AA9AAACAA04
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Questions/Comments:

    Antivirus
    AVG removed
    McAfee >>> Restore points show RP2: 27/01/2012 12:23:40 - Removed McAfee VirusScan Enterprise.
    RP3: 27/01/2012 12:26:31 - Removed McAfee Agent.
    Then installed 1/27>> not disabled for Combofix. Full program running.

    Please get the antivirus down to one and disable the security when running Combofix.
    ================================
    Please run the MGA Diagnostics tool
    • You will be prompted to either “Run” or “Save” the tool. Choose to “Run” the tool and follow the on-screen prompts.
    • You will receive an Internet Explorer-Security Warning dialog box for the Windows Genuine Advantage Diagnostic Tool>
    • You must choose to Run this tool when prompted.
    • Once you are presented with the Diagnostics tool choose Continue to run the diagnostic report.
    • If the RESOLVE button is available after running the diagnostics, please click RESOLVE to allow the diagnostic tool to attempt a repair.
    • After running the MGA Diagnostic tool, click on the Windows tab and then click on Copy
    • Please return to this thread and Paste the results here for review.
    ------------------------------------------
    Also look on the computer itself, in the documentation you received with the computer, or with your retail purchase of Windows to see if you have a Certificate of Authenticity (COA). If you have one, tell us about the COA. Tell us:

    1. What edition of Windows XP is it for, Home, Pro, or Media Center, or another version of Windows?
    2. Does it read "OEM Software" or "OEM Product" in black lettering?
    3. Or, does it have the computer manufacturer's name in black lettering?
    4. DO NOT post the Product Key.

    NOTE: The data collected with the Genuine Diagnostics Tool does NOT contain any information that can personally identify you and can be fully reviewed, by you, before being posted.
    .
    Avira installed 1/27
  9. chrizba

    chrizba Newcomer, in training Topic Starter Posts: 18

    MGA results

    Hi Bobbye

    I have no idea why McAfee thought it was still installed. Silly me for thinking that uninstalling it would have the desired effect (and I certainly didn't subsequently reinstall it). I ran the AppRemover for failed uninstall, but it didn't find McAfee either. Please advise!

    The MGA results are shown below

    I'm afraid I can't find the physical COA, and the COA sticker on the bottom of the laptop doesn't seem to say any of the details requested.

    Chris

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Status: Genuine
    Validation Code: 0
    Cached Validation Code: N/A
    Windows Product Key: *****-*****-WFM92-V2TVC-J2YBJ
    Windows Product Key Hash: iqUeChZ1VgXrb6DNrz+0ntLIHzY=
    Windows Product ID: 76477-OEM-2111907-00323
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 5.1.2600.2.00010300.3.0.hom
    ID: {EDFF69D2-4C7F-4154-A84B-355B5B8521E1}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered, 1.9.42.0
    Signed By: Microsoft
    Product Name: N/A
    Architecture: N/A
    Build lab: N/A
    TTS Error: N/A
    Validation Diagnostic: 025D1FF3-230-1
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A
    Version: N/A

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Enterprise 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: B4D0AA8B-604-645_025D1FF3-230-1

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
    Default Browser: C:\Program Files\Mozilla\Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{EDFF69D2-4C7F-4154-A84B-355B5B8521E1}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010300.3.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-J2YBJ</PKey><PID>76477-OEM-2111907-00323</PID><PIDType>2</PIDType><SID>S-1-5-21-2332106328-2196180437-3818924662</SID><SYSTEM><Manufacturer>MICRO-STAR INTERNATIONAL CO., LTD</Manufacturer><Model>U-100</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>4.6.3</Version><SMBIOSVersion major="2" minor="4"/><Date>20080716000000.000000+000</Date></BIOS><HWID>94430B900184C065</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Micro-Star Int'l Co.,Ltd.</name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>64BC76978749586</Val><Hash>GW6PzcEVEDTVKeO5Ym5UUm41dBk=</Hash><Pid>89388-707-0441865-65798</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

    Licensing Data-->
    N/A

    Windows Activation Technologies-->
    N/A

    HWID Data-->
    N/A

    OEM Activation 1.0 Data-->
    BIOS string matches: yes
    Marker string from BIOS: 1F574:MICRO-STAR INTERNATIONAL CO., LTD
    Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

    OEM Activation 2.0 Data-->
    N/A
  10. chrizba

    chrizba Newcomer, in training Topic Starter Posts: 18

    ComboFix

    Ok, so what I have done now (I hope!) is reinstall McAfee and uninstall Avira.

    I have then disabled the on-access scanner and rerun ComboFix - see below...

    Still no keyboard function


    Chris

    ComboFix 12-01-28.01 - Chris 28/01/2012 12:03:21.2.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.609 [GMT 0:00]
    Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
    AV: McAfee VirusScan Enterprise+AntiSpyware Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-28 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-28 11:24 . 2012-01-28 11:23 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2012-01-28 11:24 . 2012-01-28 11:23 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2012-01-28 11:24 . 2012-01-28 11:23 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2012-01-28 11:24 . 2012-01-28 11:23 119968 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2012-01-28 11:24 . 2012-01-28 11:23 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2012-01-28 11:24 . 2012-01-28 11:23 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2012-01-28 11:24 . 2012-01-28 11:23 148520 ----a-w- c:\windows\system32\mfevtps.exe
    2012-01-28 11:24 . 2012-01-28 11:23 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2012-01-28 11:22 . 2012-01-28 11:23 -------- d-----w- c:\program files\Common Files\McAfee
    2012-01-28 09:51 . 2012-01-28 09:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2012-01-27 22:14 . 2012-01-27 22:14 0 ----a-w- c:\windows\system32\drivers\SET4.tmp
    2012-01-27 17:43 . 2012-01-27 17:43 -------- d-----w- c:\program files\ESET
    2012-01-27 11:56 . 2012-01-27 12:10 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
    2012-01-27 11:56 . 2012-01-27 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
    2012-01-27 11:00 . 2012-01-27 11:00 -------- d-----w- c:\documents and settings\Chris\Application Data\McAfee
    2012-01-27 10:59 . 2012-01-28 11:23 74848 ----a-w- c:\windows\system32\MfeOtlkAddin.dll
    2012-01-27 10:59 . 2012-01-28 11:23 22816 ----a-w- c:\windows\system32\MFEOtlk.dll
    2012-01-27 10:58 . 2012-01-28 11:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2012-01-27 10:58 . 2012-01-28 11:22 -------- d-----w- c:\program files\McAfee
    2012-01-27 10:52 . 2012-01-27 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\WRData
    2012-01-27 10:52 . 2012-01-27 10:52 -------- d-----w- c:\documents and settings\Chris\Application Data\IObit
    2012-01-26 12:04 . 2012-01-26 12:04 109072 ----a-w- c:\windows\system32\drivers\WRkrn.sys
    2012-01-25 23:49 . 2012-01-25 23:49 -------- d-----w- c:\documents and settings\Chris\Application Data\SUPERAntiSpyware.com
    2012-01-25 23:29 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-25 23:02 . 2012-01-25 23:02 -------- d-s---w- c:\documents and settings\NetworkService\UserData
    2012-01-23 12:18 . 2012-01-23 12:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
    2012-01-23 11:47 . 2009-09-27 09:39 369152 ----a-w- c:\windows\system32\avisynth.dll
    2012-01-23 11:47 . 2005-07-14 12:31 32256 ----a-w- c:\windows\system32\AVSredirect.dll
    2012-01-23 11:47 . 2004-02-22 10:11 719872 ----a-w- c:\windows\system32\devil.dll
    2012-01-23 11:47 . 2004-01-25 00:00 70656 ----a-w- c:\windows\system32\yv12vfw.dll
    2012-01-23 11:47 . 2004-01-25 00:00 70656 ----a-w- c:\windows\system32\i420vfw.dll
    2012-01-23 11:47 . 2012-01-23 11:47 -------- d-----w- c:\program files\AviSynth 2.5
    2012-01-17 12:15 . 2012-01-23 11:27 -------- d-----w- c:\documents and settings\Chris\.elan_data
    2012-01-17 12:12 . 2012-01-17 12:14 -------- d-----w- c:\program files\ELAN 4.1.2
    2012-01-16 11:58 . 2012-01-16 11:59 -------- d-----w- c:\documents and settings\Chris\Application Data\UAMCTAppData
    2012-01-10 11:29 . 2012-01-10 11:30 -------- d-----w- c:\program files\Weka-3-6
    2012-01-10 11:04 . 2012-01-10 11:06 -------- d-----w- c:\program files\jEdit
    2012-01-03 13:13 . 2012-01-03 13:13 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Identities
    2012-01-03 12:36 . 2012-01-03 12:45 -------- d-----w- C:\Perl
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-08 15:35 . 2011-05-26 10:11 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-25 21:57 . 2008-06-11 01:46 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:25 . 2008-06-11 01:46 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-18 12:35 . 2008-06-11 01:46 60416 ----a-w- c:\windows\system32\packager.exe
    2011-11-16 14:21 . 2008-06-11 01:46 354816 ----a-w- c:\windows\system32\winhttp.dll
    2011-11-16 14:21 . 2008-06-11 01:46 152064 ----a-w- c:\windows\system32\schannel.dll
    2011-11-03 15:28 . 2008-06-11 01:46 386048 ----a-w- c:\windows\system32\qdvd.dll
    2011-11-03 15:28 . 2008-06-11 01:46 1292288 ----a-w- c:\windows\system32\quartz.dll
    2011-11-01 16:07 . 2008-06-11 01:46 1288704 ----a-w- c:\windows\system32\ole32.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-01-27_22.29.04 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-01-28 11:56 . 2012-01-28 11:56 16384 c:\windows\Temp\Perflib_Perfdata_80.dat
    + 2012-01-28 11:25 . 2012-01-28 11:25 10134 c:\windows\Installer\{CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF}\ARPPRODUCTICON.exe
    + 2012-01-28 11:23 . 2012-01-28 11:23 10134 c:\windows\Installer\{2AAB21C2-4CDA-4189-A0EC-5ED666113F84}\ARPPRODUCTICON.exe
    + 2009-06-25 13:20 . 2009-06-25 13:20 1485176 c:\windows\system32\LegitCheckControl.DLL
    + 2012-01-28 11:23 . 2012-01-28 11:23 1623040 c:\windows\Installer\59fd6.msi
    + 2012-01-28 11:24 . 2012-01-28 11:25 13156352 c:\windows\Installer\59fda.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
    @="{C5994560-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
    @="{C5994561-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
    @="{C5994562-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
    @="{C5994563-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
    @="{C5994564-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
    @="{C5994565-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
    @="{C5994566-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
    @="{C5994567-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
    @="{C5994568-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
    "RTHDCPL"="RTHDCPL.EXE" [2008-05-07 16862208]
    "MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-06-10 782336]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-11 1028096]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-09-14 215360]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\Martin\Start Menu\Programs\Startup\
    OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "HonorAutoRunSetting"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\SPSS16\\spss.com"=
    "c:\\Program Files\\SPSS16\\spss.exe"=
    "c:\\Program Files\\SPSS16\\SPSSWinWrapIDE.exe"=
    "c:\\Program Files\\PuTTy\\putty.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\eclipse\\eclipse.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\WINDOWS\\system32\\java.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    .
    R0 WRkrn;WRkrn;c:\windows\system32\drivers\WRkrn.sys [26/01/2012 12:04 109072]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [28/01/2012 11:24 89624]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [28/01/2012 11:24 148520]
    R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [11/06/2008 23:18 156160]
    S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
    S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
    S2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [11/06/2008 23:19 159744]
    S3 L6TPortB;Service - Line 6 TonePort UX2;c:\windows\system32\Drivers\L6TPortB.sys --> c:\windows\system32\Drivers\L6TPortB.sys [?]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [28/01/2012 11:24 87808]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bbc.co.uk/
    uInternet Connection Wizard,ShellNext = hxxp://www.msi.com.tw/
    uInternet Settings,ProxyOverride = *.local
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{ABD78E04-874A-41B5-B6AF-2878FA0BB260}: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\rig7qma3.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/|https://login.live.com/login.srf?wa...0&lc=2057&id=64855&mkt=en-gb&cbcxt=mai&snsc=1
    FF - prefs.js: network.proxy.ftp - localhost
    FF - prefs.js: network.proxy.ftp_port - 3128
    FF - prefs.js: network.proxy.gopher - localhost
    FF - prefs.js: network.proxy.gopher_port - 3128
    FF - prefs.js: network.proxy.http - localhost
    FF - prefs.js: network.proxy.http_port - 3128
    FF - prefs.js: network.proxy.socks - localhost
    FF - prefs.js: network.proxy.socks_port - 3128
    FF - prefs.js: network.proxy.ssl - localhost
    FF - prefs.js: network.proxy.ssl_port - 3128
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-28 12:14
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2332106328-2196180437-3818924662-1005\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2520)
    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    c:\program files\TortoiseSVN\bin\TortoiseStub.dll
    c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
    c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
    c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll
    c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll
    c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll
    .
    Completion time: 2012-01-28 12:18:36
    ComboFix-quarantined-files.txt 2012-01-28 12:18
    ComboFix2.txt 2012-01-27 22:36
    .
    Pre-Run: 13,887,287,296 bytes free
    Post-Run: 13,898,567,680 bytes free
    .
    - - End Of File - - 377EFF1BE3A89C256207EF03AAC36818
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Here's the keyboard problem:> The driver had malware and was probably corrupted: C:\WINDOWS\system32\drivers\i8042prt.sys>
    Disabling I8042PRT.SYS Mouse Driver Also Disables the Keyboard
    Rather than try to find and replace the driver, since the keyboard is such a vital part of the system, Microsoft recommends the following:
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Last known good configuration> option when the Windows Advanced Options menu appears, and then press ENTER.

    Please let me know if this restores the keyboard. If it does not, I'll have you look for a copy on the system.

    (PS/2 Mouse Port driver is built into the computer as the Intel 8042 (or Intel 8742) auxiliary device. The keyboard is also connected to the Intel 8042, and is supported by the same driver.)
    ====================================
    For the Eset entries:
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinWebdirb2.zip 
      C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\16\6d83d510-4006cb0e 
      C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\40\7129ce28-5cafcf7e 
      C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8L2VCPQV\mazezu5.net[1] 
      C:\WINDOWS\system32\drivers\i8042prt.sys 
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =====================================
    Since we will be doing some backtracking, I'd like you to Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.
    When the scan has finished, you will see this image:
    [IMG]
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    Please update Java: Java Updates. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

    Be sure to check all download screens for any pre-checked toolbars or BHO> if found, remove the check before the download.
    =======================================
    You will have removed the Eset entries in OTM by now. So please update Eset and run another scan.
    ======================================
    Please uninstall all of the following in Add/Remove Programs
    BitTorrent
    Java(TM) 6 Update 24
    Java(TM) SE Development Kit 6 Update 24
    jEdit 4.5pre1
    Line 6 Uninstaller
    Registry Mechanic 7.0
    The HitmanPro 3.6 Crusader (Boot)
    When finished, use Windows explorer to access Computer> Local Drive (C)> Programs> find folder for each of the uninstalled programs except Java and do a Right Click> Delete.
    ==================================
    Can you please tell me if these are programs you're using in conjunction with your dissertation? I've included a capsule description:
    1. SPSS is a computer program used for survey authoring and deployment (IBM SPSS Data Collection), data mining (IBM SPSS Modeler), text analytics, statistical analysis, and collaboration and deployment (batch and automated scoring services).
    2. c:\program files\Weka-3-6 >> Data mining software in Java.
    3. c:\program files\ELAN 4.1.2 >> ELAN - A professional tool for the creation of complex annotations on video and audio resources.
    4. PuTTY is an SSH and telnet client. Use in the UK possibly not legal.
    5. TUGZip is a powerful award-winning freeware archiving utility for Windows®
    =============================
    I will have some script for you to run in Combofix after you've finished the above.

    Please leave logs in next reply.
     
  12. chrizba

    chrizba Newcomer, in training Topic Starter Posts: 18

    Hi Bobbye

    Thanks for this - sorry about the PM - I didn't mean to bother you over the weekend, but I think I failed to take the time difference between London and Florida into account!

    The last known good configuration didn't start my keyboard working sadly.

    All the programs listed 1-5 are ones for my degree.

    Some of the programs to remove didn't show up in Add/Remove Programs. They were: Line 6 Uninstaller and The HitmanPro 3.6 Crusader (Boot)

    Chris

    All processes killed
    ========== FILES ==========
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinWebdirb2.zip moved successfully.
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\16\6d83d510-4006cb0e moved successfully.
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\40\7129ce28-5cafcf7e moved successfully.
    File/Folder C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8L2VCPQV\mazezu5.net[1] not found.
    C:\WINDOWS\system32\drivers\i8042prt.sys moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Chris
    ->Temp folder emptied: 15342315 bytes
    ->Temporary Internet Files folder emptied: 1610186 bytes
    ->Java cache emptied: 3630831 bytes
    ->FireFox cache emptied: 55183006 bytes
    ->Flash cache emptied: 41530 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 41044 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: Martin
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->FireFox cache emptied: 14224306 bytes
    ->Flash cache emptied: 639 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Java cache emptied: 890 bytes
    ->Flash cache emptied: 2264 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 86.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 01302012_175007

    Files moved on Reboot...
    C:\Documents and Settings\Chris\Local Settings\Temp\McAfeeLogs\UpdaterUI_CHRIZZA.log moved successfully.
    C:\Documents and Settings\Chris\Local Settings\Temp\McAfeeLogs\UpdaterUI_CHRIZZA_error.log moved successfully.

    Registry entries deleted on Reboot...

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.30.03

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 6.0.2900.5512
    Chris :: CHRIZZA [administrator]

    30/01/2012 18:04:36
    mbam-log-2012-01-30 (18-04-36).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 294989
    Time elapsed: 3 hour(s), 2 minute(s), 53 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    C:\System Volume Information\_restore{29FCC5FA-EBD7-491E-8808-604B0E4B3356}\RP3\A0000300.sys a variant of Win32/Rootkit.Kryptik.IF trojan
    C:\System Volume Information\_restore{29FCC5FA-EBD7-491E-8808-604B0E4B3356}\RP3\A0000336.sys a variant of Win32/Rootkit.Kryptik.IF trojan
    C:\System Volume Information\_restore{29FCC5FA-EBD7-491E-8808-604B0E4B3356}\RP3\A0000454.sys a variant of Win32/Rootkit.Kryptik.IF trojan
    C:\System Volume Information\_restore{29FCC5FA-EBD7-491E-8808-604B0E4B3356}\RP3\A0001659.sys a variant of Win32/Rootkit.Kryptik.IF trojan
    C:\_OTM\MovedFiles\01302012_175007\C_Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinWebdirb2.zip Win32/Bagle.gen.zip worm
    C:\_OTM\MovedFiles\01302012_175007\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\16\6d83d510-4006cb0e a variant of Win32/Kryptik.ZOF trojan
    C:\_OTM\MovedFiles\01302012_175007\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\40\7129ce28-5cafcf7e a variant of Java/Exploit.CVE-2011-3544.AF trojan
  13. chrizba

    chrizba Newcomer, in training Topic Starter Posts: 18

    Keyboard trauma

    Hello,

    I wondered if you had any advice for me to get my keyboard functioning again...

    Weirdly, the trackpad works when it starts up but then stops working after I try to press a key - though my usb mouse works fine.

    In device manager, there is a warning triangle next to the entry for the keyboard with the error message: "This device cannot find enough free resources that it can use. (Code 12)"

    I have my viva (thesis defense) tomorrow and am beginning to panic!

    Thanks

    Chris
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Chris, let's see if we can find and replace the process that's messing up the keyboard:

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    For 64bit: http://jpshortstuff.247fixes.com/SystemLook_x64.exe
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
      i8042PRT.SYS
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    =========================================
    Please keep in mind that if the problem is hardware related, this file won't help. It's not a common thing for malware to trash a keyboard. If 'Last Good' didn't fix it, I'm not encouraged.
  15. chrizba

    chrizba Newcomer, in training Topic Starter Posts: 18

    Oh dear - if you're not encouraged then neither am I!

    Log below - btw, I have just discovered that the function key to switch on bluetooth (fn+F11) still works...?

    Chris

    SystemLook 30.07.11 by jpshortstuff
    Log created at 21:30 on 01/02/2012 by Chris
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "i8042PRT.SYS"
    C:\WINDOWS\system32\dllcache\i8042prt.sys --a--c- 52480 bytes [00:48 14/04/2008] [00:48 14/04/2008] 4A0B06AA8943C1E332520F7440C0AA30
    C:\WINDOWS\system32\drivers\i8042prt.sys --a---- 52480 bytes [00:48 14/04/2008] [00:48 14/04/2008] 4A0B06AA8943C1E332520F7440C0AA30
    C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\i8042prt.sys --a---- 52480 bytes [17:39 01/02/2012] [00:48 14/04/2008] 4A0B06AA8943C1E332520F7440C0AA30
    C:\_OTM\MovedFiles\01302012_175007\C_WINDOWS\system32\drivers\i8042prt.sys --a---- 52480 bytes [00:48 14/04/2008] [00:48 14/04/2008] 4A0B06AA8943C1E332520F7440C0AA30

    -= EOF =-
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Chris, with the additional info from the Device Manager, this becomes more complicated! I was going to have you check the Device Manager originally, but opted for the 'last good' instead. As far as I can tell there are 2 different problems- so I'm going to try to help with both:

    In the Device Manager:
    This device cannot find enough free resources that it can use. If you want to use this device, you will need to disable one of the other devices on this system. (Code 12)

    Diagnosis
    Two devices have been assigned the same input/output (I/O) ports, the same interrupt, or the same Direct Memory Access channel. The assignment was made by either the basic input/output system (BIOS), the operating system, or a combination of the two.

    Resolution
    The resolution for this issue can be very hardware specific. For detailed information, try searching for “code 12” and your hardware type, name, or model number on the Microsoft support site (http://go.microsoft.com/fwlink/?LinkID=538). For example, for code 12 issues with a CS4281 card, search for “code 12” CS4281.
    (Source: Microsoft)
    Do the search and see if there is any resolution there.
    ======================================
    Missing driver:
    This is strange. Usually when Combofix finds an infected file, it will attempt to replace it. We removed the infected copy in OTM. I'm hoping these backups are clean:

    Please run this Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    
    FCopy::
    C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\i8042prt.sys | c:\windows\system32\drivers\i8042prt.sys
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe
    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    =============================================
    I sincerely hope that one -or possibly both- of the above gets the keyboard working again. Having both a hardware and a software problem at the same time is not a good thing!

    ====================
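    The integrity check behind the SystemLook output above (every copy of i8042prt.sys listed with its size and MD5) and the restore step behind the FCopy:: directive, written out as an added example. This is not code from the thread, from SystemLook or from ComboFix: it assumes Python 3, builds a constructed stand-in directory tree in a temporary folder (the bytes are not a real driver image), and treats the dllcache copy as the trusted reference, which is the copy Windows File Protection on XP restores from. One copy is deliberately altered so the mismatch path is exercised.

```python
"""Verify that every on-disk copy of a Windows driver matches the known-good
copy, and restore from the trusted copy when one differs.

Added example (not from the thread or either tool). The directory tree is a
constructed stand-in built under a temp folder; on a real XP machine the
reference would be C:\\WINDOWS\\system32\\dllcache\\i8042prt.sys and the
candidates the drivers\\ and ReinstallBackups\\ copies from the log.
"""
import hashlib
import os
import shutil
import tempfile


def file_md5(path):
    """MD5 of a file, read in chunks. MD5 is used only because SystemLook
    reports MD5; prefer SHA-256 where the tooling allows it."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def check_copies(reference, candidates):
    """Return {path: (size, md5, matches_reference)} for every candidate.
    A missing candidate is reported as (None, None, False)."""
    ref_hash = file_md5(reference)
    ref_size = os.path.getsize(reference)
    report = {}
    for p in candidates:
        if not os.path.exists(p):
            report[p] = (None, None, False)
            continue
        size, digest = os.path.getsize(p), file_md5(p)
        report[p] = (size, digest, digest == ref_hash and size == ref_size)
    return report


def restore_copy(reference, target):
    """Overwrite target with the trusted copy (what FCopy:: does), then
    re-hash the result so a failed or partial write is not reported as a fix."""
    shutil.copy2(reference, target)
    return file_md5(target) == file_md5(reference)


def build_demo_tree(root):
    """Constructed stand-in for the XP layout seen in the log (not driver bytes)."""
    good = b"MZ" + b"\x00" * 100 + b"i8042prt good driver image"
    layout = {
        "dllcache/i8042prt.sys": good,
        "drivers/i8042prt.sys": good,
        "ReinstallBackups/0010/DriverFiles/i386/i8042prt.sys": good,
        # same size, different bytes: a size check alone would miss this
        "_OTM/MovedFiles/drivers/i8042prt.sys": good[:-5] + b"XXXXX",
    }
    paths = {}
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        paths[rel] = full
    return paths


def run_demo():
    """Check every copy against dllcache, restore the ones that differ, and
    return (relative paths that mismatched, whether every restore verified)."""
    root = tempfile.mkdtemp()
    try:
        paths = build_demo_tree(root)
        reference = paths["dllcache/i8042prt.sys"]
        candidates = [p for k, p in paths.items() if k != "dllcache/i8042prt.sys"]
        report = check_copies(reference, candidates)
        bad = sorted(p for p, (_, _, ok) in report.items() if not ok)
        restored = all(restore_copy(reference, p) for p in bad)
        return [os.path.relpath(p, root) for p in bad], restored
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    mismatched, ok = run_demo()
    print("mismatched copies:", mismatched)
    print("restore verified:", ok)
```

    On a real machine, point reference at the dllcache copy and candidates at the drivers\ and ReinstallBackups\ copies. A size or hash mismatch is what would justify an FCopy; in the SystemLook log above all four copies already carry the same MD5, so copying the backup over the drivers\ copy writes identical bytes.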
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I know you're very busy today- just checking in to see if we have the keyboard back.
  18. chrizba

    chrizba Newcomer, in training Topic Starter Posts: 18

    Nope, I'm afraid not.

    And I also tried a USB keyboard but that didn't work either. I did however pass my viva so it's not all bad!

    I can also use the keyboard before Windows starts (I was trying to see allocated resources in the BIOS thing but no idea what I'm looking for) so I don't think it's a hardware problem. Also the thing it thinks it's clashing with is the trackpad, but there is no option to disable that in device manager.

    I found someone with a similar problem here: http://www.bleepingcomputer.com/forums/topic433638.html

    Any more advice greatly appreciated (even if it involves reinstalling Windows - though note it's a netbook so no CD drive or CD)

    Thanks

    Chris

    ComboFix 12-02-02.01 - Chris 02/02/2012 11:13:02.3.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.385 [GMT 0:00]
    Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Chris\Desktop\CFscript.txt
    AV: McAfee VirusScan Enterprise+AntiSpyware Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-02 to 2012-02-02 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-30 22:53 . 2012-02-01 22:21 -------- d-----w- c:\program files\Common Files\Java
    2012-01-30 22:52 . 2012-01-30 22:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-01-30 20:10 . 2012-02-01 15:11 -------- d-----w- C:\QUARANTINE
    2012-01-30 17:50 . 2012-01-30 17:50 -------- d-----w- C:\_OTM
    2012-01-28 11:24 . 2012-01-28 11:23 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2012-01-28 11:24 . 2012-01-28 11:23 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2012-01-28 11:24 . 2012-01-28 11:23 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2012-01-28 11:24 . 2012-01-28 11:23 119968 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2012-01-28 11:24 . 2012-01-28 11:23 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2012-01-28 11:24 . 2012-01-28 11:23 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2012-01-28 11:24 . 2012-01-28 11:23 148520 ----a-w- c:\windows\system32\mfevtps.exe
    2012-01-28 11:24 . 2012-01-28 11:23 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2012-01-28 11:22 . 2012-01-28 11:23 -------- d-----w- c:\program files\Common Files\McAfee
    2012-01-28 09:51 . 2012-01-28 09:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2012-01-27 17:43 . 2012-01-27 17:43 -------- d-----w- c:\program files\ESET
    2012-01-27 11:56 . 2012-01-27 12:10 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
    2012-01-27 11:56 . 2012-01-27 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
    2012-01-27 11:00 . 2012-01-27 11:00 -------- d-----w- c:\documents and settings\Chris\Application Data\McAfee
    2012-01-27 10:59 . 2012-01-28 11:23 74848 ----a-w- c:\windows\system32\MfeOtlkAddin.dll
    2012-01-27 10:59 . 2012-01-28 11:23 22816 ----a-w- c:\windows\system32\MFEOtlk.dll
    2012-01-27 10:58 . 2012-01-28 11:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2012-01-27 10:58 . 2012-01-28 11:22 -------- d-----w- c:\program files\McAfee
    2012-01-27 10:52 . 2012-01-27 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\WRData
    2012-01-27 10:52 . 2012-01-27 10:52 -------- d-----w- c:\documents and settings\Chris\Application Data\IObit
    2012-01-26 12:04 . 2012-01-26 12:04 109072 ----a-w- c:\windows\system32\drivers\WRkrn.sys
    2012-01-25 23:49 . 2012-01-25 23:49 -------- d-----w- c:\documents and settings\Chris\Application Data\SUPERAntiSpyware.com
    2012-01-25 23:29 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-25 23:02 . 2012-01-25 23:02 -------- d-s---w- c:\documents and settings\NetworkService\UserData
    2012-01-23 12:18 . 2012-01-23 12:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
    2012-01-23 11:47 . 2009-09-27 09:39 369152 ----a-w- c:\windows\system32\avisynth.dll
    2012-01-23 11:47 . 2005-07-14 12:31 32256 ----a-w- c:\windows\system32\AVSredirect.dll
    2012-01-23 11:47 . 2004-02-22 10:11 719872 ----a-w- c:\windows\system32\devil.dll
    2012-01-23 11:47 . 2004-01-25 00:00 70656 ----a-w- c:\windows\system32\yv12vfw.dll
    2012-01-23 11:47 . 2004-01-25 00:00 70656 ----a-w- c:\windows\system32\i420vfw.dll
    2012-01-23 11:47 . 2012-01-23 11:47 -------- d-----w- c:\program files\AviSynth 2.5
    2012-01-17 12:15 . 2012-01-23 11:27 -------- d-----w- c:\documents and settings\Chris\.elan_data
    2012-01-17 12:12 . 2012-01-17 12:14 -------- d-----w- c:\program files\ELAN 4.1.2
    2012-01-16 11:58 . 2012-01-16 11:59 -------- d-----w- c:\documents and settings\Chris\Application Data\UAMCTAppData
    2012-01-10 11:29 . 2012-01-10 11:30 -------- d-----w- c:\program files\Weka-3-6
    2012-01-03 13:13 . 2012-01-03 13:13 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Identities
    2012-01-03 12:36 . 2012-01-03 12:45 -------- d-----w- C:\Perl
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-30 22:51 . 2010-09-10 12:28 472808 -c--a-w- c:\windows\system32\deployJava1.dll
    2011-12-08 15:35 . 2011-05-26 10:11 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-25 21:57 . 2008-06-11 01:46 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:25 . 2008-06-11 01:46 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-18 12:35 . 2008-06-11 01:46 60416 ----a-w- c:\windows\system32\packager.exe
    2011-11-16 14:21 . 2008-06-11 01:46 354816 ----a-w- c:\windows\system32\winhttp.dll
    2011-11-16 14:21 . 2008-06-11 01:46 152064 ----a-w- c:\windows\system32\schannel.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-01-27_22.29.04 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-02-02 08:48 . 2012-02-02 08:48 16384 c:\windows\Temp\Perflib_Perfdata_9c.dat
    + 2012-02-02 09:27 . 2012-02-02 09:27 16384 c:\windows\Temp\Perflib_Perfdata_6b0.dat
    + 2008-06-11 17:00 . 2008-04-14 00:48 52480 c:\windows\system32\ReinstallBackups\0010\DriverFiles\i386\i8042prt.sys
    - 2008-06-11 17:00 . 2008-04-14 12:00 52480 c:\windows\system32\ReinstallBackups\0010\DriverFiles\i386\i8042prt.sys
    - 2008-04-14 00:09 . 2008-04-14 12:00 24576 c:\windows\system32\drivers\kbdclass.sys
    + 2008-04-14 00:09 . 2008-04-14 00:09 24576 c:\windows\system32\drivers\kbdclass.sys
    + 2008-04-14 00:09 . 2008-04-14 00:09 24576 c:\windows\system32\dllcache\kbdclass.sys
    + 2012-01-28 11:25 . 2012-01-28 11:25 10134 c:\windows\Installer\{CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF}\ARPPRODUCTICON.exe
    + 2012-01-28 11:23 . 2012-01-28 11:23 10134 c:\windows\Installer\{2AAB21C2-4CDA-4189-A0EC-5ED666113F84}\ARPPRODUCTICON.exe
    - 2011-05-22 10:48 . 2011-05-22 10:47 157472 c:\windows\system32\javaws.exe
    + 2012-01-30 22:52 . 2012-01-30 22:51 157472 c:\windows\system32\javaws.exe
    + 2012-01-30 22:52 . 2012-01-30 22:51 149280 c:\windows\system32\javaw.exe
    + 2012-01-30 22:52 . 2012-01-30 22:51 149280 c:\windows\system32\java.exe
    + 2012-01-30 22:53 . 2012-01-30 22:53 203776 c:\windows\Installer\111d964.msi
    + 2012-01-30 22:51 . 2012-01-30 22:51 902656 c:\windows\Installer\111d95e.msi
    + 2012-01-27 10:41 . 2012-02-01 22:21 4657352 c:\windows\system32\Restore\rstrlog.dat
    + 2009-06-25 13:20 . 2009-06-25 13:20 1485176 c:\windows\system32\LegitCheckControl.DLL
    + 2012-01-28 11:23 . 2012-01-28 11:23 1623040 c:\windows\Installer\59fd6.msi
    + 2012-01-28 11:24 . 2012-01-28 11:25 13156352 c:\windows\Installer\59fda.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
    @="{C5994560-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
    @="{C5994561-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
    @="{C5994562-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
    @="{C5994563-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
    @="{C5994564-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
    @="{C5994565-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
    @="{C5994566-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
    @="{C5994567-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
    @="{C5994568-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
    "RTHDCPL"="RTHDCPL.EXE" [2008-05-07 16862208]
    "MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-06-10 782336]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-11 1028096]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-09-14 215360]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\Martin\Start Menu\Programs\Startup\
    OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "HonorAutoRunSetting"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\SPSS16\\spss.com"=
    "c:\\Program Files\\SPSS16\\spss.exe"=
    "c:\\Program Files\\SPSS16\\SPSSWinWrapIDE.exe"=
    "c:\\Program Files\\PuTTy\\putty.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\eclipse\\eclipse.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\WINDOWS\\system32\\java.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    .
    R0 WRkrn;WRkrn;c:\windows\system32\drivers\WRkrn.sys [26/01/2012 12:04 109072]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [28/01/2012 11:24 89624]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [28/01/2012 11:24 148520]
    R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [11/06/2008 23:18 156160]
    S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
    S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
    S2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [11/06/2008 23:19 159744]
    S3 L6TPortB;Service - Line 6 TonePort UX2;c:\windows\system32\Drivers\L6TPortB.sys --> c:\windows\system32\Drivers\L6TPortB.sys [?]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [28/01/2012 11:24 87808]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bbc.co.uk/
    uInternet Connection Wizard,ShellNext = hxxp://www.msi.com.tw/
    uInternet Settings,ProxyOverride = *.local
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{ABD78E04-874A-41B5-B6AF-2878FA0BB260}: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\rig7qma3.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/|https://login.live.com/login.srf?wa...0&lc=2057&id=64855&mkt=en-gb&cbcxt=mai&snsc=1
    FF - prefs.js: network.proxy.ftp - localhost
    FF - prefs.js: network.proxy.ftp_port - 3128
    FF - prefs.js: network.proxy.gopher - localhost
    FF - prefs.js: network.proxy.gopher_port - 3128
    FF - prefs.js: network.proxy.http - localhost
    FF - prefs.js: network.proxy.http_port - 3128
    FF - prefs.js: network.proxy.socks - localhost
    FF - prefs.js: network.proxy.socks_port - 3128
    FF - prefs.js: network.proxy.ssl - localhost
    FF - prefs.js: network.proxy.ssl_port - 3128
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-02-02 11:24
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2332106328-2196180437-3818924662-1005\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(5372)
    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    c:\program files\TortoiseSVN\bin\TortoiseStub.dll
    c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
    c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
    c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll
    c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll
    c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll
    .
    Completion time: 2012-02-02 11:29:07
    ComboFix-quarantined-files.txt 2012-02-02 11:29
    ComboFix2.txt 2012-01-28 12:18
    ComboFix3.txt 2012-01-27 22:36
    .
    Pre-Run: 13,364,588,544 bytes free
    Post-Run: 13,430,407,168 bytes free
    .
    - - End Of File - - 5E47F38A362F14A6C1E405F5949AF2A2
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Hey Chris- that's great! Can I call you Dr. Chris now?

  20. chrizba

    chrizba Newcomer, in training Topic Starter Posts: 18

    You certainly can!

    Dr Chris(!)
  21. chrizba

    chrizba Newcomer, in training Topic Starter Posts: 18

    Keyboard issue resolved

    Hello,

    Just a note to let you know that following the advice from that forum thread I included in one of my previous posts has resulted in my keyboard function returning (better late than never, but I was getting quite proficient in using the onscreen keyboard!)

    So hopefully it's all good and all I need from you is the all-clear (which scans should I run again etc) and a clear out of the stuff used, and I can start my new life as a postgraduate research assistant with a fully functioning laptop!

    Cheers

    (Dr) Chris
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Dr. Chris:
    Now that you're over the biggest hurdle, if you haven't come across this yet, let me introduce you: Piled High and Deeper - AKA PhD. Maybe you have time now to look back with humor! (Please don't hold me responsible for all the content!)

    I am so glad you got the keyboard back! Did you use the UNetbootin and xPUD links? I had that on my desktop to have you try yesterday but ran out of time. I am glad to know it handled the pesky problem! It was a bit hard to troubleshoot because the process was infected, then wouldn't respond to the FCopy.

    Now that you're fully functional (except maybe for lack of sleep!) let's clean up a few entries:
    There was a hidden file I want to check out:
    Download catchme.exe ( 137KB ) and save to your desktop.
    • Double click the catchme.exe to run it
    • Click the "Scan" button to start scan
    • Open catchme.log to see results
    Copy the log to Notepad, making sure that 'Word Wrap' is unchecked in Format. Then paste the log in your next reply.
    ========================================
    Combofix looks pretty good- just a few removals:
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\drivers\SET4.tmp
    c:\windows\system32\drivers\hitmanpro36.sys
    Folder::
    c:\documents and settings\All Users\Application Data\HitmanPro
    DDS::
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=-
    "c:\\Program Files\\DNA\\btdna.exe"=-
    Clearjavacache::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    I strongly recommend that you uninstall the HitmanPro program. That program is a bundle of other programs, all found free on the internet and all fully functional. The scam with Hitman is that it will only 'fix' processes free during the trial period. After that, you have to buy the full program to get that functionality.
    Consider removing Bit Torrent also.
    ====================================
    I'd like you to run the Eset scan once more- just to be sure no processes got back in.

    I'll give the logs a quick look and if clean, will have you remove the tools we used.
  23. chrizba

    chrizba Newcomer, in training Topic Starter Posts: 18

    Okay, so either something has snuck back in when I sorted the keyboard thing (using xPud boot from flash drive) or there is a whole other problem, because things that need to access the web (updates, etc) don't seem to be able to in normal mode... This extended to combofix and eset, so I ran those in safe mode with networking...

    Logs below....

    Chris

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-02-04 18:34:58
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    source file error: C:\WINDOWS\system32\config\system
    scanning hidden registry entries ...

    source file error: C:\WINDOWS\system32\config\software
    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

    ComboFix 12-02-05.01 - Chris 04/02/2012 19:00:48.1.2 - x86 NETWORK
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.664 [GMT 0:00]
    Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Chris\Desktop\CFScript.txt
    .
    FILE ::
    "c:\windows\system32\drivers\hitmanpro36.sys"
    "c:\windows\system32\drivers\SET4.tmp"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\HitmanPro
    c:\documents and settings\All Users\Application Data\HitmanPro\Banner.bin
    c:\documents and settings\All Users\Application Data\HitmanPro\HitmanPro.key
    c:\documents and settings\All Users\Application Data\HitmanPro\HitmanPro.lic
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-04 to 2012-02-04 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-02 12:47 . 2008-04-14 00:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
    2012-02-02 12:47 . 2008-04-14 00:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
    2012-02-02 12:42 . 2012-02-02 12:42 -------- d-----w- c:\documents and settings\Martin\Application Data\McAfee
    2012-01-30 22:53 . 2012-02-01 22:21 -------- d-----w- c:\program files\Common Files\Java
    2012-01-30 22:52 . 2012-01-30 22:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-01-30 20:10 . 2012-02-01 15:11 -------- d-----w- C:\QUARANTINE
    2012-01-30 17:50 . 2012-01-30 17:50 -------- d-----w- C:\_OTM
    2012-01-28 11:24 . 2012-01-28 11:23 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2012-01-28 11:24 . 2012-01-28 11:23 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2012-01-28 11:24 . 2012-01-28 11:23 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2012-01-28 11:24 . 2012-01-28 11:23 119968 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2012-01-28 11:24 . 2012-01-28 11:23 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2012-01-28 11:24 . 2012-01-28 11:23 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2012-01-28 11:24 . 2012-01-28 11:23 148520 ----a-w- c:\windows\system32\mfevtps.exe
    2012-01-28 11:24 . 2012-01-28 11:23 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2012-01-28 11:22 . 2012-01-28 11:23 -------- d-----w- c:\program files\Common Files\McAfee
    2012-01-28 09:51 . 2012-01-28 09:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2012-01-27 17:43 . 2012-01-27 17:43 -------- d-----w- c:\program files\ESET
    2012-01-27 11:56 . 2012-01-27 12:10 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
    2012-01-27 11:00 . 2012-01-27 11:00 -------- d-----w- c:\documents and settings\Chris\Application Data\McAfee
    2012-01-27 10:59 . 2012-01-28 11:23 74848 ----a-w- c:\windows\system32\MfeOtlkAddin.dll
    2012-01-27 10:59 . 2012-01-28 11:23 22816 ----a-w- c:\windows\system32\MFEOtlk.dll
    2012-01-27 10:58 . 2012-01-28 11:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2012-01-27 10:58 . 2012-01-28 11:22 -------- d-----w- c:\program files\McAfee
    2012-01-27 10:52 . 2012-01-27 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\WRData
    2012-01-27 10:52 . 2012-01-27 10:52 -------- d-----w- c:\documents and settings\Chris\Application Data\IObit
    2012-01-26 12:04 . 2012-01-26 12:04 109072 ----a-w- c:\windows\system32\drivers\WRkrn.sys
    2012-01-25 23:49 . 2012-01-25 23:49 -------- d-----w- c:\documents and settings\Chris\Application Data\SUPERAntiSpyware.com
    2012-01-25 23:29 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-25 23:02 . 2012-01-25 23:02 -------- d-s---w- c:\documents and settings\NetworkService\UserData
    2012-01-23 12:18 . 2012-01-23 12:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
    2012-01-23 11:47 . 2009-09-27 09:39 369152 ----a-w- c:\windows\system32\avisynth.dll
    2012-01-23 11:47 . 2005-07-14 12:31 32256 ----a-w- c:\windows\system32\AVSredirect.dll
    2012-01-23 11:47 . 2004-02-22 10:11 719872 ----a-w- c:\windows\system32\devil.dll
    2012-01-23 11:47 . 2004-01-25 00:00 70656 ----a-w- c:\windows\system32\yv12vfw.dll
    2012-01-23 11:47 . 2004-01-25 00:00 70656 ----a-w- c:\windows\system32\i420vfw.dll
    2012-01-23 11:47 . 2012-01-23 11:47 -------- d-----w- c:\program files\AviSynth 2.5
    2012-01-17 12:15 . 2012-01-23 11:27 -------- d-----w- c:\documents and settings\Chris\.elan_data
    2012-01-17 12:12 . 2012-01-17 12:14 -------- d-----w- c:\program files\ELAN 4.1.2
    2012-01-16 11:58 . 2012-01-16 11:59 -------- d-----w- c:\documents and settings\Chris\Application Data\UAMCTAppData
    2012-01-10 11:29 . 2012-01-10 11:30 -------- d-----w- c:\program files\Weka-3-6
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-30 22:51 . 2010-09-10 12:28 472808 -c--a-w- c:\windows\system32\deployJava1.dll
    2011-12-08 15:35 . 2011-05-26 10:11 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-25 21:57 . 2008-06-11 01:46 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:25 . 2008-06-11 01:46 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-18 12:35 . 2008-06-11 01:46 60416 ----a-w- c:\windows\system32\packager.exe
    2011-11-16 14:21 . 2008-06-11 01:46 354816 ----a-w- c:\windows\system32\winhttp.dll
    2011-11-16 14:21 . 2008-06-11 01:46 152064 ----a-w- c:\windows\system32\schannel.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
    @="{C5994560-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
    @="{C5994561-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
    @="{C5994562-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
    @="{C5994563-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
    @="{C5994564-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
    @="{C5994565-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
    @="{C5994566-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
    @="{C5994567-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
    @="{C5994568-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
    2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
    "RTHDCPL"="RTHDCPL.EXE" [2008-05-07 16862208]
    "MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-06-10 782336]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-11 1028096]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-09-14 215360]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\Martin\Start Menu\Programs\Startup\
    OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [N/A]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-2-22 2938184]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "HonorAutoRunSetting"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\SPSS16\\spss.com"=
    "c:\\Program Files\\SPSS16\\spss.exe"=
    "c:\\Program Files\\SPSS16\\SPSSWinWrapIDE.exe"=
    "c:\\Program Files\\PuTTy\\putty.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\eclipse\\eclipse.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\WINDOWS\\system32\\java.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    .
    R0 WRkrn;WRkrn;c:\windows\system32\drivers\WRkrn.sys [26/01/2012 12:04 109072]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [28/01/2012 11:24 89624]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [28/01/2012 11:24 148520]
    R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [11/06/2008 23:18 156160]
    S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys --> c:\windows\system32\DRIVERS\AVGIDSEH.Sys [?]
    S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys --> c:\windows\system32\DRIVERS\avgrkx86.sys [?]
    S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys --> c:\windows\system32\DRIVERS\avgldx86.sys [?]
    S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
    S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
    S2 avgwd;AVG WatchDog;"c:\program files\AVG\AVG2012\avgwdsvc.exe" --> c:\program files\AVG\AVG2012\avgwdsvc.exe [?]
    S2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [11/06/2008 23:19 159744]
    S3 L6TPortB;Service - Line 6 TonePort UX2;c:\windows\system32\Drivers\L6TPortB.sys --> c:\windows\system32\Drivers\L6TPortB.sys [?]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [28/01/2012 11:24 87808]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - PXHELP20
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bbc.co.uk/
    uInternet Connection Wizard,ShellNext = hxxp://www.msi.com.tw/
    uInternet Settings,ProxyOverride = *.local
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{ABD78E04-874A-41B5-B6AF-2878FA0BB260}: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\rig7qma3.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/|https://login.live.com/login.srf?wa...0&lc=2057&id=64855&mkt=en-gb&cbcxt=mai&snsc=1
    FF - prefs.js: network.proxy.ftp - localhost
    FF - prefs.js: network.proxy.ftp_port - 3128
    FF - prefs.js: network.proxy.gopher - localhost
    FF - prefs.js: network.proxy.gopher_port - 3128
    FF - prefs.js: network.proxy.http - localhost
    FF - prefs.js: network.proxy.http_port - 3128
    FF - prefs.js: network.proxy.socks - localhost
    FF - prefs.js: network.proxy.socks_port - 3128
    FF - prefs.js: network.proxy.ssl - localhost
    FF - prefs.js: network.proxy.ssl_port - 3128
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-AVG_TRAY - c:\program files\AVG\AVG2012\avgtray.exe
    AddRemove-AVG - c:\program files\AVG\AVG2012\avgmfapx.exe
    AddRemove-jEdit_is1 - c:\program files\jEdit\unins000.exe
    AddRemove-Registry Mechanic_is1 - c:\program files\Registry Mechanic\unins000.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-02-04 19:11
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2332106328-2196180437-3818924662-1005\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    Completion time: 2012-02-04 19:15:19
    ComboFix-quarantined-files.txt 2012-02-04 19:15
    ComboFix2.txt 2012-02-02 11:29
    ComboFix3.txt 2012-01-28 12:18
    ComboFix4.txt 2012-01-27 22:36
    .
    Pre-Run: 14,371,913,728 bytes free
    Post-Run: 14,358,192,128 bytes free
    .
    - - End Of File - - 8D131BCAB9E88F45D618424ACCDB374A


    C:\System Volume Information\_restore{29FCC5FA-EBD7-491E-8808-604B0E4B3356}\RP3\A0000300.sys a variant of Win32/Rootkit.Kryptik.IM trojan
    C:\System Volume Information\_restore{29FCC5FA-EBD7-491E-8808-604B0E4B3356}\RP3\A0000336.sys a variant of Win32/Rootkit.Kryptik.IM trojan
    C:\System Volume Information\_restore{29FCC5FA-EBD7-491E-8808-604B0E4B3356}\RP3\A0000454.sys a variant of Win32/Rootkit.Kryptik.IM trojan
    C:\System Volume Information\_restore{29FCC5FA-EBD7-491E-8808-604B0E4B3356}\RP3\A0001659.sys a variant of Win32/Rootkit.Kryptik.IM trojan
    C:\_OTM\MovedFiles\01302012_175007\C_Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinWebdirb2.zip Win32/Bagle.gen.zip worm
    C:\_OTM\MovedFiles\01302012_175007\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\16\6d83d510-4006cb0e a variant of Win32/Kryptik.ZOF trojan
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Chris, looking at the entries in Combofix, it appears that both AVG and McAfee are running. I put you through an App Removal for AVG early on, before you ran the first Combofix. If you removed it then, perhaps you put it back. You need to have only 1 AV running. If you want it to be McAfee, use the AppRemover for AVG and make sure McAfee is currently updated.

    Current entry in Combofix:
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart

    Reboot when through.
    =================================
There are no new entries in the ESET scan. Qoobox is for Combofix quarantines and System Volume is for Restore Points. Neither of these is active on the system.
    ================================
The current Combofix log looks good. There is only the AVG registry entry and a folder for Hitman that needs removing.
    =================================
    About the current problem:
What are the "things" that need to access the web? Browser? Programs? Executable files?
    What happens when you try? Do you get any message? What?
    Have you checked the internet connections? They may have been reset.
    Can you even boot into Normal Mode?
    ==================================================
The error message that came up in catchme, "source file error: C:\WINDOWS\system32\config\system", indicates a corrupt registry. If that is the case, the following is a step by step fix for that:
    This appears to be well set up so that you can follow it. Take care to print the directions first, and follow the steps exactly as given:

    Recover a corrupted registry that prevents Windows XP from starting
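The reading Bobbye applies to the Combofix log above, working out from the driver and service lines which security products are really installed and which survive only as registry entries pointing at files that no longer exist, can be automated. The following Python is an added example, not code from the thread or from ComboFix itself: it parses the `R0`/`S1`-style lines of the "Reg Loading Points" section, treats the `--> ... [?]` tail as ComboFix's marker for an image file missing from disk, and groups entries by product using a small keyword map that is an assumption for this example. The sample input is a constructed excerpt of the service lines from the log above.

```python
r"""Triage the R*/S* driver and service lines of a ComboFix log.

Line shapes (R = running, S = stopped, digit = service start type):
    R0 name;display;c:\path\image.sys [dd/mm/yyyy hh:mm size]
    S2 name;display;c:\path\image.exe --> c:\path\image.exe [?]
The second shape is how ComboFix marks a registered service whose image
file is no longer on disk: a dead registry entry with nothing to uninstall.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

START_TYPES = {"0": "boot", "1": "system", "2": "automatic", "3": "manual", "4": "disabled"}

# Heuristic vendor map, an assumption for this example: substrings of the
# service name, display name or image path that identify the products seen in the log.
VENDOR_HINTS = {
    "avg": "AVG",
    "mfe": "McAfee",
    "mcafee": "McAfee",
    "sas_selfextract": "SUPERAntiSpyware",
    "hitmanpro": "HitmanPro",
}

LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
FOUND_RE = re.compile(r"^(?P<image>.+?)\s+\[(?P<stamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2})\s+(?P<size>\d+)\]$")
MISSING_RE = re.compile(r"^.+?\s+-->\s+(?P<image>.+?)\s+\[\?\]$")

# Constructed sample input: an excerpt of the service lines from the log above.
SAMPLE_LOG = r"""
R0 WRkrn;WRkrn;c:\windows\system32\drivers\WRkrn.sys [26/01/2012 12:04 109072]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [28/01/2012 11:24 89624]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys --> c:\windows\system32\DRIVERS\AVGIDSEH.Sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S2 avgwd;AVG WatchDog;"c:\program files\AVG\AVG2012\avgwdsvc.exe" --> c:\program files\AVG\AVG2012\avgwdsvc.exe [?]
S2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [11/06/2008 23:19 159744]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [28/01/2012 11:24 87808]
"""


@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool
    start_type: str
    image: str
    image_missing: bool
    size: Optional[int]

    @property
    def vendor(self) -> Optional[str]:
        haystack = f"{self.name} {self.display} {self.image}".lower()
        for hint, vendor in VENDOR_HINTS.items():
            if hint in haystack:
                return vendor
        return None

    @property
    def loads_from_temp(self) -> bool:
        # A driver registered from a user's Temp directory merits a look,
        # whether it is the leftover of a portable scanner or something worse.
        return "\\temp\\" in self.image.lower()


def parse_line(line: str) -> Optional[ServiceEntry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, blank, dotted separator or other non-service line
    base = (m.group("name"), m.group("display"), m.group("state") == "R", START_TYPES[m.group("start")])
    missing = MISSING_RE.match(m.group("rest"))
    if missing:
        return ServiceEntry(*base, missing.group("image"), True, None)
    found = FOUND_RE.match(m.group("rest"))
    if not found:
        return None
    return ServiceEntry(*base, found.group("image").strip('"'), False, int(found.group("size")))


def parse_services(text: str) -> List[ServiceEntry]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e is not None]


def triage(text: str) -> Dict[str, object]:
    """Group entries by product and separate installed products from dead registry entries."""
    entries = parse_services(text)
    live: Set[str] = set()
    dead: Set[str] = set()
    for e in entries:
        if e.vendor is not None:
            (dead if e.image_missing else live).add(e.vendor)
    return {
        "live_vendors": live,                  # binaries exist: the product is really present
        "stale_vendors": dead - live,          # only dead registry entries remain
        "partially_removed": dead & live,      # some binaries gone, some still present
        "missing_images": sorted(e.name for e in entries if e.image_missing),
        "temp_drivers": sorted(e.name for e in entries if e.loads_from_temp),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports McAfee as the only product with binaries on disk and AVG and SUPERAntiSpyware as stale: their files are gone, so a vendor uninstaller or AppRemover has nothing to act on and only the registry entries are left for a manual or scripted cleanup. The `temp_drivers` result singles out a system-start driver registered from a user's Temp directory, which is worth checking regardless of which product left it there.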
  25. chrizba

    chrizba Newcomer, in training Topic Starter Posts: 18

    Hi Bobbye

    The network issue was just the settings for McAfee - which I have now resolved. Other than that the computer seems to be behaving itself perfectly - in normal mode - so I'm not sure that recovery article is quite appropriate.

As for the AVG, I did not reinstall it - perhaps some components reinstated themselves when I fixed the keyboard issue? AppRemover doesn't find it, so I think it could be related to the registry thing.

And I still have no idea where the HitMan Pro is hiding - nothing to uninstall anywhere (folder in Qoobox, but you said that was related to Combofix and inactive), though there is a Hitmanpro36.sys in the drivers file - or could it be a rogue registry entry?

    Chris