Solved Unknown virus stopping everything from running

swisstonyholmes

Anybody who can help,

I have a system which boots OK, but when loading into any user profile no antivirus programs load and I'm unable to manually run anything, i.e. .exe files or any programs, without getting the "Open with" menu.

I have tried to slave the HDD up to another machine and run multiple scans with Malwarebytes, AVG, ESET and Panda online scanners but they find nothing.

Something seems to be stopping me from running anything to do with virus removal as well, i.e. I can’t run Malwarebytes, AVG or even GMER properly without this virus intervening.

I have been able to run DDS and have the report shown below if this is any use.

Any help would be greatly appreciated.

Thanks in advance,

Tony.

DDS log part 1


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 19/05/2008 14:57:29
System Uptime: 18/05/2011 19:44:19 (0 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | K8VM800M
Processor: AMD Sempron(tm) Processor 2800+ | Socket 754 | 1607/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 52.148 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VIA Rhine II Fast Ethernet Adapter
Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_E0001458&REV_78\3&13C0B0C5&0&90
Manufacturer: VIA Technologies, Inc.
Name: VIA Rhine II Fast Ethernet Adapter #2
PNP Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_E0001458&REV_78\3&13C0B0C5&0&90
Service: FET5X86V
.
==== System Restore Points ===================
.
RP547: 04/02/2011 19:44:37 - System Checkpoint
RP548: 07/02/2011 16:48:09 - System Checkpoint
RP549: 18/02/2011 18:13:33 - System Checkpoint
RP550: 23/02/2011 17:55:34 - System Checkpoint
RP551: 25/02/2011 19:16:07 - System Checkpoint
RP552: 27/02/2011 11:57:55 - System Checkpoint
RP553: 05/03/2011 12:17:43 - System Checkpoint
RP554: 06/03/2011 20:17:44 - System Checkpoint
RP555: 15/03/2011 18:16:58 - Avg Update
RP556: 15/03/2011 18:19:12 - Avg Update
RP557: 17/03/2011 19:08:58 - System Checkpoint
RP558: 20/03/2011 13:32:12 - System Checkpoint
RP559: 15/04/2011 19:58:10 - System Checkpoint
RP560: 15/04/2011 20:07:37 - Installed Java(TM) 6 Update 24
RP561: 15/04/2011 20:20:28 - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
RP562: 15/04/2011 20:21:07 - Installed AVG 2011
RP563: 15/04/2011 20:23:53 - Removed AVG Free 9.0
RP564: 15/04/2011 20:28:52 - Installed AVG 2011
RP565: 15/04/2011 21:33:23 - Software Distribution Service 3.0
RP566: 16/04/2011 09:25:44 - Software Distribution Service 3.0
RP567: 16/04/2011 09:52:04 - Software Distribution Service 3.0
RP568: 17/04/2011 10:20:41 - System Checkpoint
RP569: 18/04/2011 08:30:45 - Software Distribution Service 3.0
RP570: 20/04/2011 09:07:31 - Software Distribution Service 3.0
RP571: 20/04/2011 09:22:57 - Installed FW LiveUpdate
RP572: 20/04/2011 09:28:18 - Removed FW LiveUpdate
RP573: 20/04/2011 09:37:32 - Installed DirectX
RP574: 20/04/2011 09:39:25 - Installed Nero 9 Essentials 4.4.9.0
RP575: 20/04/2011 10:19:33 - Installed Nero InCD.
RP576: 21/04/2011 08:43:39 - Software Distribution Service 3.0
RP577: 21/04/2011 08:48:21 - Stable System
RP578: 28/04/2011 16:50:04 - Installed Rapport
RP579: 30/04/2011 18:20:17 - System Checkpoint
RP580: 18/05/2011 19:30:11 - Restore Operation
.
==== Installed Programs ======================
.
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Media Player
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Advertising Center
Apple Mobile Device Support
Apple Software Update
AVG 2011
CCleaner
CCScore
Coupon Printer
Critical Update for Windows Media Player 11 (KB959772)
DolbyFiles
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSTOOLS
essvatgt
fflink
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB945060-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
ImagXpress
iTunes
Java Auto Updater
Java(TM) 6 Update 24
kgcbaby
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
Lexmark 2200 Series
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 9 Essentials
Nero BurnRights
Nero BurnRights Help
Nero ControlCenter
Nero CoverDesigner
Nero CoverDesigner Help
Nero DiscSpeed
Nero DiscSpeed Help
Nero DriveSpeed
Nero DriveSpeed Help
Nero Express Help
Nero InCD
Nero InfoTool
Nero InfoTool Help
Nero Installer
Nero Online Upgrade
Nero PhotoSnap
Nero PhotoSnap Help
Nero Recode
Nero Recode Help
Nero ShowTime
Nero StartSmart
Nero StartSmart Help
Nero StartSmart OEM
Nero Vision
Nero Vision Help
NeroExpress
neroxml
netbrdg
OfotoXMI
QuickTime
Rapport
Realtek AC'97 Audio
S3GSetup
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
SFR
SHASTA
skin0001
SKINXSDK
staticcr
tooltips
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2345886)
Update for Windows XP (KB898461)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VIA Rhine-Family Fast-Ethernet Adapter
VIA/S3G Display Driver
VPRINTOL
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WIRELESS
.
==== Event Viewer Messages From Past Week ========
.
18/05/2011 19:54:04, error: Service Control Manager [7016] - The SmartLinkService service has reported an invalid current state 0.
18/05/2011 19:43:03, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.130.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
18/05/2011 19:43:03, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.130.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
18/05/2011 19:43:02, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.130.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
18/05/2011 19:43:02, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.130.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
18/05/2011 19:42:43, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.130.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
18/05/2011 19:09:05, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
18/05/2011 19:07:48, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdPPM Avgldx86 Avgmfx86 Avgtdix Fips InCDRec IPSec MpFilter MRxSmb NetBIOS NetBT RapportKELL RasAcd Rdbss Tcpip
18/05/2011 19:07:48, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
18/05/2011 19:07:48, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
18/05/2011 19:07:48, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
18/05/2011 19:07:48, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
18/05/2011 19:07:48, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
18/05/2011 19:07:04, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
11/05/2011 22:53:21, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
11/05/2011 22:52:25, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/05/2011 22:52:08, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
11/05/2011 21:14:10, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdPPM Avgldx86 Avgmfx86 Fips InCDRec MpFilter RapportKELL
11/05/2011 21:03:22, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.130.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
11/05/2011 21:03:22, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.130.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
11/05/2011 21:03:22, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.130.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
11/05/2011 21:03:22, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.130.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
11/05/2011 21:03:21, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.103.130.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6802.0 Error code: 0x80070424 Error description: The specified service does not exist as an installed service.
.
==== End Of File ===========================

DDS log part 2

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Alan at 19:54:00.05 on 18/05/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1215.596 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Nero\Tools\InCD\InCDSrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Documents and Settings\Alan\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://uk.yahoo.com
mStart Page = hxxp://uk.yahoo.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [tSfkTNduxrPpGPr.exe] c:\docume~1\alan\locals~1\temp\tSfkTNduxrPpGPr.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Lexmark 2200 Series] "c:\program files\lexmark 2200 series\lxbvbmgr.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [NBHGui] c:\program files\nero\tools\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\tools\incd\InCD.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [VTTrayp] VTtrayp.exe
mRun: [VTTimer] VTTimer.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {958A1A47-CD7C-4E5E-8F97-067DA0900DAE} = 194.72.9.34,194.72.0.98
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-1-19 32464]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-4-8 53816]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-2-10 296400]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl8363c67c;MpKsl8363c67c;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{91ff1576-442d-465d-975f-e6e70be0893d}\MpKsl8363c67c.sys [2011-5-18 28752]
R1 MpKsle8ac809a;MpKsle8ac809a;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{91ff1576-442d-465d-975f-e6e70be0893d}\MpKsle8ac809a.sys [2011-5-18 28752]
R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-3-6 390528]
R1 RapportCerberus_26169;RapportCerberus_26169;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\26169\RapportCerberus_26169.sys [2011-5-2 57144]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-4-8 66360]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-4-8 158904]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-2-15 7421280]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\tools\incd\NBHRegInCDSrv.exe [2009-10-16 53560]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-4-8 870200]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-3-30 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]
.
=============== Created Last 30 ================
.
2011-05-18 18:45:11 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{91ff1576-442d-465d-975f-e6e70be0893d}\MpKsl8363c67c.sys
2011-05-18 18:32:14 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{91ff1576-442d-465d-975f-e6e70be0893d}\MpKsle8ac809a.sys
2011-05-18 17:56:52 446464 ----a-w- C:\TFC.exe
2011-05-18 17:56:52 1407280 ----a-w- C:\TDSSKiller.exe
2011-05-11 19:50:58 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{91ff1576-442d-465d-975f-e6e70be0893d}\MpKsl21a78748.sys
2011-04-27 20:41:17 -------- d-----w- c:\docume~1\alan\locals~1\applic~1\Trusteer
2011-04-20 09:20:02 19096 ----a-w- c:\windows\system32\drivers\InCDRec.sys
2011-04-20 09:19:59 130200 ----a-w- c:\windows\system32\drivers\InCDFs.sys
2011-04-20 09:19:43 48280 ----a-w- c:\windows\system32\drivers\InCDPass.sys
2011-04-20 08:41:30 -------- d-----w- c:\program files\Nero
2011-04-20 08:40:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\Nero
2011-04-20 08:08:14 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{91ff1576-442d-465d-975f-e6e70be0893d}\mpengine.dll
.
==================== Find3M ====================
.
2011-04-15 19:00:27 0 ----a-w- c:\windows\Nmoyozewa.bin
2011-03-07 05:33:50 692736 ------w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ------w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ------w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ------w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ------w- c:\windows\system32\html.iec
2009-04-26 09:31:44 62270256 -c----w- c:\program files\avg8.exe
2009-01-30 17:18:22 51812984 -c----w- c:\program files\avg.exe
.
============= FINISH: 19:55:28.86 ===============
 
Tony, marking a thread Active is done by Broni or myself when we pick up a thread. You're lucky I checked or it would be next week with 'your' active thread!

Please download randmbam.exe

It will try to create random names and shortcuts for Malwarebytes Anti Malware(MBAM) if you have it installed already.

Once done, try running a scan again.
===================================
Part of the AV problem could be because you have 3 different versions of AVG loading:
AVG v8
AVG v9
AVG 2010
===================================
Additionally, you ran these:
2011-05-18 17:56:52 446464 ----a-w- C:\TFC.exe>> We pulled this from the thread because there have been some problems noted
2011-05-18 17:56:52 1407280 ----a-w- C:\TDSSKiller.exe>> more trying to fix?

RP577: 21/04/2011 08:48:21 - Stable System>> What happened after this?
RP578: 28/04/2011 16:50:04 - Installed Rapport> Why did you install more security?
RP580: 18/05/2011 19:30:11 - Restore Operation>> System Restore? What had you done previously trying to fix the problem?

We now follow this: TFC was removed before you ran the program.
Preliminary Virus and Malware Removal thread HERE.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Bobbye,

Firstly, sorry for the late response, I’m back on the case now. Secondly, sorry again for marking the thread Active; for some reason I marked it, can’t remember why, but I now know for the future.

I will try running randmbam.exe and let you know the results.

2011-05-18 17:56:52 446464 ----a-w- C:\TFC.exe>> We pulled this from the thread because there have been some problems noted

I’ve only run this because I personally see this as a good tool and having seen no problems using it in the past I thought it wouldn’t harm now. Tell me if I’m wrong and why or if you could advise another similar tool that would be great.

RP577: 21/04/2011 08:48:21 - Stable System>> What happened after this?
Ok about a month ago this same computer came to me with another fake antivirus tool installed, your colleague Broni helped me disinfect the system which I then passed back to my friend.

Please check my previous posts if you wish to see the history of the system so far with Broni’s help.

After disinfecting the system I created a stable system restore point, so as far as I was concerned the system was functioning fine with no problems.


RP578: 28/04/2011 16:50:04 - Installed Rapport> Why did you install more security?
A week later I have the computer back again with a similar problem, i.e. the one we have here. I have spoken to the owner about installing another duplicate security program, but they have no knowledge of doing so. I can therefore only presume it’s part of the infection?


RP580: 18/05/2011 19:30:11 - Restore Operation>> System Restore? What had you done previously trying to fix the problem?
As you can see one of the programs I had previously run was TDSSKILLER.exe and amongst other things mentioned at the beginning of the post, I tried to see if a system restore would help things, apparently not.

So after all that I will try your suggestion and post any results I have here ASAP.

Thanks for your help so far.

Tony.
 
Bobbye,

Ok, story so far: I've tried running randmbam.exe with no success. I have included some pictures of the error messages as I can’t even run Paint properly to copy and paste them.

When trying to run the program it wants to again open an "open with" box and refuses to go any further. I have to right click and run as administrator to get the program to do anything.

Also another concerning thing is that upon turning the system on it now thinks that the hardware has changed and now wants to re-activate windows again?? I can’t understand why this has happened and can only presume it’s all part of what we are trying to fix.

I now have 3 days in which to activate windows....again!

I will wait for a response from you before proceeding any further.

Tony.
 

Attachments: DSC00306.JPG (192.2 KB), DSC00307.JPG (182.5 KB), DSC00308.JPG (195.2 KB)
I’ve only run this because I personally see this as a good tool and having seen no problems using it in the past I thought it wouldn’t harm now. Tell me if I’m wrong and why or if you could advise another similar tool that would be great.
We also ran it because it was a good tool. But it got a glitch in it that was causing programs and/or entries to be removed that should not be, and they couldn't be recovered. So until that is resolved, we pulled it.
==========================================
Here is an alternative Temporary File Cleaner:
Download ATF-Cleaner by Atribune to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

This will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

Notes for Windows Vista users:

On Windows Vista "Windows Temp" is disabled; to empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".
Prefetch has been disabled on Windows Vista.
=====================================
For Malwarebytes:
Download it and save to the desktop first
Once downloaded, then run randmbam
When it has finished, try the Mbam scan again.

IF it still won't scan:
Try renaming the setup file to install.com (right click > rename)
-or-
Try installing in safe mode
=========================================
Regarding this:
RP578: 28/04/2011 16:50:04 - Installed Rapport> Why did you install more security?
A week later I have the computer back again with a similar problem i.e. the one we have here. I have spoken to the owner about installing another duplicate security program, but they have no knowledge of doing so. I can therefore only presume its part of the infection?

Rapport is a lightweight security software solution that protects web communication between enterprises, such as banks, and their customers and employees.
Rapport implements a completely new approach to protecting customers and employees. By locking down customer browsers and creating a tunnel for safe communication with the online website,
==========================================
There is a rogue program named System Defragmentor running:
uRun: [tSfkTNduxrPpGPr.exe] c:\docume~1\alan\locals~1\temp\tSfkTNduxrPpGPr.exe

It should be removed in Malwarebytes.
It can be removed in HijackThis.
I can use a script to remove it in Combofix.

1. Try the new directions to run Mbam.
2. Follow with Eset online virus scan:
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the (image) to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the (image: esetSmartInstallDesktopIcon.png) on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
    (image: esetonlinescannersettings_thumb.jpg)
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
=======================================
Follow with HijackThis:
Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
You will have to uninstall AVG to run Combofix:
Download AppRemover and save to the desktop
1. Double click the setup on the desktop> click Next
2. Select “Remove Security Application”
3. Let scan finish to determine security apps
4. A screen like below will appear:
   (image: image_preview)
5. Click on Next after choice has been made
6. Check the AVG program you want to uninstall
7. After uninstall shows complete, follow online prompts to Exit the program.

Temporary AV: Use one:
Avira-AntiVir-Personal-Free-Antivirus
Avast Free Version
=============================
Note: If Combofix is already on the desktop, please uninstall it and reinstall the current version. Uninstall directions, if needed:
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
------------------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    (image: whatnext.png)
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe (image: cf-icon.jpg) & follow the prompts to run.
  • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in next reply.
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please leave the following logs in the next reply:
1. Mbam is able to run
2. Eset scan
3. Combofix log
I do not need a log for the AVG app Remover.
 
Bobbye,

As I mentioned before Windows now wants to activate before letting me log into the machine, should I do this with my original product key or do you have another suggestion?

As I can't log in I've not tried any of the above mentioned fixes so far, I will wait for your response.

Tony.
 
Sorry- internet has been down. If you have the original key for the OS, go ahead with the reactivation.

As for Combofix:
NOTE: If, for some reason, Combofix refuses to run, try one of the following:
1. Run Combofix from Safe Mode.
2. Delete Combofix file, download fresh one, but rename combofix.exe to mcirish.exe BEFORE saving it to your desktop.
Do NOT run it yet.
3. Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
  • Rkill.com
  • Rkill.scr
  • Rkill.pif
  • Rkill.exe
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run then try to immediately run the following>>>>.

Please download exeHelper by Raktor and save it to your desktop.
  • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
  • A black window should pop up, press any key to close once the fix is completed.
  • A log file called exehelperlog.txt will be created and should open at the end of the scan.
  • A copy of that log will also be saved in the directory where you ran exeHelper.com
  • Copy and paste the contents of exehelperlog.txt in your next reply.

Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).

Rkill instructions
*************************************
Once you've gotten one of them to run, immediately run

mcirish.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.
 
Bobbye,

After re-activating windows all of my scans and installations of applications have been done in safe mode because I can run nothing in normal mode.

I have attached the required log files for your viewing; note that Eset did not find any virus so no log file is included.

Thanks,

Tony.

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6748

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

01/06/2011 22:25:02
mbam-log-2011-06-01 (22-25-02).txt

Scan type: Full scan (C:\|)
Objects scanned: 257772
Time elapsed: 19 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ComboFix 11-06-01.07 - Administrator 02/06/2011 19:21:28.1.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1215.890 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Alan\Application Data\Elbo
c:\documents and settings\Alan\Application Data\Elbo\seod.ryx
c:\documents and settings\Alan\Application Data\Esha
c:\documents and settings\Alan\Application Data\Esha\ozuv.nex
c:\documents and settings\Alan\Application Data\Hage
c:\documents and settings\Alan\Application Data\Hage\fiif.ubf
c:\documents and settings\Alan\Local Settings\Application Data\{86EAEFBC-B625-4ACC-AF7B-3EA9D5046AE5}
c:\documents and settings\Alan\Local Settings\Application Data\{86EAEFBC-B625-4ACC-AF7B-3EA9D5046AE5}\chrome.manifest
c:\documents and settings\Alan\Local Settings\Application Data\{86EAEFBC-B625-4ACC-AF7B-3EA9D5046AE5}\chrome\content\_cfg.js
c:\documents and settings\Alan\Local Settings\Application Data\{86EAEFBC-B625-4ACC-AF7B-3EA9D5046AE5}\chrome\content\overlay.xul
c:\documents and settings\Alan\Local Settings\Application Data\{86EAEFBC-B625-4ACC-AF7B-3EA9D5046AE5}\install.rdf
c:\documents and settings\PAULINE\Application Data\Loofm
c:\documents and settings\PAULINE\Application Data\Loofm\ehavb.kee
c:\documents and settings\PAULINE\Local Settings\Application Data\{E1D60807-30A7-420A-8F8B-E3844EBF72B8}
c:\documents and settings\PAULINE\Local Settings\Application Data\{E1D60807-30A7-420A-8F8B-E3844EBF72B8}\chrome.manifest
c:\documents and settings\PAULINE\Local Settings\Application Data\{E1D60807-30A7-420A-8F8B-E3844EBF72B8}\chrome\content\_cfg.js
c:\documents and settings\PAULINE\Local Settings\Application Data\{E1D60807-30A7-420A-8F8B-E3844EBF72B8}\chrome\content\overlay.xul
c:\documents and settings\PAULINE\Local Settings\Application Data\{E1D60807-30A7-420A-8F8B-E3844EBF72B8}\install.rdf
C:\Microsoft
c:\microsoft\Protect\CREDHIST
c:\windows\system\oeminfo.ini
.
.
((((((((((((((((((((((((( Files Created from 2011-05-02 to 2011-06-02 )))))))))))))))))))))))))))))))
.
.
2011-06-02 18:13 . 2011-06-02 18:13 -------- d-----w- c:\program files\Avira
2011-06-02 18:13 . 2011-06-02 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-06-02 18:13 . 2011-04-01 16:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-06-02 18:13 . 2011-04-01 16:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-06-02 18:13 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-06-02 18:13 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-06-01 21:32 . 2011-06-01 21:32 -------- d-----w- c:\windows\LastGood
2011-06-01 21:32 . 2011-06-01 21:32 -------- d-----w- c:\program files\ESET
2011-06-01 21:25 . 2011-06-02 05:34 -------- d-----w- C:\01 06 11
2011-06-01 20:59 . 2011-06-01 20:58 9435312 ----a-w- C:\mbam-setup-1.51.0.1200.exe
2011-06-01 20:59 . 2011-05-25 21:32 222714 ----a-w- C:\randmbam.exe
2011-05-18 17:56 . 2011-05-18 17:55 1407280 ----a-w- C:\TDSSKiller.exe
2011-05-18 17:56 . 2011-05-17 21:23 446464 ----a-w- C:\TFC.exe
2011-05-11 20:12 . 2011-06-01 21:26 -------- d-----w- c:\documents and settings\Administrator
2011-05-11 19:50 . 2011-05-11 19:50 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91FF1576-442D-465D-975F-E6E70BE0893D}\MpKsl21a78748.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 08:11 . 2011-04-15 19:10 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 08:11 . 2011-04-15 19:10 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-14 15:30 . 2011-04-16 08:38 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-11 07:04 . 2011-04-20 08:08 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91FF1576-442D-465D-975F-E6E70BE0893D}\mpengine.dll
2011-04-08 09:17 . 2011-04-08 09:17 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-03-08 08:22 . 2004-12-16 12:36 48128 ----a-w- c:\windows\system32\drivers\fetnd5bv.sys
2011-03-07 05:33 . 2008-05-19 13:51 692736 ------w- c:\windows\system32\inetcomm.dll
2009-04-26 09:31 . 2009-04-26 09:31 62270256 -c----w- c:\program files\avg8.exe
2009-01-30 17:18 . 2009-01-30 17:18 51812984 -c----w- c:\program files\avg.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2009-10-16 09:44 97072 ----a-w- c:\program files\Nero\Tools\InCD\NBHshx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"Lexmark 2200 Series"="c:\program files\Lexmark 2200 Series\lxbvbmgr.exe" [2004-02-13 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"NBHGui"="c:\program files\Nero\Tools\InCD\NBHGui.exe" [2009-10-16 1600816]
"InCD"="c:\program files\Nero\Tools\InCD\InCD.exe" [2009-10-16 1060136]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-29 1047656]
"VTTimer"="VTTimer.exe" [2004-10-22 53248]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"LexPPS.exe"="c:\windows\system32\lexpps.exe" [2004-01-14 174592]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
openURL.vbs [2011-6-2 271]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-06-02 10:13 267048 ------w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
S0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [08/04/2011 10:17 53816]
S1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [06/03/2010 17:05 390528]
S1 RapportCerberus_26169;RapportCerberus_26169;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys [02/05/2011 18:11 57144]
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [08/04/2011 10:17 66360]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [08/04/2011 10:17 158904]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [02/06/2011 19:13 136360]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Tools\InCD\NBHRegInCDSrv.exe [16/10/2009 10:44 53560]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [08/04/2011 10:17 870200]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [28/02/2006 13:00 14336]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ANTIVIRSERVICE
*NewlyCreated* - AVGNTFLT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 11:26]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://uk.yahoo.com
TCP: Interfaces\{958A1A47-CD7C-4E5E-8F97-067DA0900DAE}: NameServer = 194.72.9.34,194.72.0.98
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-VTTrayp - VTtrayp.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-02 19:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1708537768-1390067357-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,91,b0,48,49,0b,d9,4e,80,3a,bb,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,91,b0,48,49,0b,d9,4e,80,3a,bb,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(580)
c:\windows\system32\l3codeca.acm
.
Completion time: 2011-06-02 19:27:40
ComboFix-quarantined-files.txt 2011-06-02 18:27
.
Pre-Run: 56,189,702,144 bytes free
Post-Run: 56,247,771,136 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
.
- - End Of File - - 8A9B92B841A75884885198FFC2AB8523
 
I think that whoever owns this computer is doing more than you are aware of. Is this the prior work on this system you referred to? https://www.techspot.com/vb/topic162314.html

If it is, the user is going right back with outdated or insufficient security. I see things now not getting done. And upon reviewing this:
the system on it now thinks that the hardware has changed and now wants to re-activate windows again??

I'm wondering what 'hardware' is causing this. And if this has a legitimate copy of the OS on it, it makes no sense at all that on reactivating, it won't run in Normal Mode!
================================
This is curious: the winlogon.exe shows this:
Process name: l3codec.acm
Application using this process: MPEG Layer-3 Audio Codec for MSACM
Process author: Fraunhofer Institut Integrierte Schaltungen IIS
===================================
Please decide whether you want to run MSE or Avira. Uninstall the one you don't want to use. They are both running now. It doesn't matter that one is outdated and disabled. They are both loading:
AV: AntiVir Desktop *Disabled/Outdated*
AV: Microsoft Security Essentials
=======================================
Please run this Custom CFScript:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
C:\TDSSKiller.exe
C:\TFC.exe
C:\mbam-setup-1.51.0.1200.exe
c:\program files\avg8.exe
c:\program files\avg.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"FirewallOverride"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=-
RegLock::
[HKEY_USERS\S-1-5-21-1708537768-1390067357-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
Save this as CFScript.txt, in the same location as ComboFix.exe
(image: CFScriptB-4.gif)

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
What is this? I don't want to open it and have a gazillion files fall out! 2011-06-02 05:34 -------- d-----w- C:\01 06 11

When you finish with this, try booting into Normal Mode.
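The Security Center and firewall entries the CFScript above clears (AntiVirusOverride, FirewallOverride, DisableNotifications, with EnableFirewall sitting at 0) are exactly the values a rogue flips so Windows stops warning that protection is off, and the uRun entry launching from the user's temp folder is how it comes back at logon. As an added example, not code from this thread, from ComboFix or from any other tool used here, the Python script below reads a ComboFix/DDS-style excerpt and reports both kinds of finding. The sample excerpt is constructed from lines already present in the logs above; the EXPECTED table (what a clean machine should show) is my own assumption.

```python
"""Log triage for a ComboFix / DDS style report.

Added example for this thread, not part of ComboFix, DDS or any tool used
above. It scans report lines for two things the helper acts on in the
CFScript: Security Center / firewall values flipped to silence warnings,
and autostart entries that launch from a user's temp folder.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the ComboFix log in this thread plus
# the rogue uRun entry quoted by the helper. Treat it as test input only.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
uRun: [tSfkTNduxrPpGPr.exe] c:\docume~1\alan\locals~1\temp\tSfkTNduxrPpGPr.exe
"""


@dataclass(frozen=True)
class Finding:
    category: str   # "weak_setting" or "temp_autostart"
    location: str   # registry value or autostart entry name
    detail: str


# Values a clean XP box should have (my assumption of the hardened state):
# Security Center overrides off, firewall on, notifications enabled.
EXPECTED = {
    ("security center", "antivirusoverride"): 0,
    ("security center", "firewalloverride"): 0,
    ("firewallpolicy\\standardprofile", "enablefirewall"): 1,
    ("firewallpolicy\\standardprofile", "disablenotifications"): 0,
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Matches both export styles seen in the log: dword:00000001 and "0 (0x0)".
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*'
    r"(?:dword:(?P<hexv>[0-9a-fA-F]{8})|(?P<decv>\d+)\s*\(0x[0-9a-fA-F]+\))"
)
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')
URUN_RE = re.compile(r"^[a-zA-Z]*Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<path>.+)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def analyse(log_text: str) -> List[Finding]:
    """Walk the report once, tracking the current registry key."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        # DDS style "uRun:" / "mRun:" autostart lines carry their own path.
        m = URUN_RE.match(line)
        if m:
            if TEMP_DIR_RE.search(m.group("path")):
                findings.append(Finding("temp_autostart", m.group("name"), m.group("path")))
            continue
        # Values under a ...\Run key: report anything launched from \temp\.
        if current_key.endswith("\\run"):
            m = RUN_VALUE_RE.match(line)
            if m and TEMP_DIR_RE.search(m.group("path")):
                findings.append(Finding("temp_autostart", m.group("name"), m.group("path")))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        value = int(m.group("hexv"), 16) if m.group("hexv") else int(m.group("decv"))
        name = m.group("name").lower()
        for (key_suffix, value_name), expected in EXPECTED.items():
            if value_name == name and current_key.endswith(key_suffix) and value != expected:
                findings.append(Finding(
                    "weak_setting",
                    current_key + "\\" + m.group("name"),
                    "value is %d, expected %d" % (value, expected),
                ))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print("%-15s %s: %s" % (f.category, f.location, f.detail))
```

Run against the sample it reports the four weakened Security Center / firewall values and the temp-folder uRun entry; the same parser can be pointed at a full ComboFix.txt or DDS log saved to disk, since it only keys on the `[...]` headers, the two value formats, and the `uRun:`-style lines those reports use.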
 
Bobbye,

You are correct that the topic you mentioned was in your last post was indeed the same computer. I have spoken to the user and from completing the last topic with Broni and giving it back to the user now working and clean they are telling me that they have not installed any security software or modified any settings. There are however multiple family users of this computer and that’s not to say that someone else may have modified something.

As far as I’m aware this computer came from a legitimate store and the user has had no previous encounters of having to re-activate windows until now.

There may be some confusion over my description of "Normal Mode". I have had to run all programs in safe mode because through the normal logon process, i.e. not in safe mode or any other diagnostic mode, I'm unable to run any programs at all without an "Open With” box popping up when I double click on any icon on the desktop.

I will uninstall MSE and for now use AVIRA, but I would however like to go back to the latest free version of AVG when we are done.

C:\01 06 11 is a folder I created to put the up to date log files I have been creating for you.

After completing the run of your latest script file, starting off in Safe Mode, I let the computer restart in Normal Mode. This logged in OK and seemed to start up the usual tasks in the bottom right-hand corner of the taskbar, which is the first time I've seen this happen so far.

Shown below is the new log file.

Thanks,

Tony.





ComboFix 11-06-01.07 - Administrator 03/06/2011 0:01.2.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1215.934 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"C:\mbam-setup-1.51.0.1200.exe"
"c:\program files\avg.exe"
"c:\program files\avg8.exe"
"C:\TDSSKiller.exe"
"C:\TFC.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\mbam-setup-1.51.0.1200.exe
c:\program files\avg.exe
c:\program files\avg8.exe
C:\TDSSKiller.exe
C:\TFC.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-05-02 to 2011-06-02 )))))))))))))))))))))))))))))))
.
.
2011-06-02 23:08 . 2011-06-02 23:08 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91FF1576-442D-465D-975F-E6E70BE0893D}\MpKsl4b91ceab.sys
2011-06-02 18:13 . 2011-06-02 18:13 -------- d-----w- c:\program files\Avira
2011-06-02 18:13 . 2011-06-02 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-06-02 18:13 . 2011-04-01 16:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-06-02 18:13 . 2011-04-01 16:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-06-02 18:13 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-06-02 18:13 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-06-01 21:32 . 2011-06-01 21:32 -------- d-----w- c:\program files\ESET
2011-06-01 21:25 . 2011-06-02 18:28 -------- d-----w- C:\01 06 11
2011-06-01 20:59 . 2011-05-25 21:32 222714 ----a-w- C:\randmbam.exe
2011-05-11 20:12 . 2011-06-01 21:26 -------- d-----w- c:\documents and settings\Administrator
2011-05-11 19:50 . 2011-05-11 19:50 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91FF1576-442D-465D-975F-E6E70BE0893D}\MpKsl21a78748.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 08:11 . 2011-04-15 19:10 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 08:11 . 2011-04-15 19:10 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-14 15:30 . 2011-04-16 08:38 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-11 07:04 . 2011-04-20 08:08 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91FF1576-442D-465D-975F-E6E70BE0893D}\mpengine.dll
2011-04-08 09:17 . 2011-04-08 09:17 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-03-08 08:22 . 2004-12-16 12:36 48128 ----a-w- c:\windows\system32\drivers\fetnd5bv.sys
2011-03-07 05:33 . 2008-05-19 13:51 692736 ------w- c:\windows\system32\inetcomm.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2009-10-16 09:44 97072 ----a-w- c:\program files\Nero\Tools\InCD\NBHshx.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"Lexmark 2200 Series"="c:\program files\Lexmark 2200 Series\lxbvbmgr.exe" [2004-02-13 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"NBHGui"="c:\program files\Nero\Tools\InCD\NBHGui.exe" [2009-10-16 1600816]
"InCD"="c:\program files\Nero\Tools\InCD\InCD.exe" [2009-10-16 1060136]
"VTTimer"="VTTimer.exe" [2004-10-22 53248]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=""
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-06-02 10:13 267048 ------w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [08/04/2011 10:17 53816]
R1 MpKsl4b91ceab;MpKsl4b91ceab;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91FF1576-442D-465D-975F-E6E70BE0893D}\MpKsl4b91ceab.sys [03/06/2011 00:08 28752]
R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [06/03/2010 17:05 390528]
R1 RapportCerberus_26169;RapportCerberus_26169;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys [02/05/2011 18:11 57144]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [08/04/2011 10:17 66360]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [08/04/2011 10:17 158904]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [02/06/2011 19:13 136360]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Tools\InCD\NBHRegInCDSrv.exe [16/10/2009 10:44 53560]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [08/04/2011 10:17 870200]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\CFcatchme.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [28/02/2006 13:00 14336]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL4B91CEAB
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4163f87f-25ac-11dd-92c3-0014851fb060}]
\Shell\AutoRun\command - E:\support.bat
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{adcc9d45-25b7-11dd-92c6-0014851fb060}]
\Shell\AutoRun\command - E:\support.bat
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 11:26]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://uk.yahoo.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{958A1A47-CD7C-4E5E-8F97-067DA0900DAE}: NameServer = 194.72.9.34,194.72.0.98
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
HKCU-Run-tSfkTNduxrPpGPr.exe - c:\docume~1\Alan\LOCALS~1\Temp\tSfkTNduxrPpGPr.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-03 00:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(7488)
c:\windows\system32\WININET.dll
c:\program files\Nero\Tools\InCD\NBHshx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_179798c8\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Nero\Tools\InCD\InCDSrv.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Lexmark 2200 Series\lxbvbmon.exe
c:\windows\system32\VTTimer.exe
.
**************************************************************************
.
Completion time: 2011-06-03 00:19:01 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-02 23:18
ComboFix2.txt 2011-06-02 18:27
.
Pre-Run: 56,256,282,624 bytes free
Post-Run: 55,856,316,416 bytes free
.
- - End Of File - - 9B5B32FC7C549F4B4AC1A8A90A2DD79A
 
Bobbye,

From the outside the system looks fine. I now have access to all programs as usual, and everything seems to function and look as normal.

I've also run up Malwarebytes, which now starts fine. I could run another scan if you want?

I will wait for further instructions.

Thanks,

Tony.
 
I will uninstall MSE and for now use AVIRA, but I would however like to go back to the latest free version of AVG when we are done.
This is your choice, but I do not advise going back to AVG. You have better security with either Avira or Avast. I would encourage you to install a firewall also:
Free and good: Use only one:
Comodo
Zone Alarm
C:\01 06 11 is a folder I created to put the up to date log files I have been creating for you.
I thought it was something like that. No problem.
===================================================
I don't understand what you mean by this:
From the outside the system looks fine. I now have access to all programs as usual, and everything seems to function and look as normal.

Do you mean the problem has been resolved?
 
Bobbye,

Why would you not recommend AVG? I have used it for years now on my own computer with no problems.

I have now installed Zone Alarm as my firewall.

Everything now looks OK with the system. I'm now running the usual scans and Windows updates before returning the computer to its owner... again!

Are there any more scans you wish me to complete? If I find anything during these scans I'm doing now I will post under this message.

Thanks for your help so far,

Tony.
 
Why would you not recommend AVG? I have used it for years now on my own computer with no problems.

1. AVG misses much malware.
2. AVG doesn't quarantine much of the malware it finds.
3. AVG frequently finds only Tracking Cookies.
4. AVG has released numerous wrong updates causing users to get False Positive Win32Heur notices.
5. AVG has not left any way to disable it to run a security scan, such as ComboFix. This makes it necessary to uninstall it entirely.
6. IMO, there are much better AV programs than AVG.
============================================
One entry to remove:
Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=-
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
====================
Please update and rescan with the Eset Online Virus scan.

After I check that, I will have you remove the cleaning tools and then close this thread, since the problems have been resolved.
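As an added example for the two CFScripts in this thread (illustrative code written here, not part of ComboFix and not something Bobbye posted): a small Python checker that parses the "Reg Loading Points" block of a ComboFix log and flags the entries those scripts remove, i.e. the Security Center AntiVirusOverride/FirewallOverride values, DisableNotifications and EnableFirewall=0 under the standard firewall profile, and the Winlogon "Taskman" value, plus any Run entry that launches from a Temp folder, which the earlier log showed ComboFix removing as an orphan. The sample log below is constructed to mirror the shape of the logs above; the registry key and value names are the real ones the scripts reference, while the Temp-folder Run entry and its file name are made up.

```python
"""Flag tamper and persistence entries in a ComboFix "Reg Loading Points" dump.

Illustrative code for this thread, not part of ComboFix. The rules mirror
what the CFScripts posted above remove, plus a Temp-folder Run heuristic.
"""
import re
from typing import Dict, List, Tuple

KEY_RE = re.compile(r'^\[(.+)\]$')            # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "Name"=value ...

# Constructed sample, modelled on the ComboFix logs in this thread.
# The "updater" Run entry and its file name are invented.
SAMPLE_LOG = r"""REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="c:\docume~1\User\LOCALS~1\Temp\xYzRandom.exe" [2011-06-01 51200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"=dword:00000001
"""


def parse_reg_section(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {lower-cased registry key: [(value name, raw value), ...]}.

    Lines outside a bracketed key ('.' separators, REGEDIT4, notes) are ignored.
    """
    entries: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            entries.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries[current].append((m.group(1), m.group(2).strip()))
    return entries


def is_nonzero(raw: str) -> bool:
    """True for 'dword:00000001' or '1 (0x1)'; False for zero or empty values."""
    m = re.search(r'(?:dword:)?([0-9a-fA-F]+)', raw)
    return bool(m) and int(m.group(1), 16) != 0


def find_suspicious(entries: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Apply the thread's cleanup rules to parsed entries and describe each hit."""
    findings: List[str] = []
    for key, values in entries.items():
        for name, raw in values:
            lname = name.lower()
            if key.endswith('\\security center') and lname in ('antivirusoverride', 'firewalloverride'):
                if is_nonzero(raw):
                    findings.append(f'{name} set under Security Center (suppresses AV/firewall warnings)')
            elif key.endswith('firewallpolicy\\standardprofile'):
                if lname == 'disablenotifications' and is_nonzero(raw):
                    findings.append('DisableNotifications set: firewall warnings are hidden')
                elif lname == 'enablefirewall' and not is_nonzero(raw):
                    findings.append('Windows Firewall disabled in standard profile (expected only if a third-party firewall is installed)')
            elif key.endswith('\\winlogon') and lname == 'taskman':
                findings.append(f'Winlogon Taskman value present ({raw or "empty"}); not a default entry, the CFScript removes it')
            elif key.endswith('\\run') and '\\temp\\' in raw.lower():
                findings.append(f'Run entry "{name}" launches from a Temp folder: {raw}')
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_reg_section(SAMPLE_LOG)):
        print("FLAG:", finding)
```

Run it against a saved C:\ComboFix.txt by passing the file's contents to parse_reg_section; on the sample it reports six findings, one per rule hit. The Windows Firewall line is informational only: with ZoneAlarm installed, as in the later log, EnableFirewall=0 is the expected state.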
 
Bobbye,

New log files are shown below for your viewing; please note that Eset did not find any problems, although Avira did.

On a side note, what would you recommend to replace AVG with regards to a free antivirus program?

Thanks,

Tony.

ComboFix 11-06-03.02 - Alan 03/06/2011 23:05:38.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1215.714 [GMT 1:00]
Running from: c:\documents and settings\Alan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Alan\Desktop\CFScript.txt.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((( Files Created from 2011-05-03 to 2011-06-03 )))))))))))))))))))))))))))))))
.
.
2011-06-03 09:50 . 2011-06-03 11:10 -------- d-----w- c:\windows\system32\NtmsData
2011-06-03 09:40 . 2011-06-03 09:40 -------- d-----w- c:\windows\LastGood
2011-06-03 09:01 . 2011-06-03 09:01 -------- d-----w- c:\documents and settings\Alan\Application Data\CheckPoint
2011-06-03 08:59 . 2011-06-03 22:09 -------- d-----w- c:\windows\Internet Logs
2011-06-02 23:22 . 2011-06-02 23:22 -------- d-----w- c:\documents and settings\Alan\Application Data\Avira
2011-06-02 18:13 . 2011-06-02 18:13 -------- d-----w- c:\program files\Avira
2011-06-02 18:13 . 2011-06-02 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-06-02 18:13 . 2011-04-01 16:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-06-02 18:13 . 2011-04-01 16:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-06-02 18:13 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-06-02 18:13 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-06-01 21:32 . 2011-06-01 21:32 -------- d-----w- c:\program files\ESET
2011-06-01 21:25 . 2011-06-02 23:22 -------- d-----w- C:\01 06 11
2011-06-01 20:59 . 2011-05-25 21:32 222714 ----a-w- C:\randmbam.exe
2011-05-11 20:12 . 2011-06-01 21:26 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 08:11 . 2011-04-15 19:10 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 08:11 . 2011-04-15 19:10 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-01 06:37 . 2004-12-16 12:36 48128 ----a-w- c:\windows\system32\drivers\fetnd5bv.sys
2011-03-07 05:33 . 2008-05-19 13:51 692736 ------w- c:\windows\system32\inetcomm.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-06-02_18.25.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-06-03 09:04 . 2011-06-03 09:04 16384 c:\windows\temp\Perflib_Perfdata_7c0.dat
+ 2011-06-03 09:00 . 2011-03-18 00:24 99328 c:\windows\system32\ZoneLabs\zlquarantine.dll
+ 2011-06-03 09:00 . 2011-03-18 00:24 70656 c:\windows\system32\ZoneLabs\zatray.exe
+ 2011-06-03 09:00 . 2011-03-18 00:25 21504 c:\windows\system32\ZoneLabs\lib\zsys.zip.dll
+ 2011-06-03 09:00 . 2011-03-18 00:25 14336 c:\windows\system32\ZoneLabs\lib\zmenu.zip.dll
+ 2011-06-03 09:00 . 2011-03-18 00:25 48640 c:\windows\system32\ZoneLabs\lib\zfde.zip.dll
+ 2011-06-03 09:00 . 2011-03-18 00:25 85504 c:\windows\system32\ZoneLabs\lib\ZAlert.zip.dll
+ 2011-06-03 09:00 . 2011-03-18 00:25 37376 c:\windows\system32\ZoneLabs\lib\UpdateUI.zip.dll
+ 2011-06-03 09:00 . 2011-03-18 00:25 12800 c:\windows\system32\ZoneLabs\lib\oem_1488.zip.dll
+ 2011-06-03 09:00 . 2011-03-18 00:25 12800 c:\windows\system32\ZoneLabs\lib\oem_1487.zip.dll
+ 2011-06-03 09:00 . 2011-03-18 00:25 12800 c:\windows\system32\ZoneLabs\lib\oem_1486.zip.dll
+ 2011-06-03 09:00 . 2011-03-18 00:25 20992 c:\windows\system32\ZoneLabs\lib\oem_1466.zip.dll
+ 2011-06-03 09:00 . 2011-03-18 00:25 12800 c:\windows\system32\ZoneLabs\lib\oem_1460.zip.dll
+ 2011-06-03 09:00 . 2011-03-18 00:25 10240 c:\windows\system32\ZoneLabs\lib\oem_1454.zip.dll
+ 2011-06-03 09:00 . 2011-03-18 00:25 11264 c:\windows\system32\ZoneLabs\lib\oem_1445.zip.dll
+ 2011-06-03 09:00 . 2011-03-18 00:25 14336 c:\windows\system32\ZoneLabs\lib\oem_1440.zip.dll
+ 2011-06-03 09:00 . 2011-03-18 00:25 12288 c:\windows\system32\ZoneLabs\lib\oem_1413.zip.dll
+ 2011-06-03 09:00 . 2011-03-18 00:24 11264 c:\windows\system32\ZoneLabs\lib\oem_1010.zip.dll
+ 2011-06-03 09:00 . 2011-03-18 00:24 29184 c:\windows\system32\ZoneLabs\lib\NavBar.zip.dll
+ 2011-06-03 09:00 . 2011-03-18 00:24 13312 c:\windows\system32\ZoneLabs\lib\MainLoop.zip.dll
+ 2011-06-03 09:00 . 2011-03-18 00:24 35840 c:\windows\system32\ZoneLabs\lib\Alert.zip.dll
+ 2011-06-03 09:00 . 2011-03-18 00:24 38912 c:\windows\system32\ZoneLabs\featuremap.dll
+ 2011-06-03 09:00 . 2011-03-18 00:24 75776 c:\windows\system32\ZoneLabs\camupd.dll
+ 2011-06-03 09:00 . 2011-03-18 00:24 69120 c:\windows\system32\zlcomm.dll
+ 2011-06-03 09:00 . 2011-03-18 00:24 43008 c:\windows\system32\vswmi.dll
+ 2011-06-03 09:00 . 2011-03-18 00:24 58368 c:\windows\system32\vsregexp.dll
+ 2011-06-03 09:40 . 2006-10-27 07:26 69632 c:\windows\system32\ReinstallBackups\0001\DriverFiles\vuins32.dll
+ 2011-06-03 09:40 . 2011-03-08 08:22 48128 c:\windows\system32\ReinstallBackups\0001\DriverFiles\fetnd5bv.sys
+ 2006-02-28 12:00 . 2011-06-03 09:41 71962 c:\windows\system32\perfc009.dat
- 2006-02-28 12:00 . 2011-05-18 19:16 71962 c:\windows\system32\perfc009.dat
+ 2011-06-03 09:40 . 2006-10-27 07:26 69632 c:\windows\LastGood\system32\vuins32.dll
+ 2011-06-03 09:40 . 2011-03-08 08:22 48128 c:\windows\LastGood\system32\DRIVERS\fetnd5bv.sys
+ 2008-11-14 21:21 . 2011-06-03 08:47 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-11-14 21:21 . 2011-04-15 21:39 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-11-14 21:21 . 2011-06-03 08:47 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-11-14 21:21 . 2011-04-15 21:39 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-11-14 21:21 . 2011-04-15 21:39 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-11-14 21:21 . 2011-06-03 08:47 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-11-14 21:21 . 2011-06-03 08:47 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-11-14 21:21 . 2011-04-15 21:39 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2011-06-03 09:00 . 2011-06-03 09:00 4212 c:\windows\system32\zllictbl.dat
- 2008-11-14 21:21 . 2011-04-15 21:39 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-11-14 21:21 . 2011-06-03 08:47 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2011-06-03 09:00 . 2011-03-18 00:24 141824 c:\windows\system32\ZoneLabs\zlupdate.dll
+ 2011-06-03 09:00 . 2011-03-18 00:24 173056 c:\windows\system32\ZoneLabs\vsvault.dll
+ 2011-06-03 08:59 . 2011-03-18 00:24 211456 c:\windows\system32\ZoneLabs\vsdb.dll
+ 2011-06-03 09:00 . 2007-10-11 15:51 832984 c:\windows\system32\ZoneLabs\updating.dll
+ 2011-06-03 09:00 . 2011-03-18 00:24 434688 c:\windows\system32\ZoneLabs\ssleay32.dll
+ 2011-06-03 09:00 . 2011-03-18 00:24 135680 c:\windows\system32\ZoneLabs\scheduler.dll
+ 2011-06-03 09:00 . 2009-07-13 22:58 722392 c:\windows\system32\ZoneLabs\qrbase.dll
+ 2011-06-03 09:00 . 2011-03-18 00:25 126976 c:\windows\system32\ZoneLabs\lib\zui.zip.dll
+ 2011-06-03 09:00 . 2011-03-18 00:25 280064 c:\windows\system32\ZoneLabs\lib\TrayTest.zip.dll
+ 2011-06-03 09:00 . 2011-03-18 00:25 225792 c:\windows\system32\ZoneLabs\lib\Overview.zip.dll
+ 2011-06-03 09:00 . 2011-03-18 00:24 368640 c:\windows\system32\ZoneLabs\lib\LicenseUI.zip.dll
+ 2011-06-03 09:00 . 2011-03-18 00:24 184832 c:\windows\system32\ZoneLabs\lib\DashBoard.zip.dll
+ 2011-06-03 09:00 . 2011-03-18 00:24 375296 c:\windows\system32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2011-06-03 08:59 . 2010-02-08 07:41 595432 c:\windows\system32\ZoneLabs\icslta.dll
+ 2011-06-03 09:01 . 2010-11-08 17:58 284136 c:\windows\system32\ZoneLabs\ffapi.dll
+ 2011-06-03 09:00 . 2011-03-18 00:24 169984 c:\windows\system32\ZoneLabs\fbl.dll
+ 2011-06-03 09:00 . 2008-03-17 15:52 813568 c:\windows\system32\ZoneLabs\dbghelp.dll
+ 2011-06-03 09:00 . 2011-03-18 00:24 104448 c:\windows\system32\zlcommdb.dll
+ 2011-06-03 09:00 . 2011-03-18 00:24 110080 c:\windows\system32\vsxml.dll
+ 2011-06-03 08:59 . 2011-03-18 00:24 715264 c:\windows\system32\vsutil.dll
+ 2011-06-03 09:00 . 2011-03-18 00:24 302592 c:\windows\system32\vspubapi.dll
+ 2011-06-03 09:00 . 2011-03-18 00:24 108032 c:\windows\system32\vsmonapi.dll
+ 2011-06-03 08:59 . 2011-03-18 00:24 228864 c:\windows\system32\vsinit.dll
+ 2011-06-03 09:00 . 2010-05-13 09:02 532224 c:\windows\system32\vsdatant.sys
+ 2011-06-03 08:59 . 2011-03-18 00:24 112128 c:\windows\system32\vsdata.dll
+ 2011-06-03 09:40 . 2006-11-01 22:21 319456 c:\windows\system32\ReinstallBackups\0001\DriverFiles\difxapi.dll
- 2006-02-28 12:00 . 2011-05-18 19:16 443896 c:\windows\system32\perfh009.dat
+ 2006-02-28 12:00 . 2011-06-03 09:41 443896 c:\windows\system32\perfh009.dat
+ 2011-06-03 09:40 . 2006-11-01 22:21 319456 c:\windows\LastGood\system32\difxapi.dll
+ 2008-11-14 21:21 . 2011-06-03 08:47 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-11-14 21:21 . 2011-04-15 21:39 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-11-14 21:21 . 2011-04-15 21:39 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-11-14 21:21 . 2011-06-03 08:47 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-11-14 21:21 . 2011-06-03 08:47 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-11-14 21:21 . 2011-04-15 21:39 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-11-14 21:21 . 2011-04-15 21:39 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-11-14 21:21 . 2011-06-03 08:47 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-11-14 21:21 . 2011-04-15 21:39 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-11-14 21:21 . 2011-06-03 08:47 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2011-06-03 09:00 . 2011-03-18 00:24 1238528 c:\windows\system32\zpeng25.dll
+ 2011-06-03 09:00 . 2011-03-18 00:24 1790464 c:\windows\system32\ZoneLabs\vsruledb.dll
+ 2011-06-03 09:00 . 2011-03-18 00:26 2435592 c:\windows\system32\ZoneLabs\vsmon.exe
+ 2011-06-03 09:00 . 2011-03-18 00:25 1536512 c:\windows\system32\ZoneLabs\lib\zpy.zip.dll
+ 2011-04-27 10:14 . 2011-04-27 10:14 5520384 c:\windows\Installer\d87e.msp
+ 2011-04-29 12:04 . 2011-04-29 12:04 5053440 c:\windows\Installer\d86c.msp
+ 2008-05-19 15:30 . 2011-04-29 10:29 42829768 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2011-05-09 09:49 176936 ----a-w- c:\program files\ZoneAlarm_Security\prxtbZone.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2009-10-16 09:44 97072 ----a-w- c:\program files\Nero\Tools\InCD\NBHshx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"Lexmark 2200 Series"="c:\program files\Lexmark 2200 Series\lxbvbmgr.exe" [2004-02-13 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"NBHGui"="c:\program files\Nero\Tools\InCD\NBHGui.exe" [2009-10-16 1600816]
"InCD"="c:\program files\Nero\Tools\InCD\InCD.exe" [2009-10-16 1060136]
"VTTimer"="VTTimer.exe" [2004-10-22 53248]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2011-03-18 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-02-15 738808]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-06-02 10:13 267048 ------w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [02/06/2011 19:13 136360]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [15/02/2011 16:25 26872]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [15/02/2011 16:25 488952]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Tools\InCD\NBHRegInCDSrv.exe [16/10/2009 10:44 53560]
S1 RapportBuka;RapportBuka;\??\c:\windows\system32\drivers\RapportBuka.sys --> c:\windows\system32\drivers\RapportBuka.sys [?]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\CFcatchme.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [28/02/2006 13:00 14336]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - NTMSSVC
*NewlyCreated* - SWPRV
*NewlyCreated* - VSMON
*NewlyCreated* - VSS
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://uk.yahoo.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{958A1A47-CD7C-4E5E-8F97-067DA0900DAE}: NameServer = 194.72.9.34,194.72.0.98
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-03 23:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(684)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(740)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(2336)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_179798c8\MSVCR80.dll
c:\program files\Nero\Tools\InCD\NBHshx.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-06-03 23:13:33
ComboFix-quarantined-files.txt 2011-06-03 22:13
ComboFix2.txt 2011-06-02 23:19
ComboFix3.txt 2011-06-02 18:27
.
Pre-Run: 55,888,941,056 bytes free
Post-Run: 55,891,496,960 bytes free
.
- - End Of File - - BAA5B3755FE882D3003AC2D6182AD1C4

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6758

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

03/06/2011 11:19:32
mbam-log-2011-06-03 (11-19-32).txt

Scan type: Full scan (C:\|)
Objects scanned: 261234
Time elapsed: 43 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Avira AntiVir Personal
Report file date: 03 June 2011 11:28

Scanning for 2710957 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : ALAN-2CB3E130BF

Version information:

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: 03 June 2011 11:28

Starting search for hidden objects.

The scan of running processes will be started
Scan process 'dllhost.exe' - '57' Module(s) have been scanned
Scan process 'vssvc.exe' - '57' Module(s) have been scanned
Scan process 'avscan.exe' - '79' Module(s) have been scanned
Scan process 'avcenter.exe' - '72' Module(s) have been scanned
Scan process 'msdtc.exe' - '52' Module(s) have been scanned
Scan process 'dllhost.exe' - '71' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'EasyShare.exe' - '172' Module(s) have been scanned
Scan process 'ctfmon.exe' - '37' Module(s) have been scanned
Scan process 'avgnt.exe' - '60' Module(s) have been scanned
Scan process 'VTTimer.exe' - '25' Module(s) have been scanned
Scan process 'InCD.exe' - '38' Module(s) have been scanned
Scan process 'NBHGui.exe' - '35' Module(s) have been scanned
Scan process 'jusched.exe' - '32' Module(s) have been scanned
Scan process 'lxbvbmon.exe' - '31' Module(s) have been scanned
Scan process 'lxbvbmgr.exe' - '29' Module(s) have been scanned
Scan process 'SOUNDMAN.EXE' - '33' Module(s) have been scanned
Scan process 'alg.exe' - '45' Module(s) have been scanned
Scan process 'svchost.exe' - '47' Module(s) have been scanned
Scan process 'slserv.exe' - '21' Module(s) have been scanned
Scan process 'NBHRegInCDSrv.exe' - '25' Module(s) have been scanned
Scan process 'NBService.exe' - '54' Module(s) have been scanned
Scan process 'avshadow.exe' - '26' Module(s) have been scanned
Scan process 'jqs.exe' - '41' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '28' Module(s) have been scanned
Scan process 'avguard.exe' - '55' Module(s) have been scanned
Scan process 'svchost.exe' - '43' Module(s) have been scanned
Scan process 'sched.exe' - '47' Module(s) have been scanned
Scan process 'spoolsv.exe' - '67' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '34' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '34' Module(s) have been scanned
Scan process 'Explorer.EXE' - '124' Module(s) have been scanned
Scan process 'svchost.exe' - '49' Module(s) have been scanned
Scan process 'svchost.exe' - '44' Module(s) have been scanned
Scan process 'InCDSrv.exe' - '30' Module(s) have been scanned
Scan process 'svchost.exe' - '174' Module(s) have been scanned
Scan process 'svchost.exe' - '47' Module(s) have been scanned
Scan process 'svchost.exe' - '58' Module(s) have been scanned
Scan process 'lsass.exe' - '66' Module(s) have been scanned
Scan process 'services.exe' - '42' Module(s) have been scanned
Scan process 'winlogon.exe' - '76' Module(s) have been scanned
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '1653' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[0] Archive type: NSIS
--> ProgramFilesDir/handle.cfxxe
[1] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Qoobox\Quarantine\C\mbam-setup-1.51.0.1200.exe.vir
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
C:\Qoobox\Quarantine\C\TDSSKiller.exe.vir
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
C:\Qoobox\Quarantine\C\TFC.exe.vir
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
C:\System Volume Information\_restore{277102AF-CF18-4900-992D-7F2CB4FE30A2}\RP567\A0284450.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{277102AF-CF18-4900-992D-7F2CB4FE30A2}\RP580\A0289084.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{D49A7662-467B-4DEC-A560-D477F86C24CE}\RP16\A0002118.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{D49A7662-467B-4DEC-A560-D477F86C24CE}\RP16\A0002119.dll
[DETECTION] Is the TR/Trash.Gen Trojan

Beginning disinfection:
C:\System Volume Information\_restore{D49A7662-467B-4DEC-A560-D477F86C24CE}\RP16\A0002119.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '471cfcfd.qua'.
C:\System Volume Information\_restore{D49A7662-467B-4DEC-A560-D477F86C24CE}\RP16\A0002118.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '5f8bd35a.qua'.
C:\System Volume Information\_restore{277102AF-CF18-4900-992D-7F2CB4FE30A2}\RP580\A0289084.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '0dd689b2.qua'.
C:\System Volume Information\_restore{277102AF-CF18-4900-992D-7F2CB4FE30A2}\RP567\A0284450.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '6be1c670.qua'.
C:\Qoobox\Quarantine\C\TFC.exe.vir
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
[NOTE] The file was moved to the quarantine directory under the name '2e52ebb4.qua'.
C:\Qoobox\Quarantine\C\TDSSKiller.exe.vir
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
[NOTE] The file was moved to the quarantine directory under the name '5159d9db.qua'.
C:\Qoobox\Quarantine\C\mbam-setup-1.51.0.1200.exe.vir
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
[NOTE] The file was moved to the quarantine directory under the name '1d97f5b3.qua'.
C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '6193b5f4.qua'.


End of the scan: 03 June 2011 22:55
Used time: 43:17 Minute(s)

The scan has been done completely.

7011 Scanned directories
267009 Files were scanned
8 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
8 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
267001 Files not concerned
1402 Archives were scanned
0 Warnings
8 Notes
321983 Objects were scanned with rootkit scan
0 Hidden objects were found
 
I did not request the Avira scan. The entries 'found' are in the Qoobox, which is where Combofix sends the quarantined entries. The other entries were found in System Volume, which is the restore points.

All of these entries have been previously handled. The restore points are in the removal below.
=========================================
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
 
Bobbye,

First of all can you answer my question re recommended antivirus to replace AVG as per my last post.

Secondly, I have completed all of the above and all seems to be ok... with this account... but not with two others. There are five user accounts on the system; these are:

Alan (which works ok no problems, this is the profile I have been doing all of our work in)
Kayleigh (This also works fine.)
Kimberly (This also works fine.)
Pauline (This one still refuses to run any programs from the desktop and insists on executing all files with an "Open With" popup; it also fails to start Zone Alarm and Avira amongst other things. Basically it's doing exactly the same as Alan's profile did until you fixed it.)
Samantha (Does the same as Pauline's)

Let me know what you think,

Tony.
 
Please note: Combofix found entries in these 2 accounts, which means it checked them.
Alan
PAULINE
===========================
Reply #16
On a side note, what would you recommend to replace AVG with regards to a free anti virus program?
See below:
Reply #13
I will uninstall MSE and for now use AVIRA, but I would however like to go back to the latest free version of AVG when we are done.
This is your choice, but I do not advise going back to AVG. You have better security with either Avira or Avast.
Adding links:
Avira-AntiVir-Personal-Free-Antivirus
Avast-Free Antivirus
I would encourage you to install a firewall also:
Free and good: Use only one:
Comodo
Zone Alarm
If you want a good paid AV, I highly recommend ESET NOD32

See Reply #13
On a side note, what would you recommend to replace AVG with regards to a free anti virus program?

Accounts:
Alan (which works ok no problems, this is the profile I have been doing all of our work in.) But Combofix also removed entries for Pauline.
Kayleigh (This also works fine.)
Kimberly (This also works fine.)
Pauline (This one still refuses to run any programs from the desktop and insists on executing all files with an "Open With" popup; it also fails to start Zone Alarm and Avira amongst other things. Basically it's doing exactly the same as Alan's profile did until you fixed it.)
Samantha (Does the same as Pauline's)

Have the individuals check their own settings. The malware is gone and not the issue.
 
Bobbye,

Just to let you know all problems have now been fixed. I did some research on the "Open with exe problem" and came across the same fix on a few forums. It involved running a script file named "exe fix" from the "Kelly's Korner" website link. I ran this on both the profiles that were no longer running desktop icons and this fixed the problem.

Whether this was the right "technical" thing to do I'm not sure, but I'm happy all the same.

Thanks for your time and support with this matter. I know it has been a long slog but we got there in the end,

Cheers again.

Tony.
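The "Open With" prompt on every .exe described above is what a broken .exe file association produces, and a repair of the kind Tony ran rewrites that association's registry defaults. As an added example (not the Kelly's Korner script and not code from this thread), the following Python parses a .reg export and reports any deviation from the Windows XP defaults, then renders a .reg file that restores them; the hijacked export and its path are constructed placeholders.

```python
import re

# Windows XP defaults for the .exe association: what a repair like the "exe fix"
# in the thread restores. Added example, constructed here; not the Kelly's Korner script.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": {"@": "exefile"},
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {"@": '"%1" %*'},
}

def unescape(s):  # undo .reg escaping: backslash-quote, backslash-backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Parse [Key] headers and @=/"name"= values into {key: {name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m or current is None:
            continue
        name = "@" if m.group(1) == "@" else unescape(m.group(2))
        val = m.group(3)
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = unescape(val[1:-1])
        keys[current][name] = val  # non-string types (hex:, dword:) kept raw
    return keys

def check_exe_association(reg_text):
    """Return deviations from EXPECTED; an empty list means the keys are clean."""
    keys = parse_reg(reg_text)
    findings = []
    for key, wanted in EXPECTED.items():
        values = keys.get(key)
        if values is None:
            findings.append(f"{key}: key missing")
            continue
        for name, want in wanted.items():
            got = values.get(name)
            if got != want:
                findings.append(f"{key}\\{name}: got {got!r}, expected {want!r}")
    return findings

def repair_reg():
    """Render a .reg file that puts the EXPECTED defaults back."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, wanted in EXPECTED.items():
        lines.append(f"[{key}]")
        for name, val in wanted.items():
            esc = val.replace("\\", "\\\\").replace('"', '\\"')
            lines.append(("@" if name == "@" else f'"{name}"') + f'="{esc}"')
        lines.append("")
    return "\n".join(lines)

# Constructed sample export of a profile whose .exe association was redirected;
# the path is a placeholder, not a real indicator from the thread.
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="secfile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\PLACEHOLDER\\hijack.exe\" \"%1\" %*"
'''
```

Running `check_exe_association` on an export of the affected profile's keys shows which of the two values was changed; `repair_reg()` output round-trips through the checker with no findings.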
 
You're welcome. Thank you for the update. Since the issues have been resolved, I'll close this thread. Leaving some additional tips:

Tips for added security and safer browsing: (Links are in Bold Blue)
  1. Browser Security
    [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
    [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
    [o] Replace the Host Files
    [o] Google Toolbar Pop Up Blocker
    [o] Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
  2. Have layered Security:
    [o] Antivirus (only one): Both of the following programs are free and known to be good:
    [o] Avira-AntiVir-Personal-Free-Antivirus
    [o] Avast-Free Antivirus
    [o] Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
    [o] Comodo
    [o] Zone Alarm
  3. Antimalware: I recommend all of the following:
    [o] Spywareblaster: SpywareBlaster protects against bad ActiveX.
    [o] Spybot Search & Destroy
  4. Updates: Stay current:
    [o] Check the Microsoft Download Site frequently. All updates marked Critical and the current SP updates.
    [o] Adobe Reader: Install current, uninstall old.
    [o] Java Updates: Install current, uninstall old.
  5. Tracking Cookies
    Reset Cookies:
    [o] For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    [o] For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List
    [o] For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
  6. Do regular Maintenance
    [o] Temporary File Cleaner
  7. Restore Points:
    [o] See System Restore Guide
  8. Safe Email Handling
    [o] Don't open email from anyone you don't know.
    [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right-click.
    [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
Please let me know if you find any bad link.
 