Inactive NT Authority System shutdown & lsass.exe error


Smashh

I have an XP Pro with SP3. I was using the computer with no problems when I noticed the automatic update shield in the task bar. I clicked on it and it vanished only to reappear a few minutes later. This process repeated several times without actually installing anything so I rebooted my computer just to see if it would stop. Ever since then I keep getting this error:

"This shutdown was initiated by NT Authority System. The system process C:\WINDOWS\SYSTEM32\LSASS.EXE terminated unexpectedly with status code 073741795. The system will shut down and restart in 60 seconds"

I've run a full scan with Microsoft Security Essentials and Malwarebytes' Anti-Malware. I've also run the Symantec removal tool for the MSBlast and Sasser viruses and both scans came back clean, no signs of their respective viruses. I've run the Microsoft Malicious Software Removal Tool and it came back clean as well. I'm at my wit's end on what to do and I was hoping someone here might be able to provide a fix for me.

My HJT Log was run in safe mode with networking while logged in as an admin, as this is the only way I can log in. If I log in normally, the error message pops up before any icons or even the start button appear on the desktop.
 

Attachments

  • hijackthis.log
Welcome aboard


Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure you PASTE all logs. If some log exceeds the 50,000 character post limit, split it between a couple of replies.
Attached logs won't be reviewed.

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
 
lsass.exe shutdown problem

Okay, I read the steps in the link provided and I was able to boot into normal mode; however, just like every time before, the message pops up as soon as Windows loads, so I am unable to run any programs. The first thing I have to do is click Start --> Run, type cmd, press Enter and then type shutdown -a. This stops the shutdown timer and allows me to stay logged on. However, I am unable to run my antivirus (Microsoft Security Essentials) or Malwarebytes' Anti-Malware. MSE won't even turn on and MBAM locks up a few seconds into the scan... every time. I've tried downloading Avira and Avast, but when I click "Save" the browser locks up. I'm also unable to update my Java from version 6 update 24 to version 6 update 25. When I click on update, nothing happens at all... even after waiting for 10 minutes or longer. Also, I can't download and install anything, including HijackThis, in normal boot mode. I have it downloaded in safe mode though.


What should I do next?
 
Below are the requested logs in the order the scans were executed. Please note that I was unable to run my antivirus (Microsoft Security Essentials). When I tried to perform the scan, nothing happened. I let the scanning screen sit there for a good 10-15 minutes and there was absolutely no activity. I downloaded and installed Avira, linked in your 7-step instructions, but it would not run, citing that it could not scan because there was a parallel Microsoft Update in progress. I was unable to find any evidence of this. I downloaded and installed Avast, linked in your 7-step instructions, and it would not scan either, saying that the program was incorrectly installed and that I should reinstall it.

The remaining scans were executed in safe mode with networking enabled and I was logged in as Administrator.

MBAM LOG:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6630

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

5/20/2011 8:27:28 PM
mbam-log-2011-05-20 (20-27-28).txt

Scan type: Quick scan
Objects scanned: 146255
Time elapsed: 2 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\piffile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (???* %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



GMER LOG:

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit quick scan 2011-05-20 20:37:02
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 WDC_WD300AB-00BPA1 rev.18.20D18
Running: mfejy6vy.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwpdypow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----


DDS LOGS:
DDS:
.
DDS (Ver_11-05-19.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by Administrator at 20:38:31 on 2011-05-20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1697 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: ZoneAlarm Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2645238
uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
BHO: Trillian Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Trillian Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1304074353265
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
LSA: Notification Packages = scecli scecli
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\862a813j.default\
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
.
============= SERVICES / DRIVERS ===============
.
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-20 441176]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-5-20 307928]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-5-20 19544]
S2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-5-20 42184]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011-5-9 27064]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-5-18 532224]
.
=============== File Associations ===============
.
piffile=???*no open command defined ***
.
=============== Created Last 30 ================
.
2011-05-21 01:22:18 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-21 01:22:08 40112 ----a-w- c:\windows\avastSS.scr
2011-05-21 01:21:54 -------- d-----w- c:\program files\AVAST Software
2011-05-21 01:21:54 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2011-05-21 00:52:27 -------- d-----w- c:\documents and settings\administrator\application data\com.adobe.downloadassistant.AdobeDownloadAssistant
2011-05-21 00:52:16 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Adobe
2011-05-20 21:23:54 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e5d1cb4a-150f-4c49-bea4-a8c05ce57d57}\MpKsl6fd4304c.sys
2011-05-20 21:21:11 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e5d1cb4a-150f-4c49-bea4-a8c05ce57d57}\MpKsl7645f9a7.sys
2011-05-20 06:26:22 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e5d1cb4a-150f-4c49-bea4-a8c05ce57d57}\MpKsl5b6f13b0.sys
2011-05-19 08:11:40 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e5d1cb4a-150f-4c49-bea4-a8c05ce57d57}\MpKsl59a8ca47.sys
2011-05-19 07:40:41 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e5d1cb4a-150f-4c49-bea4-a8c05ce57d57}\MpKsl2357eaaa.sys
2011-05-19 06:27:03 -------- d-----w- c:\windows\pss
2011-05-19 05:55:12 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e5d1cb4a-150f-4c49-bea4-a8c05ce57d57}\MpKsle01e9af5.sys
2011-05-19 05:52:51 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e5d1cb4a-150f-4c49-bea4-a8c05ce57d57}\MpKslbe6189b9.sys
2011-05-19 05:50:01 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e5d1cb4a-150f-4c49-bea4-a8c05ce57d57}\MpKsl43c1a1c2.sys
2011-05-19 04:09:32 -------- d-----w- c:\documents and settings\administrator\application data\Mumble
2011-05-19 04:04:03 -------- d-----w- c:\documents and settings\administrator\application data\.purple
2011-05-19 03:35:22 -------- d-----w- c:\documents and settings\administrator\application data\Trillian
2011-05-19 02:33:35 -------- d-----w- c:\documents and settings\administrator\application data\CheckPoint
2011-05-19 02:27:33 -------- d-----w- c:\program files\Conduit
2011-05-19 02:27:29 -------- d-----w- c:\documents and settings\administrator\local settings\application data\ZoneAlarm_Security
2011-05-19 02:27:28 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Temp
2011-05-19 02:27:28 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Conduit
2011-05-19 02:27:25 -------- d-----w- c:\program files\ZoneAlarm_Security
2011-05-19 02:26:57 -------- d-----w- c:\program files\CheckPoint
2011-05-19 02:26:42 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2011-05-19 02:26:42 -------- d-----w- c:\windows\system32\ZoneLabs
2011-05-19 02:26:38 -------- d-----w- c:\program files\Zone Labs
2011-05-19 02:25:55 -------- d-----w- c:\windows\Internet Logs
2011-05-19 02:18:46 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2011-05-19 02:14:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-19 02:14:57 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-05-19 02:14:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-19 02:14:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-19 02:01:17 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Mozilla
2011-05-19 01:53:17 7071056 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e5d1cb4a-150f-4c49-bea4-a8c05ce57d57}\mpengine.dll
2011-05-19 01:48:15 -------- d-sh--w- c:\documents and settings\administrator\IECompatCache
2011-05-19 01:47:54 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
2011-05-19 01:47:01 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
2011-05-18 08:37:22 -------- d-----w- c:\program files\Audacity
2011-05-17 02:04:12 197120 ----a-w- c:\windows\system32\System47.scr
2011-05-17 02:04:11 -------- d-----w- c:\windows\system32\System47 dir
2011-05-15 07:27:59 7071056 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-05-15 03:59:46 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-15 03:56:01 -------- d-----w- c:\program files\Microsoft Security Client
2011-05-15 01:33:18 294912 ------w- c:\program files\windows media player\dlimport.exe
2011-05-15 01:33:15 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2011-05-15 01:29:44 19569 ----a-w- c:\windows\005967_.tmp
2011-05-14 00:13:10 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-12 02:18:53 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-05-12 02:18:53 215920 ----a-w- c:\windows\system32\muweb.dll
2011-05-12 02:18:53 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-05-12 01:48:18 -------- d-----w- c:\windows\system32\appmgmt
2011-05-12 00:39:33 -------- d-----w- C:\tazti_2.0_xp_32-bit
2011-05-09 23:20:39 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-05-09 23:20:32 -------- d-----w- c:\program files\VS Revo Group
2011-05-09 21:58:46 -------- dc-h--w- c:\windows\ie8
2011-05-09 21:25:29 -------- d-----w- c:\program files\Yahoo!
2011-05-08 21:09:02 -------- d-----w- c:\program files\VideoLAN
2011-05-08 20:37:06 -------- d-----w- c:\program files\GIMP-2.0
2011-05-06 17:59:49 -------- d-----w- c:\windows\system32\LogFiles
2011-05-06 17:58:09 -------- d-----w- c:\program files\Adobe Download Assistant
2011-05-04 19:58:26 -------- d-----w- c:\program files\Pidgin
2011-05-04 19:29:43 -------- d-----w- c:\program files\KVIrc
2011-05-03 16:50:14 819200 ----a-w- c:\windows\system32\xvidcore.dll
2011-05-03 16:50:14 77824 ----a-w- c:\windows\system32\xvid.ax
2011-05-03 16:50:14 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2011-05-03 16:50:14 -------- d-----w- c:\program files\Xvid
2011-05-02 21:44:16 -------- d-----w- c:\program files\common files\Akamai
2011-04-30 02:43:03 -------- d-----w- c:\windows\system32\XPSViewer
2011-04-30 02:42:14 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-04-30 02:41:21 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-04-30 02:41:21 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-04-30 02:41:21 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-04-30 02:41:21 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-04-30 02:41:21 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-04-30 02:41:21 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-04-30 02:41:21 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-04-30 02:41:21 117760 ------w- c:\windows\system32\prntvpt.dll
2011-04-30 02:37:14 -------- d-----w- c:\program files\MSXML 6.0
2011-04-30 02:17:10 28552 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\mdippr.dll
2011-04-30 02:17:10 28040 ----a-w- c:\windows\system32\mdimon.dll
2011-04-30 02:15:05 -------- d-----w- c:\program files\Microsoft ActiveSync
2011-04-30 02:13:47 -------- d-----w- c:\windows\SHELLNEW
2011-04-29 14:19:05 -------- d-----w- c:\windows\system32\NtmsData
2011-04-29 12:23:53 -------- d-----w- c:\windows\system32\ReinstallBackups
2011-04-29 11:58:09 -------- d-----w- c:\program files\BitTorrent
2011-04-29 11:34:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-29 11:34:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-29 10:58:40 -------- d-----w- c:\windows\system32\PreInstall
2011-04-29 10:58:39 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2011-04-29 10:58:38 -------- d--h--w- c:\windows\$hf_mig$
2011-04-29 10:54:10 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2011-04-29 10:54:10 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2011-04-29 10:54:10 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2011-04-29 10:54:09 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2011-04-29 10:54:09 -------- d-----w- c:\windows\system32\SoftwareDistribution
2011-04-29 10:00:38 -------- d-----r- c:\program files\Skype
2011-04-29 05:38:24 -------- d-----w- c:\program files\Ask.com
2011-04-29 05:25:49 -------- d-----w- c:\program files\Mumble
.
==================== Find3M ====================
.
2011-04-29 05:56:04 712704 ----a-w- c:\windows\inf\other\AUDIO3D.DLL
2011-03-04 19:44:14 59888 ------w- c:\windows\system32\pxwma.dll
2011-03-04 19:44:14 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys
2011-03-04 19:44:14 133616 ------w- c:\windows\system32\pxafs.dll
2011-03-04 19:44:12 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2011-03-04 19:44:12 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2011-03-04 19:44:12 126448 ------w- c:\windows\system32\pxinsi64.exe
2011-03-04 19:44:12 123888 ------w- c:\windows\system32\pxcpyi64.exe
.
============= FINISH: 20:39:34.04 ===============

ATTACH LOG:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-05-19.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/28/2011 11:44:59 PM
System Uptime: 5/20/2011 8:28:56 PM (0 hours ago)
.
Motherboard: | | P4X400-8235
Processor: Intel(R) Celeron(R) CPU 2.70GHz | Socket 478 | 2888/107mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 28 GiB total, 14.976 GiB free.
D: is CDROM (CDFS)
E: is CDROM (CDFS)
F: is FIXED (NTFS) - 93 GiB total, 25.717 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller (VGA Compatible)
Device ID: PCI\VEN_1002&DEV_71C2&SUBSYS_030B1002&REV_00\4&283A33D&0&0008
Manufacturer:
Name: Video Controller (VGA Compatible)
PNP Device ID: PCI\VEN_1002&DEV_71C2&SUBSYS_030B1002&REV_00\4&283A33D&0&0008
Service:
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller
Device ID: PCI\VEN_1002&DEV_71E2&SUBSYS_030A1002&REV_00\4&283A33D&0&0108
Manufacturer:
Name: Video Controller
PNP Device ID: PCI\VEN_1002&DEV_71E2&SUBSYS_030A1002&REV_00\4&283A33D&0&0108
Service:
.
==== System Restore Points ===================
.
RP111: 5/20/2011 5:33:21 AM - System Checkpoint
.
==== Installed Programs ======================
.
7-Zip 9.20
Adobe AIR
Adobe Download Assistant
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Ask Toolbar
Audacity 1.2.6
avast! Free Antivirus
BitTorrent
GIMP 2.6.11
Google Talk Plugin
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
Java Auto Updater
Java(TM) 6 Update 24
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Office Professional Edition 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2010 Tools for Office Runtime (x86)
Mozilla Firefox 4.0.1 (x86 en-US)
MSXML 6 Service Pack 2 (KB973686)
Mumble 1.2.3
PCI Audio Driver
Pidgin
Revo Uninstaller Pro 2.5.3
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB982381)
Skype™ 5.3
System47 Screen Saver
Trillian
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VLC media player 1.1.9
WebFldrs XP
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Format Runtime
Windows XP Service Pack 3
WinRAR 4.00 (32-bit)
Xvid 1.2.2 final uninstall
ZoneAlarm
ZoneAlarm Toolbar
.
==== Event Viewer Messages From Past Week ========
.
5/20/2011 8:30:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSP aswTdi Fips intelppm MpFilter
5/20/2011 8:23:36 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\AVAST Software\Avast\AvastUI.exe. Reference error message: The operation completed successfully. .
5/20/2011 8:12:44 PM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
5/20/2011 7:51:45 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.2031.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
5/20/2011 4:00:56 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.2031.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
5/20/2011 1:46:20 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.MFC. Reference error message: The referenced assembly is not installed on your system. .
5/20/2011 1:46:20 PM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\Michael\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
5/20/2011 1:46:20 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.MFC could not be found and Last Error was The referenced assembly is not installed on your system.
5/19/2011 9:28:48 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
5/19/2011 5:07:12 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service ImapiService with arguments "-Service" in order to run the server: {520CCA63-51A5-11D3-9144-00104BA11C5E}
5/19/2011 3:54:06 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
5/19/2011 3:06:44 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
5/19/2011 2:50:45 AM, error: Service Control Manager [7024] - The Computer Browser service terminated with service-specific error 2146 (0x862).
5/19/2011 2:48:11 AM, error: Service Control Manager [7038] - The SSDPSRV service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: The handle is invalid. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
5/19/2011 2:47:39 AM, error: Service Control Manager [7023] - The Microsoft Antimalware Service service terminated with the following error: %%2147550931
5/19/2011 2:47:24 AM, error: Service Control Manager [7023] - The Remote Access Connection Manager service terminated with the following error: Incorrect function.
5/19/2011 2:47:24 AM, error: Rasman [20033] - Remote Access Connection Manager failed to start because it could not register with the local security authority. Restart the computer. Incorrect function.
5/19/2011 2:47:21 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: A security package specific error occurred.
5/19/2011 2:47:21 AM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not start due to a logon failure.
5/19/2011 2:47:20 AM, error: Service Control Manager [7038] - The ALG service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: The handle is invalid. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
5/19/2011 2:47:18 AM, error: Service Control Manager [7038] - The SSDPSRV service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: An internal error occurred. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
5/19/2011 2:47:18 AM, error: Service Control Manager [7000] - The SSDP Discovery Service service failed to start due to the following error: The service did not start due to a logon failure.
5/19/2011 12:49:18 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
5/18/2011 8:51:43 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
5/18/2011 8:49:08 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Install Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80070008 Error description: Not enough storage is available to process this command.
5/18/2011 8:49:08 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Install Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80070008 Error description: Not enough storage is available to process this command.
5/18/2011 8:49:08 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Install Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80070008 Error description: Not enough storage is available to process this command.
5/18/2011 8:49:08 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Install Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80070008 Error description: Not enough storage is available to process this command.
5/18/2011 8:49:08 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Install Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80070008 Error description: Not enough storage is available to process this command.
5/18/2011 8:47:53 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm MpFilter
5/18/2011 8:47:37 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
5/18/2011 8:47:37 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
5/18/2011 8:46:55 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/18/2011 8:46:36 PM, error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Backup Error Code: 0x8050a005 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signature version: 1.103.1845.0;1.103.1845.0 Engine version: 1.1.6802.0
5/18/2011 8:44:12 PM, error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Backup Error Code: 0x8050a005 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signature version: 1.103.1845.0;1.103.1845.0 Engine version: 1.1.6802.0
5/18/2011 8:41:42 PM, error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Backup Error Code: 0x8050a005 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signature version: 1.103.1845.0;1.103.1845.0 Engine version: 1.1.6802.0
5/18/2011 8:39:09 PM, error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Backup Error Code: 0x8050a005 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signature version: 1.103.1845.0;1.103.1845.0 Engine version: 1.1.6802.0
5/18/2011 8:36:21 PM, error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Backup Error Code: 0x8050a005 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signature version: 1.103.1845.0;1.103.1845.0 Engine version: 1.1.6802.0
5/18/2011 8:34:02 PM, error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Backup Error Code: 0x8050a005 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signature version: 1.103.1845.0;1.103.1845.0 Engine version: 1.1.6802.0
5/18/2011 8:33:53 PM, error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x8050a005 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signature version: 1.103.1952.0;1.103.1952.0 Engine version: 1.1.6802.0
5/18/2011 8:33:47 PM, error: W32Time [46] - The time service encountered an error and was forced to shut down. The error was: 0x800706BA
5/18/2011 8:33:47 PM, error: Distributed Link Tracking Client [12502] - Service failed to start. Error = 80070862
5/18/2011 8:33:47 PM, error: Distributed Link Tracking Client [12500] - An internal error occured in Distributed Link Tracking. The error code was 80070862.
5/18/2011 6:33:57 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.103.2031.0).
5/18/2011 6:33:52 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.1952.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x80070643 Error description: Fatal error during installation.
5/18/2011 6:33:49 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: 1.103.2031.0 Previous Signature Version: 1.103.1952.0 Update Source: User Update Stage: Install Source Path: Signature Type: AntiVirus Update Type: Delta User: NT AUTHORITY\SYSTEM Current Engine Version: 1.1.6802.0 Previous Engine Version: 1.1.6802.0 Error code: 0x8050a005 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support.
5/18/2011 6:33:49 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: 1.103.2031.0 Previous Signature Version: 1.103.1952.0 Update Source: User Update Stage: Install Source Path: Signature Type: AntiSpyware Update Type: Delta User: NT AUTHORITY\SYSTEM Current Engine Version: 1.1.6802.0 Previous Engine Version: 1.1.6802.0 Error code: 0x8050a005 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support.
5/16/2011 6:27:59 PM, error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Backup Error Code: 0x80096010 Error description: The digital signature of the object did not verify. Signature version: 1.103.1753.0;1.103.1753.0 Engine version: 1.1.6802.0
5/16/2011 6:27:28 PM, error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x8050a005 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signature version: 1.103.1771.0;1.103.1771.0 Engine version: 1.1.6802.0
5/15/2011 11:19:36 PM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\D.
5/15/2011 11:19:36 PM, error: atapi [5] - A parity error was detected on \Device\Ide\IdePort0.
5/14/2011 7:28:16 PM, error: Schannel [36865] - A fatal error occurred while opening the system DSS cryptographic module. Operations that require the SSL or TLS cryptographic protocols will not work correctly. The error code is 0x80090006.
5/14/2011 10:53:09 PM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk0\D.
5/13/2011 8:39:26 PM, error: Dhcp [1002] - The IP address lease 69.247.11.212 for the Network Card with network address 00502C07EFF1 has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
5/13/2011 8:35:44 PM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 00502C07EFF1 has been denied by the DHCP server 68.87.68.19 (The DHCP Server sent a DHCPNACK message).
5/13/2011 7:33:57 PM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: Invalid Signature.
.
==== End Of File ===========================
 
Good :)

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
Click the "Scan" button to start scan:


On completion of the scan click "Save log", save it to your desktop and post in your next reply:


====================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, restart your computer to restore your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



Make sure you re-enable your security programs when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete the Combofix file, download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Both scans were conducted in safe mode with networking and logged in as administrator.

aswMBR LOG:

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-20 21:11:43
-----------------------------
21:11:43.140 OS Version: Windows 5.1.2600 Service Pack 3
21:11:43.140 Number of processors: 1 586 0x209
21:11:43.140 ComputerName: MICHAEL-C1C5524 UserName: Administrator
21:11:43.593 Initialize success
21:11:48.546 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
21:11:48.562 Disk 0 Vendor: WDC_WD300AB-00BPA1 18.20D18 Size: 28629MB BusType: 3
21:11:48.578 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
21:11:48.593 Disk 1 Vendor: Maxtor_6L100P0 BAJ41G20 Size: 95611MB BusType: 3
21:11:50.625 Disk 0 MBR read successfully
21:11:50.656 Disk 0 MBR scan
21:11:50.671 Disk 0 Windows XP default MBR code
21:11:52.687 Disk 0 scanning sectors +58605120
21:11:52.718 Disk 0 scanning C:\WINDOWS\system32\drivers
21:12:00.343 Service scanning
21:12:02.953 Disk 0 trace - called modules:
21:12:03.000 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaide.sys PCIIDEX.SYS
21:12:03.015 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89bc9ab8]
21:12:03.031 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\00000056[0x89bc63b8]
21:12:07.390 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x89b86d98]
21:12:07.703 Scan finished successfully
21:12:34.625 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
21:12:34.640 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"


COMBOFIX LOG:

ComboFix 11-05-19.02 - Administrator 05/20/2011 22:14:27.2.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1678 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Michael\Local Settings\Temp\IswTmp\WH\0
.
-- Previous Run --
.
Infected copy of c:\windows\system32\mshtml.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mshtml.dll
.
Infected copy of c:\windows\system32\mshtml.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mshtml.dll
.
Infected copy of c:\windows\system32\msvcrt.dll was found and disinfected
Restored copy from - c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll
.
Infected copy of c:\windows\system32\mshtml.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mshtml.dll
.
Infected copy of c:\windows\system32\msvcrt.dll was found and disinfected
Restored copy from - c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll
.
Infected copy of c:\windows\pchealth\helpctr\binaries\helpsvc.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB2229593\SP2QFE\helpsvc.exe
.
Infected copy of c:\windows\system32\mshtml.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mshtml.dll
.
Infected copy of c:\windows\system32\msvcrt.dll was found and disinfected
Restored copy from - c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll
.
Infected copy of c:\windows\pchealth\helpctr\binaries\helpsvc.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB2229593\SP2QFE\helpsvc.exe
.
Infected copy of c:\windows\system32\wbem\wmiprvse.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\wmiprvse.exe
.
--------
.
.
((((((((((((((((((((((((( Files Created from 2011-04-21 to 2011-05-21 )))))))))))))))))))))))))))))))
.
.
2011-05-12 00:39 . 2011-05-12 00:39 -------- d-----w- C:\tazti_2.0_xp_32-bit
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-29 05:56 . 2011-04-29 05:54 712704 ----a-w- c:\windows\inf\OTHER\AUDIO3D.DLL
2011-04-30 09:14 . 2011-04-29 05:34 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2011-03-28 16:22 176936 ----a-w- c:\program files\ZoneAlarm_Security\prxtbZone.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-02-02 00:17 1487240 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2011-03-18 1043968]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2011-03-22 74752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-02-15 738808]
"C-Media Mixer"="Mixer.exe" [2002-07-12 1581056]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"idsvc"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Michael\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
.
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [5/9/2011 6:20 PM 27064]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-115176313-725345543-1003Core.job
- c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-29 02:39]
.
2011-05-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-115176313-725345543-1003UA.job
- c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-29 02:39]
.
2011-05-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
2011-05-21 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
2011-05-21 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-02-02 00:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2645238
FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\oxt0fo8d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-20 22:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-05-20 22:24:38
ComboFix-quarantined-files.txt 2011-05-21 03:24
.
Pre-Run: 19,702,448,128 bytes free
Post-Run: 19,659,681,792 bytes free
.
- - End Of File - - A853E9B5D84AE75584260F0395F83518
 
The only change is that the error now makes no mention of NT Authority System. Instead, it now reads:

"This system is shutting down. Please save all work and log off. Any unsaved work will be lost. This shutdown was initiated by \.

The system process C:\WINDOWS\SYSTEM32\LSASS.EXE terminated unexpectedly with status code 073741795. The system will shut down and restart in 60 seconds"
 
Here's the fresh ComboFix log, run again in safe mode, logged in as administrator.

ComboFix Log:

ComboFix 11-05-19.02 - Administrator 05/21/2011 0:12.3.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1682 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Michael\Local Settings\Temp\IswTmp\WH\0
.
.
((((((((((((((((((((((((( Files Created from 2011-04-21 to 2011-05-21 )))))))))))))))))))))))))))))))
.
.
2011-05-12 00:39 . 2011-05-12 00:39 -------- d-----w- C:\tazti_2.0_xp_32-bit
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-29 05:56 . 2011-04-29 05:54 712704 ----a-w- c:\windows\inf\OTHER\AUDIO3D.DLL
2011-04-30 09:14 . 2011-04-29 05:34 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2011-03-28 16:22 176936 ----a-w- c:\program files\ZoneAlarm_Security\prxtbZone.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-02-02 00:17 1487240 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2011-03-18 1043968]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2011-03-22 74752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-02-15 738808]
"C-Media Mixer"="Mixer.exe" [2002-07-12 1581056]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"idsvc"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Michael\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
.
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [5/9/2011 6:20 PM 27064]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-115176313-725345543-1003Core.job
- c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-29 02:39]
.
2011-05-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-115176313-725345543-1003UA.job
- c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-29 02:39]
.
2011-05-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
2011-05-21 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
2011-05-21 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-02-02 00:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2645238
FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\oxt0fo8d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-21 00:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-05-21 00:20:45
ComboFix-quarantined-files.txt 2011-05-21 05:20
ComboFix2.txt 2011-05-21 03:24
.
Pre-Run: 19,645,243,392 bytes free
Post-Run: 19,642,585,088 bytes free
.
- - End Of File - - 93FA745FB38F8B58DBB7D0C607E919BA
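As an added example (not part of the original thread, and not ComboFix's own code), the Python script below parses the parts of the log above that a helper reads first: the Run key entries, the standard-profile firewall policy and its AuthorizedApplications list, the Scheduled Tasks block and the uStart Page line, then lists the leads worth checking. The embedded sample is a trimmed copy of the posted lines, marked as constructed; the watch-list of adware/toolbar markers and the wording of the findings are assumptions of the example, not conclusions drawn in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a trimmed copy of the ComboFix excerpt posted above.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2011-03-18 1043968]
"C-Media Mixer"="Mixer.exe" [2002-07-12 1581056]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-21 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-02-02 00:17]
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2645238
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"(?: \[(?P<date>\d{4}-\d\d-\d\d) (?P<size>\d+)\])?$')
AUTH_RE = re.compile(r'^"(?P<path>.+)"=$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\S+)')
TASK_RE = re.compile(r"^\d{4}-\d\d-\d\d c:\\windows\\Tasks\\(?P<job>.+\.job)$", re.IGNORECASE)
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[")
START_RE = re.compile(r"^uStart Page = (?P<url>\S+)")


@dataclass
class RunEntry:
    name: str
    path: str
    date: Optional[str]
    size: Optional[int]


@dataclass
class Report:
    run_entries: List[RunEntry] = field(default_factory=list)
    firewall_enabled: Optional[bool] = None  # None = EnableFirewall not seen in the log
    authorized_apps: List[str] = field(default_factory=list)
    tasks: List[Tuple[str, str]] = field(default_factory=list)  # (job file, target binary)
    start_page: Optional[str] = None


def parse_combofix(text: str) -> Report:
    """Pull the autostart-relevant blocks out of a ComboFix log."""
    report, section, pending_job = Report(), None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line == ".":  # ComboFix separates blocks with a lone '.'
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1).lower()  # lowercased registry key of the current [block]
        elif m := TASK_RE.match(line):
            section, pending_job = None, m.group("job")  # its "- target [date]" line follows
        elif (m := TARGET_RE.match(line)) and pending_job:
            report.tasks.append((pending_job, m.group("target")))
            pending_job = None
        elif m := START_RE.match(line):
            report.start_page = m.group("url")
        elif section is None:
            continue
        elif section.endswith(r"\currentversion\run") and (m := RUN_RE.match(line)):
            report.run_entries.append(RunEntry(
                m["name"], m["path"], m["date"], int(m["size"]) if m["size"] else None))
        elif section.endswith(r"\authorizedapplications\list") and (m := AUTH_RE.match(line)):
            report.authorized_apps.append(m["path"].replace("\\\\", "\\"))  # undo doubled '\'
        elif section.endswith(r"\firewallpolicy\standardprofile") and (m := VALUE_RE.match(line)):
            if m["name"] == "EnableFirewall":
                report.firewall_enabled = m["val"] != "0"
    return report


# Assumed watch-list for this example: strings helpers commonly associate with
# adware / unwanted toolbars. It is not a verdict from the thread.
PUP_MARKERS = ("ask.com", "ask toolbar", "conduit")


def triage(report: Report) -> List[str]:
    """Items a helper would read first. Each is a lead to verify, not a diagnosis."""
    findings = []
    if report.firewall_enabled is False:
        findings.append("Windows Firewall standard profile disabled (EnableFirewall=0); "
                        "acceptable only if a third-party firewall is really active")
    for e in report.run_entries:
        if "\\" not in e.path:  # bare name: resolved through the search path at logon
            findings.append(f'Run entry "{e.name}" gives no directory for {e.path}; '
                            f"confirm which {e.path} actually executes")
    for job, target in report.tasks:
        if any(k in f"{job} {target}".lower() for k in PUP_MARKERS):
            findings.append(f"Scheduled task {job} runs {target}")
    if report.start_page and any(k in report.start_page.lower() for k in PUP_MARKERS):
        findings.append(f"Browser start page set to {report.start_page}")
    return findings


if __name__ == "__main__":
    for item in triage(parse_combofix(SAMPLE)):
        print("-", item)
```

Run against the sample it reports four leads: the disabled Windows Firewall profile (expected here, since a ZoneAlarm client is in the Run key and Security Center monitoring of it is turned off), the "C-Media Mixer" entry that names Mixer.exe with no directory, the Ask Toolbar update task, and the conduit.com start page. None of these is the cause of the lsass.exe crash from the first post; the script only shows how the log's format can be read mechanically so the helper's eye goes to the right lines.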
 
Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/


  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
  • Close SUPERAntiSpyware.
Restart the computer in Safe Mode.
To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

  • Open SUPERAntiSpyware.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Post the SUPERAntiSpyware log.
 