Solved Windows XP virus/trojan - found by AVG resident shield but not able to remove

chrizba

Hello,

I have some sort of trojan/virus that makes my computer behave erratically (sometimes a Google redirect, sometimes it opens multiple windows of some type or other, sometimes it makes the AVG resident shield pop up claiming to have found a trojan in windows\temp with different filenames that have always disappeared by the time it gets to cleaning them). I have run various scans etc., and occasionally these find something, but often they do not, though I know the problem has not gone away.

Also, my system restore was completely corrupted so I couldn't restore to any point prior to when these beasties may have appeared.

I have followed the 5-step instructions and will include the relevant logs in subsequent posts.

Would be extremely grateful for any help, as I have my PhD viva next week and need my computer to behave itself between now and then!

Many thanks

Chris
 
MBAM log

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.27.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Chris :: CHRIZZA [administrator]

27/01/2012 12:31:08
mbam-log-2012-01-27 (12-31-08).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 189430
Time elapsed: 8 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
gmer.log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-01-27 12:41:34
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800BEVT-22ZCT0 rev.11.01A11
Running: y77rt8kv.exe; Driver: C:\DOCUME~1\Chris\LOCALS~1\Temp\ufldqpob.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys ZwCreateKey [0xF732D320]
Code mfehidk.sys ZwMapViewOfSection [0xF732D3B0]
Code mfehidk.sys ZwOpenKey [0xF732D30C]
Code mfehidk.sys ZwOpenProcess [0xF732D2E4]
Code mfehidk.sys ZwOpenThread [0xF732D2F8]
Code mfehidk.sys ZwRenameKey [0xF732D348]
Code mfehidk.sys ZwSetSecurityObject [0xF732D386]
Code mfehidk.sys ZwUnmapViewOfSection [0xF732D3C6]
Code mfehidk.sys ZwYieldExecution [0xF732D39A]
Code mfehidk.sys NtMapViewOfSection
Code mfehidk.sys NtOpenProcess
Code mfehidk.sys NtOpenThread
Code mfehidk.sys NtSetSecurityObject

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys
AttachedDevice \Driver\Tcpip \Device\Ip WRkrn.sys (Webroot SecureAnywhere/Webroot)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys
AttachedDevice \Driver\Tcpip \Device\Tcp WRkrn.sys (Webroot SecureAnywhere/Webroot)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys
AttachedDevice \Driver\Tcpip \Device\Udp WRkrn.sys (Webroot SecureAnywhere/Webroot)
AttachedDevice \Driver\Tcpip \Device\RawIp WRkrn.sys (Webroot SecureAnywhere/Webroot)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 WRkrn.sys (Webroot SecureAnywhere/Webroot)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 WRkrn.sys (Webroot SecureAnywhere/Webroot)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Processes - GMER 1.0.15 ----

Process C:\WINDOWS\system32\ping.exe (*** hidden *** ) 3216

---- EOF - GMER 1.0.15 ----
 
DDS.txt

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_24
Run by Chris at 12:42:49 on 2012-01-27
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.623 [GMT 0:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\System Control Manager\MSIService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bbc.co.uk/
mDefault_Page_URL = hxxp://www.msi.com.tw
uInternet Connection Wizard,ShellNext = hxxp://www.msi.com.tw/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mPolicies-explorer: HonorAutoRunSetting = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: acaptuser32.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\chris\application data\mozilla\firefox\profiles\rig7qma3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/|https://login.live.com/login.srf?wa...0&lc=2057&id=64855&mkt=en-gb&cbcxt=mai&snsc=1
FF - prefs.js: network.proxy.ftp - localhost
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - localhost
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla\firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla\firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys --> c:\windows\system32\drivers\mfehidk.sys [?]
R0 WRkrn;WRkrn;c:\windows\system32\drivers\WRkrn.sys [2012-1-26 109072]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 40016]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys --> c:\windows\system32\drivers\mfetdi2k.sys [?]
R1 SASDIFSV;SASDIFSV;c:\docume~1\chris\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\docume~1\chris\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2011-7-12 67664]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2008-6-11 159744]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys --> c:\windows\system32\drivers\mfeavfk.sys [?]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2008-6-11 156160]
S2 McShield;McAfee McShield;"c:\program files\common files\mcafee\systemcore\\mcshield.exe" --> c:\program files\common files\mcafee\systemcore\\mcshield.exe [?]
S2 McTaskManager;McAfee Task Manager;"c:\program files\mcafee\virusscan enterprise\vstskmgr.exe" --> c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [?]
S2 mfevtp;McAfee Validation Trust Protection Service;"c:\windows\system32\mfevtps.exe" --> c:\windows\system32\mfevtps.exe [?]
S3 L6TPortB;Service - Line 6 TonePort UX2;c:\windows\system32\drivers\l6tportb.sys --> c:\windows\system32\drivers\L6TPortB.sys [?]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys --> c:\windows\system32\drivers\mfebopk.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys --> c:\windows\system32\drivers\mferkdet.sys [?]
.
=============== Created Last 30 ================
.
2012-01-27 11:56:39 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-01-27 11:56:22 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-01-27 11:00:59 -------- d-----w- c:\documents and settings\chris\application data\McAfee
2012-01-27 10:59:58 74848 ----a-w- c:\windows\system32\MfeOtlkAddin.dll
2012-01-27 10:59:58 22816 ----a-w- c:\windows\system32\MFEOtlk.dll
2012-01-27 10:59:48 148520 ----a-w- c:\windows\system32\mfevtps.exe.7fc4.deleteme
2012-01-27 10:58:47 -------- d-----w- c:\program files\McAfee
2012-01-27 10:58:47 -------- d-----w- c:\program files\common files\McAfee
2012-01-27 10:52:14 -------- d-----w- c:\documents and settings\all users\application data\WRData
2012-01-27 10:52:13 -------- d-----w- c:\documents and settings\chris\application data\IObit
2012-01-26 12:04:27 109072 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2012-01-25 23:49:19 -------- d-----w- c:\documents and settings\chris\application data\SUPERAntiSpyware.com
2012-01-25 23:29:33 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-23 11:47:07 719872 ----a-w- c:\windows\system32\devil.dll
2012-01-23 11:47:07 70656 ----a-w- c:\windows\system32\yv12vfw.dll
2012-01-23 11:47:07 70656 ----a-w- c:\windows\system32\i420vfw.dll
2012-01-23 11:47:07 369152 ----a-w- c:\windows\system32\avisynth.dll
2012-01-23 11:47:07 32256 ----a-w- c:\windows\system32\AVSredirect.dll
2012-01-23 11:47:01 -------- d-----w- c:\program files\AviSynth 2.5
2012-01-17 12:15:11 -------- d-----w- c:\documents and settings\chris\.elan_data
2012-01-17 12:12:52 -------- d-----w- c:\program files\ELAN 4.1.2
2012-01-16 11:58:20 -------- d-----w- c:\documents and settings\chris\application data\UAMCTAppData
2012-01-10 11:29:41 -------- d-----w- c:\program files\Weka-3-6
2012-01-10 11:04:17 -------- d-----w- c:\program files\jEdit
2012-01-03 13:13:12 -------- d-----w- c:\documents and settings\chris\local settings\application data\Identities
2012-01-03 12:36:47 -------- d-----w- C:\Perl
.
==================== Find3M ====================
.
2011-12-08 15:35:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-03 15:28:36 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28:36 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-02 10:07:21 100 ----a-w- c:\windows\system32\prsgrc.dll
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
.
============= FINISH: 12:44:24.81 ===============
 
Attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 21/08/2008 08:26:46
System Uptime: 27/01/2012 12:08:41 (0 hours ago)
.
Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | U-100
Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz | CPU 1 | 1600/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 39 GiB total, 13.096 GiB free.
D: is FIXED (NTFS) - 32 GiB total, 8.176 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 27/01/2012 12:18:45 - System Checkpoint
RP2: 27/01/2012 12:23:40 - Removed McAfee VirusScan Enterprise.
RP3: 27/01/2012 12:26:31 - Removed McAfee Agent.
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
ActivePerl 5.12.4 Build 1205
Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
Adobe AIR
Adobe Flash Player 11 Plugin
Adobe Flash Player ActiveX
AiO_Scan_CDA
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG 2012
AVI Codec Pack
BitTorrent
Bluetooth Stack for Windows by Toshiba
Bonjour
BurnRecovery
CCleaner
CutePDF Writer 2.7
Dexter Coder
Dexter Converter
DNA
ELAN 4.1.2
GIMP 2.7.0
Google Calendar Sync
GPL Ghostscript 8.63
GSview 4.9
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Photosmart All-In-One Driver Software 10.0 Rel .2
HP Photosmart, Officejet and Deskjet 7.0.A
Intel(R) Graphics Media Accelerator Driver
iTunes
JabRef
Java Auto Updater
Java DB 10.6.2.1
Java(TM) 6 Update 24
Java(TM) SE Development Kit 6 Update 24
jEdit 4.5pre1
Line 6 Uninstaller
Malwarebytes Anti-Malware version 1.60.0.1800
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MiKTeX 2.8
Mozilla Firefox 9.0.1 (x86 en-GB)
Mozilla Thunderbird 9.0.1 (x86 en-GB)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
PS_AIO_02_Software_Min
QFolder
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
REALTEK RTL8187SE Wireless LAN Driver
Registry Mechanic 7.0
Scan
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
Skype™ 4.2
SPSS 16.0 for Windows
Synaptics Pointing Device Driver
System Control Manager
TeXnicCenter Version 1.0 Stable RC1
TomTom HOME Visual Studio Merge Modules
Toolbox
TortoiseSVN 1.6.1.16129 (32 bit)
TUGZip 3.5
Ulead Burn.Now 4.5
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596686) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB 2.0 Card Reader
VLC media player 1.1.11
WebFldrs XP
Weka 3.6.6
Windows Installer Clean Up
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format Runtime
.
==== Event Viewer Messages From Past Week ========
.
27/01/2012 12:11:20, error: Service Control Manager [7024] - The HitmanPro 3.6 Crusader (Boot) service terminated with service-specific error 0 (0x0).
27/01/2012 11:54:12, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
27/01/2012 11:54:03, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
27/01/2012 11:51:19, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
27/01/2012 11:10:11, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avgldx86 Avgmfx86 Fips intelppm SASDIFSV SASKUTIL Tosrfcom
27/01/2012 11:09:20, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
27/01/2012 10:57:12, error: Service Control Manager [7031] - The AVG WatchDog service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
27/01/2012 10:57:06, error: Service Control Manager [7031] - The AVG WatchDog service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
27/01/2012 10:57:01, error: Service Control Manager [7031] - The AVG WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
27/01/2012 10:56:51, error: Service Control Manager [7034] - The Windows User Mode Driver Framework service terminated unexpectedly. It has done this 1 time(s).
27/01/2012 10:56:28, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
27/01/2012 10:56:25, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
27/01/2012 10:55:44, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
27/01/2012 10:36:51, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
27/01/2012 10:26:00, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402
27/01/2012 09:26:00, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402
27/01/2012 06:26:00, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402
27/01/2012 04:26:00, error: Schedule [7901] - The At9.job command failed to start due to the following error: %%2147942402
27/01/2012 01:26:00, error: Schedule [7901] - The At3.job command failed to start due to the following error: %%2147942402
26/01/2012 22:26:00, error: Schedule [7901] - The At45.job command failed to start due to the following error: %%2147942402
26/01/2012 19:26:00, error: Schedule [7901] - The At39.job command failed to start due to the following error: %%2147942402
26/01/2012 18:09:56, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
26/01/2012 18:08:22, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
26/01/2012 10:27:30, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
25/01/2012 09:33:37, error: Dhcp [1002] - The IP address lease 192.168.1.72 for the Network Card with network address 001D92C9C145 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================
 
Welcome to TechSpot! I'll help with the malware, but we need to do some Housekeeping first:

1. You are running 2 security suites> McAfee and AVG2012. Please decide which you want to keep and remove the other. Multiple AV or FW make the system more vulnerable, not less.
Note: I am going to have you run Combofix and it will not run with AVG. Nor can AVG be disabled, so it will have to be temporarily uninstalled. If McAfee is current and functional, keep it and use the AppRemover for AVG. If McAfee is not current and functional, you can download one of the temporary AV offered.
Please reboot after the uninstall of the AV.
2. You are running a registry cleaner. We do not recommend that anyone use these programs as the risk is greater than any benefit. If you want to keep it anyway, please disable it while I'm helping you.
3. I recommend uninstalling Hitman Pro. This is a program that is bundled with security programs that are free on the internet. The big difference is that Hitman will only remove bad entries for free during the trial period, whereas the free-standing, free programs are fully functional.
4. Do not use Bit Torrent while I'm helping you. I recommend uninstalling it.
=====================================
To proceed: Please run the following online virus scan:
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
=====================================
When the Eset scan is complete, you can go on to the following:

You will need to temporarily uninstall AVG as follows: if applicable

Download AppRemover and save to the desktop
  1. Double click the setup on the desktop> click Next
  2. Select “Remove Security Application”
  3. Let scan finish to determine security apps
  4. A screen like below will appear:
  5. Click on Next after choice has been made
  6. Check the AVG program you want to uninstall
  7. After uninstall shows complete, follow online prompts to Exit the program.

Temporary AV: Use one: if needed
Avira-AntiVir-Personal-Free-Antivirus
Avast Free Version
=============================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Expect these- they are normal:
1. If asked to install or update the Recovery Console, allow. (You will need an internet connection for this.)
2. Before you run the Combofix scan, please disable any security software you have running.
3. Combofix may need to reboot your computer more than once to do its job; this is normal.

Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • If prompted for Recovery Console, please allow.
  • Once installed, you should see a blue screen prompt that says:
    • The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close/disable all anti virus and anti malware programs
    (If you need help with this, please see HERE)
  • Close any open browsers.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated- it will open a text window. Please paste the C:\ComboFix.txt in next reply.
Re-enable your Antivirus software.
Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=========================================
Please post both logs in next reply.
=======================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't follow directions given to someone else
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
If I haven't replied back to you within 48 hours, you can send a PM with your thread link in it as a reminder. Do not include technical problems from your thread. Support is given only in the forum.
Threads are closed after 5 days if there is no reply.

Edit: you're using FoxyProxy, correct? You may need to disable that.
 
Hello

Firstly thanks for helping me with this!

I ran the scans (see logs below) and all sorts of things have happened. Right now my keyboard (msi wind netbook) is dead so I have e-mailed myself this from my phone to cut n paste here...

Chris

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinWebdirb2.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\16\6d83d510-4006cb0e a variant of Win32/Kryptik.ZOF trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\40\7129ce28-5cafcf7e a variant of Java/Exploit.CVE-2011-3544.AF trojan
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8L2VCPQV\mazezu5.net[1] HTML/Iframe.B.Gen virus
C:\WINDOWS\system32\drivers\i8042prt.sys a variant of Win32/Rootkit.Kryptik.IF trojan
Operating memory multiple threats


ComboFix 12-01-27.01 - Chris 27/01/2012 22:14:43.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.610 [GMT 0:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Chris\GoToAssistDownloadHelper.exe
c:\documents and settings\Chris\WINDOWS
c:\windows\$NtUninstallKB24531$
c:\windows\$NtUninstallKB24531$\205541420
c:\windows\$NtUninstallKB24531$\3857431096\@
c:\windows\$NtUninstallKB24531$\3857431096\bckfg.tmp
c:\windows\$NtUninstallKB24531$\3857431096\cfg.ini
c:\windows\$NtUninstallKB24531$\3857431096\Desktop.ini
c:\windows\$NtUninstallKB24531$\3857431096\keywords
c:\windows\$NtUninstallKB24531$\3857431096\kwrd.dll
c:\windows\$NtUninstallKB24531$\3857431096\L\urapuonr
c:\windows\$NtUninstallKB24531$\3857431096\oemid
c:\windows\$NtUninstallKB24531$\3857431096\U\00000001.@
c:\windows\$NtUninstallKB24531$\3857431096\U\00000002.@
c:\windows\$NtUninstallKB24531$\3857431096\U\00000004.@
c:\windows\$NtUninstallKB24531$\3857431096\U\80000000.@
c:\windows\$NtUninstallKB24531$\3857431096\U\80000004.@
c:\windows\$NtUninstallKB24531$\3857431096\U\80000032.@
c:\windows\$NtUninstallKB24531$\3857431096\version
c:\windows\Fonts\._QUEEN_Mary.TTF
c:\windows\system32\prsgrc.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-12-27 to 2012-01-27 )))))))))))))))))))))))))))))))
.
.
2012-01-27 22:28 . 2012-01-27 22:28 -------- d-----w- c:\windows\LastGood
2012-01-27 22:14 . 2012-01-27 22:14 0 ----a-w- c:\windows\system32\drivers\SET4.tmp
2012-01-27 21:38 . 2012-01-27 21:38 -------- d-----w- c:\documents and settings\Chris\Application Data\Avira
2012-01-27 21:37 . 2011-09-18 08:39 134344 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-01-27 21:37 . 2011-09-15 23:55 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-01-27 21:37 . 2011-09-15 23:55 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-01-27 21:37 . 2012-01-27 21:37 -------- d-----w- c:\program files\Avira
2012-01-27 21:37 . 2012-01-27 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2012-01-27 17:43 . 2012-01-27 17:43 -------- d-----w- c:\program files\ESET
2012-01-27 11:56 . 2012-01-27 12:10 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-01-27 11:56 . 2012-01-27 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-01-27 11:00 . 2012-01-27 11:00 -------- d-----w- c:\documents and settings\Chris\Application Data\McAfee
2012-01-27 10:59 . 2012-01-27 10:59 74848 ----a-w- c:\windows\system32\MfeOtlkAddin.dll
2012-01-27 10:59 . 2012-01-27 10:59 22816 ----a-w- c:\windows\system32\MFEOtlk.dll
2012-01-27 10:58 . 2012-01-27 12:26 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-01-27 10:58 . 2012-01-27 12:24 -------- d-----w- c:\program files\McAfee
2012-01-27 10:52 . 2012-01-27 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\WRData
2012-01-27 10:52 . 2012-01-27 10:52 -------- d-----w- c:\documents and settings\Chris\Application Data\IObit
2012-01-26 12:04 . 2012-01-26 12:04 109072 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2012-01-25 23:49 . 2012-01-25 23:49 -------- d-----w- c:\documents and settings\Chris\Application Data\SUPERAntiSpyware.com
2012-01-25 23:29 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-25 23:02 . 2012-01-25 23:02 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2012-01-23 12:18 . 2012-01-23 12:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2012-01-23 11:47 . 2009-09-27 09:39 369152 ----a-w- c:\windows\system32\avisynth.dll
2012-01-23 11:47 . 2005-07-14 12:31 32256 ----a-w- c:\windows\system32\AVSredirect.dll
2012-01-23 11:47 . 2004-02-22 10:11 719872 ----a-w- c:\windows\system32\devil.dll
2012-01-23 11:47 . 2004-01-25 00:00 70656 ----a-w- c:\windows\system32\yv12vfw.dll
2012-01-23 11:47 . 2004-01-25 00:00 70656 ----a-w- c:\windows\system32\i420vfw.dll
2012-01-23 11:47 . 2012-01-23 11:47 -------- d-----w- c:\program files\AviSynth 2.5
2012-01-17 12:15 . 2012-01-23 11:27 -------- d-----w- c:\documents and settings\Chris\.elan_data
2012-01-17 12:12 . 2012-01-17 12:14 -------- d-----w- c:\program files\ELAN 4.1.2
2012-01-16 11:58 . 2012-01-16 11:59 -------- d-----w- c:\documents and settings\Chris\Application Data\UAMCTAppData
2012-01-10 11:29 . 2012-01-10 11:30 -------- d-----w- c:\program files\Weka-3-6
2012-01-10 11:04 . 2012-01-10 11:06 -------- d-----w- c:\program files\jEdit
2012-01-03 13:13 . 2012-01-03 13:13 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Identities
2012-01-03 12:36 . 2012-01-03 12:45 -------- d-----w- C:\Perl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-08 15:35 . 2011-05-26 10:11 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57 . 2008-06-11 01:46 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2008-06-11 01:46 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2008-06-11 01:46 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2008-06-11 01:46 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2008-06-11 01:46 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-03 15:28 . 2008-06-11 01:46 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2008-06-11 01:46 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2008-06-11 01:46 1288704 ----a-w- c:\windows\system32\ole32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 16862208]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-06-10 782336]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-11 1028096]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Martin\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SPSS16\\spss.com"=
"c:\\Program Files\\SPSS16\\spss.exe"=
"c:\\Program Files\\SPSS16\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\PuTTy\\putty.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 WRkrn;WRkrn;c:\windows\system32\drivers\WRkrn.sys [26/01/2012 12:04 109072]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [27/01/2012 21:37 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [27/01/2012 21:37 86224]
R2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [11/06/2008 23:19 159744]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [11/06/2008 23:18 156160]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S3 L6TPortB;Service - Line 6 TonePort UX2;c:\windows\system32\Drivers\L6TPortB.sys --> c:\windows\system32\Drivers\L6TPortB.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.msi.com.tw/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{ABD78E04-874A-41B5-B6AF-2878FA0BB260}: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\rig7qma3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/|https://login.live.com/login.srf?wa...0&lc=2057&id=64855&mkt=en-gb&cbcxt=mai&snsc=1
FF - prefs.js: network.proxy.ftp - localhost
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - localhost
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-klmdb.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-27 22:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2332106328-2196180437-3818924662-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1140)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\rundll32.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2012-01-27 22:36:16 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-27 22:36
.
Pre-Run: 13,914,992,640 bytes free
Post-Run: 14,337,220,608 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - A093821ED793551E9DA91AA9AAACAA04
 
Questions/Comments:

Antivirus
AVG removed
McAfee >>> Restore points show RP2: 27/01/2012 12:23:40 - Removed McAfee VirusScan Enterprise.
RP3: 27/01/2012 12:26:31 - Removed McAfee Agent.
Then installed 1/27>> not disabled for Combofix. Full program running.

Please get the antivirus down to one and disable the security when running Combofix.
================================
Please run the MGA Diagnostics tool
  • You will be prompted to either “Run” or “Save” the tool. Choose to “Run” the tool and follow the on-screen prompts.
  • You will receive an Internet Explorer-Security Warning dialog box for the Windows Genuine Advantage Diagnostic Tool>
  • You must choose to Run this tool when prompted.
  • Once you are presented with the Diagnostics tool choose Continue to run the diagnostic report.
  • If the RESOLVE button is available after running the diagnostics, please click RESOLVE to allow the diagnostic tool to attempt a repair.
  • After running the MGA Diagnostic tool, click on the Windows tab and then click on Copy
  • Please return to this thread and Paste the results here for review.
------------------------------------------
This tool is to look on the computer itself, in the documentation you received with the computer or with your retail purchase of Windows to see if you have a Certificate of Authenticity (COA). If you have one, tell us about the COA. Tell us:

1. What edition of Windows XP is it for, Home, Pro, or Media Center, or another version of Windows?
2. Does it read "OEM Software" or "OEM Product" in black lettering?
3. Or, does it have the computer manufacturer's name in black lettering?
4. DO NOT post the Product Key.

NOTE: The data collected with the Genuine Diagnostics Tool does NOT contain any information that can personally identify you and can be fully reviewed, by you, before being posted.
.
Avira installed 1/27
 
MGA results

Hi Bobbye

I have no idea why McAfee thought it was still installed. Silly me for thinking that uninstalling it would have the desired effect (and I certainly didn't subsequently reinstall it). I ran the AppRemover for failed uninstall, but it didn't find McAfee either. Please advise!

The MGA results are shown below

I'm afraid I can't find the physical COA, and the COA sticker on the bottom of the laptop doesn't seem to say any of the details requested.

Chris

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-WFM92-V2TVC-J2YBJ
Windows Product Key Hash: iqUeChZ1VgXrb6DNrz+0ntLIHzY=
Windows Product ID: 76477-OEM-2111907-00323
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.3.0.hom
ID: {EDFF69D2-4C7F-4154-A84B-355B5B8521E1}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Enterprise 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Mozilla\Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{EDFF69D2-4C7F-4154-A84B-355B5B8521E1}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010300.3.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-J2YBJ</PKey><PID>76477-OEM-2111907-00323</PID><PIDType>2</PIDType><SID>S-1-5-21-2332106328-2196180437-3818924662</SID><SYSTEM><Manufacturer>MICRO-STAR INTERNATIONAL CO., LTD</Manufacturer><Model>U-100</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>4.6.3</Version><SMBIOSVersion major="2" minor="4"/><Date>20080716000000.000000+000</Date></BIOS><HWID>94430B900184C065</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Micro-Star Int'l Co.,Ltd.</name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>64BC76978749586</Val><Hash>GW6PzcEVEDTVKeO5Ym5UUm41dBk=</Hash><Pid>89388-707-0441865-65798</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1F574:MICRO-STAR INTERNATIONAL CO., LTD
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A
 
Combofix

Ok, so what I have done now (I hope!) is reinstall McAfee and uninstall Avira.

I have then disabled the on-access scanner and rerun Combofix - see below...

Still no keyboard function


Chris

ComboFix 12-01-28.01 - Chris 28/01/2012 12:03:21.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.609 [GMT 0:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise+AntiSpyware Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-28 )))))))))))))))))))))))))))))))
.
.
2012-01-28 11:24 . 2012-01-28 11:23 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-01-28 11:24 . 2012-01-28 11:23 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-01-28 11:24 . 2012-01-28 11:23 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-01-28 11:24 . 2012-01-28 11:23 119968 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2012-01-28 11:24 . 2012-01-28 11:23 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-01-28 11:24 . 2012-01-28 11:23 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-01-28 11:24 . 2012-01-28 11:23 148520 ----a-w- c:\windows\system32\mfevtps.exe
2012-01-28 11:24 . 2012-01-28 11:23 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2012-01-28 11:22 . 2012-01-28 11:23 -------- d-----w- c:\program files\Common Files\McAfee
2012-01-28 09:51 . 2012-01-28 09:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2012-01-27 22:14 . 2012-01-27 22:14 0 ----a-w- c:\windows\system32\drivers\SET4.tmp
2012-01-27 17:43 . 2012-01-27 17:43 -------- d-----w- c:\program files\ESET
2012-01-27 11:56 . 2012-01-27 12:10 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-01-27 11:56 . 2012-01-27 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-01-27 11:00 . 2012-01-27 11:00 -------- d-----w- c:\documents and settings\Chris\Application Data\McAfee
2012-01-27 10:59 . 2012-01-28 11:23 74848 ----a-w- c:\windows\system32\MfeOtlkAddin.dll
2012-01-27 10:59 . 2012-01-28 11:23 22816 ----a-w- c:\windows\system32\MFEOtlk.dll
2012-01-27 10:58 . 2012-01-28 11:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-01-27 10:58 . 2012-01-28 11:22 -------- d-----w- c:\program files\McAfee
2012-01-27 10:52 . 2012-01-27 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\WRData
2012-01-27 10:52 . 2012-01-27 10:52 -------- d-----w- c:\documents and settings\Chris\Application Data\IObit
2012-01-26 12:04 . 2012-01-26 12:04 109072 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2012-01-25 23:49 . 2012-01-25 23:49 -------- d-----w- c:\documents and settings\Chris\Application Data\SUPERAntiSpyware.com
2012-01-25 23:29 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-25 23:02 . 2012-01-25 23:02 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2012-01-23 12:18 . 2012-01-23 12:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2012-01-23 11:47 . 2009-09-27 09:39 369152 ----a-w- c:\windows\system32\avisynth.dll
2012-01-23 11:47 . 2005-07-14 12:31 32256 ----a-w- c:\windows\system32\AVSredirect.dll
2012-01-23 11:47 . 2004-02-22 10:11 719872 ----a-w- c:\windows\system32\devil.dll
2012-01-23 11:47 . 2004-01-25 00:00 70656 ----a-w- c:\windows\system32\yv12vfw.dll
2012-01-23 11:47 . 2004-01-25 00:00 70656 ----a-w- c:\windows\system32\i420vfw.dll
2012-01-23 11:47 . 2012-01-23 11:47 -------- d-----w- c:\program files\AviSynth 2.5
2012-01-17 12:15 . 2012-01-23 11:27 -------- d-----w- c:\documents and settings\Chris\.elan_data
2012-01-17 12:12 . 2012-01-17 12:14 -------- d-----w- c:\program files\ELAN 4.1.2
2012-01-16 11:58 . 2012-01-16 11:59 -------- d-----w- c:\documents and settings\Chris\Application Data\UAMCTAppData
2012-01-10 11:29 . 2012-01-10 11:30 -------- d-----w- c:\program files\Weka-3-6
2012-01-10 11:04 . 2012-01-10 11:06 -------- d-----w- c:\program files\jEdit
2012-01-03 13:13 . 2012-01-03 13:13 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Identities
2012-01-03 12:36 . 2012-01-03 12:45 -------- d-----w- C:\Perl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-08 15:35 . 2011-05-26 10:11 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57 . 2008-06-11 01:46 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2008-06-11 01:46 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2008-06-11 01:46 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2008-06-11 01:46 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2008-06-11 01:46 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-03 15:28 . 2008-06-11 01:46 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2008-06-11 01:46 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2008-06-11 01:46 1288704 ----a-w- c:\windows\system32\ole32.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-27_22.29.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-28 11:56 . 2012-01-28 11:56 16384 c:\windows\Temp\Perflib_Perfdata_80.dat
+ 2012-01-28 11:25 . 2012-01-28 11:25 10134 c:\windows\Installer\{CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF}\ARPPRODUCTICON.exe
+ 2012-01-28 11:23 . 2012-01-28 11:23 10134 c:\windows\Installer\{2AAB21C2-4CDA-4189-A0EC-5ED666113F84}\ARPPRODUCTICON.exe
+ 2009-06-25 13:20 . 2009-06-25 13:20 1485176 c:\windows\system32\LegitCheckControl.DLL
+ 2012-01-28 11:23 . 2012-01-28 11:23 1623040 c:\windows\Installer\59fd6.msi
+ 2012-01-28 11:24 . 2012-01-28 11:25 13156352 c:\windows\Installer\59fda.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 16862208]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-06-10 782336]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-11 1028096]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-09-14 215360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Martin\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SPSS16\\spss.com"=
"c:\\Program Files\\SPSS16\\spss.exe"=
"c:\\Program Files\\SPSS16\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\PuTTy\\putty.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
.
R0 WRkrn;WRkrn;c:\windows\system32\drivers\WRkrn.sys [26/01/2012 12:04 109072]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [28/01/2012 11:24 89624]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [28/01/2012 11:24 148520]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [11/06/2008 23:18 156160]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [11/06/2008 23:19 159744]
S3 L6TPortB;Service - Line 6 TonePort UX2;c:\windows\system32\Drivers\L6TPortB.sys --> c:\windows\system32\Drivers\L6TPortB.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [28/01/2012 11:24 87808]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.msi.com.tw/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{ABD78E04-874A-41B5-B6AF-2878FA0BB260}: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\rig7qma3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/|https://login.live.com/login.srf?wa...0&lc=2057&id=64855&mkt=en-gb&cbcxt=mai&snsc=1
FF - prefs.js: network.proxy.ftp - localhost
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - localhost
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-28 12:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2332106328-2196180437-3818924662-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2520)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll
c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll
c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll
.
Completion time: 2012-01-28 12:18:36
ComboFix-quarantined-files.txt 2012-01-28 12:18
ComboFix2.txt 2012-01-27 22:36
.
Pre-Run: 13,887,287,296 bytes free
Post-Run: 13,898,567,680 bytes free
.
- - End Of File - - 377EFF1BE3A89C256207EF03AAC36818
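Added example (not code from the thread, from ComboFix, or from any tool named in it): a small Python triage script for the "Files Created" section of a ComboFix log like the one above. Kernel drivers are the first thing worth reviewing in such a list, since rootkits load as .sys files (the ESET hits later in this thread are Win32/Rootkit.Kryptik .sys files). The sample lines are copied from the log above; the allowlist of driver name stems is a constructed assumption standing in for a proper known-good hash set, and the regex is mine, written against the line layout visible in the log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ComboFix "Files Created" line layout, as it appears in the log above:
#   <created> . <modified> <size or dashes> <attributes> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+?)\s*$"
)

# Constructed sample: a handful of lines copied from the ComboFix log above.
SAMPLE_LOG = """\
2012-01-28 11:24 . 2012-01-28 11:23 9344 ----a-w- c:\\windows\\system32\\drivers\\mfeclnk.sys
2012-01-27 22:14 . 2012-01-27 22:14 0 ----a-w- c:\\windows\\system32\\drivers\\SET4.tmp
2012-01-27 11:56 . 2012-01-27 12:10 23624 ----a-w- c:\\windows\\system32\\drivers\\hitmanpro36.sys
2012-01-26 12:04 . 2012-01-26 12:04 109072 ----a-w- c:\\windows\\system32\\drivers\\WRkrn.sys
2012-01-25 23:29 . 2011-12-10 15:24 20464 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2012-01-23 11:47 . 2009-09-27 09:39 369152 ----a-w- c:\\windows\\system32\\avisynth.dll
2012-01-03 12:36 . 2012-01-03 12:45 -------- d-----w- C:\\Perl
"""

# Constructed allowlist (assumption): driver name stems this thread accounts for
# (McAfee mfe*, Malwarebytes mbam, HitmanPro, Webroot WRkrn). A real deployment
# would check vendor signatures or a known-good hash set instead of names.
KNOWN_DRIVER_STEMS = ("mfe", "mbam", "hitmanpro", "wrkrn")


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories (ComboFix prints dashes)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_files_created(text: str) -> List[Entry]:
    """Parse every well-formed 'Files Created' line; headers and dots are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def triage_drivers(entries: List[Entry]) -> Tuple[List[Entry], List[Tuple[str, List[str]]]]:
    """Return (driver files, findings) for files dropped under a \\drivers\\ folder.

    A finding is (path, reasons). Reasons: non-.sys file in the drivers folder,
    zero-byte file, or a .sys whose name stem is not on the allowlist.
    """
    drivers = [e for e in entries if not e.is_dir and "\\drivers\\" in e.path.lower()]
    findings = []
    for e in drivers:
        name = e.path.lower().rsplit("\\", 1)[-1]
        stem, _, ext = name.rpartition(".")
        reasons = []
        if ext != "sys":
            reasons.append(f"non-.sys file in drivers folder (.{ext})")
        if e.size == 0:
            reasons.append("zero-byte file")
        if ext == "sys" and not stem.startswith(KNOWN_DRIVER_STEMS):
            reasons.append("driver name not on allowlist")
        if reasons:
            findings.append((e.path, reasons))
    return drivers, findings


if __name__ == "__main__":
    drivers, findings = triage_drivers(parse_files_created(SAMPLE_LOG))
    print(f"{len(drivers)} new driver-folder files, {len(findings)} flagged")
    for path, reasons in findings:
        print(path, "->", "; ".join(reasons))
```

On the sample the only flagged item is the zero-byte SET4.tmp in the drivers folder; the four named .sys files match the allowlist. The point of the allowlist is only to shrink the review list, never to clear a file: anything it passes should still be checked against a hash or signature source.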
 
my keyboard (msi wind netbook) is dead

Here's the keyboard problem: The driver had malware and was probably corrupted: C:\WINDOWS\system32\drivers\i8042prt.sys
Disabling I8042PRT.SYS Mouse Driver Also Disables the Keyboard
Rather than try to find and replace the driver, since the keyboard is such a vital part of the system, Microsoft recommends the following:
The PS/2 mouse driver is normally set as System in the Devices portion of Control Panel. If it is disabled and the keyboard is inoperative, use the Last Known Good Configuration menu on startup of Windows NT to restore the driver and the keyboard.

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Last known good configuration option when the Windows Advanced Options menu appears, and then press ENTER.

Please let me know if this restores the keyboard. If it does not, I'll have you look for a copy on the system.

(PS/2 Mouse Port driver is built into the computer as the Intel 8042 (or Intel 8742) auxiliary device. The keyboard is also connected to the Intel 8042, and is supported by the same driver.)
====================================
For the Eset entries:
Please download OTMovit by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files 
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinWebdirb2.zip 
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\16\6d83d510-4006cb0e 
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\40\7129ce28-5cafcf7e 
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8L2VCPQV\mazezu5.net[1] 
    C:\WINDOWS\system32\drivers\i8042prt.sys 
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=====================================
Since we will be doing some backtracking, I'd like you to Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.
When scan has finished, you will see this image:
[Image: scan-finished.jpg]

  • Click on OK to close box and continue.
  • Click on the Show Results button.
  • Click on the Remove Selected button to remove all the listed malware.
  • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
Please update Java: Java Updates . Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

Be sure to check all download screens for any pre-checked toolbars or BHOs; if found, remove the check before the download.
=======================================
You will have removed the Eset entries in OTM by now. So please update Eset and run another scan.
======================================
Please uninstall all of the following in Add/Remove Programs
BitTorrent
Java(TM) 6 Update 24
Java(TM) SE Development Kit 6 Update 24
jEdit 4.5pre1
Line 6 Uninstaller
Registry Mechanic 7.0
The HitmanPro 3.6 Crusader (Boot)
When finished, use Windows explorer to access Computer> Local Drive (C)> Programs> find folder for each of the uninstalled programs except Java and do a Right Click> Delete.
==================================
Can you please tell me if these are programs you're using in conjunction with your dissertation? I've included a capsule description:
1. SPSS is a computer program used for survey authoring and deployment (IBM SPSS Data Collection), data mining (IBM SPSS Modeler), text analytics, statistical analysis, and collaboration and deployment (batch and automated scoring services).
2. c:\program files\Weka-3-6 >> Data mining software in Java.
3. c:\program files\ELAN 4.1.2 >> ELAN - A professional tool for the creation of complex annotations on video and audio resources.
4. PuTTY is an SSH and telnet client; use in the UK is possibly not legal.
5. TUGZip is a powerful award-winning freeware archiving utility for Windows®
=============================
I will have some script for you to run in Combofix after you've finished the above.

Please leave logs in next reply.
 
Hi Bobbye

Thanks for this - sorry about the PM - I didn't mean to bother you over the weekend, but I think I failed to take the time difference between London and Florida into account!

The last known good configuration didn't start my keyboard working sadly.

All the programs listed 1-5 are ones for my degree.

Some of the programs to remove didn't show up in Add/Remove Programs. They were: Line 6 Uninstaller and The HitmanPro 3.6 Crusader (Boot)

Chris

All processes killed
========== FILES ==========
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinWebdirb2.zip moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\16\6d83d510-4006cb0e moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\40\7129ce28-5cafcf7e moved successfully.
File/Folder C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8L2VCPQV\mazezu5.net[1] not found.
C:\WINDOWS\system32\drivers\i8042prt.sys moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Chris
->Temp folder emptied: 15342315 bytes
->Temporary Internet Files folder emptied: 1610186 bytes
->Java cache emptied: 3630831 bytes
->FireFox cache emptied: 55183006 bytes
->Flash cache emptied: 41530 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41044 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Martin
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 14224306 bytes
->Flash cache emptied: 639 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 890 bytes
->Flash cache emptied: 2264 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 86.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 01302012_175007

Files moved on Reboot...
C:\Documents and Settings\Chris\Local Settings\Temp\McAfeeLogs\UpdaterUI_CHRIZZA.log moved successfully.
C:\Documents and Settings\Chris\Local Settings\Temp\McAfeeLogs\UpdaterUI_CHRIZZA_error.log moved successfully.

Registry entries deleted on Reboot...

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.30.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Chris :: CHRIZZA [administrator]

30/01/2012 18:04:36
mbam-log-2012-01-30 (18-04-36).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 294989
Time elapsed: 3 hour(s), 2 minute(s), 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


C:\System Volume Information\_restore{29FCC5FA-EBD7-491E-8808-604B0E4B3356}\RP3\A0000300.sys a variant of Win32/Rootkit.Kryptik.IF trojan
C:\System Volume Information\_restore{29FCC5FA-EBD7-491E-8808-604B0E4B3356}\RP3\A0000336.sys a variant of Win32/Rootkit.Kryptik.IF trojan
C:\System Volume Information\_restore{29FCC5FA-EBD7-491E-8808-604B0E4B3356}\RP3\A0000454.sys a variant of Win32/Rootkit.Kryptik.IF trojan
C:\System Volume Information\_restore{29FCC5FA-EBD7-491E-8808-604B0E4B3356}\RP3\A0001659.sys a variant of Win32/Rootkit.Kryptik.IF trojan
C:\_OTM\MovedFiles\01302012_175007\C_Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinWebdirb2.zip Win32/Bagle.gen.zip worm
C:\_OTM\MovedFiles\01302012_175007\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\16\6d83d510-4006cb0e a variant of Win32/Kryptik.ZOF trojan
C:\_OTM\MovedFiles\01302012_175007\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\40\7129ce28-5cafcf7e a variant of Java/Exploit.CVE-2011-3544.AF trojan
 
Keyboard trauma

Hello,

I wondered if you had any advice for me to get my keyboard functioning again...

Weirdly, the trackpad works when it starts up but then stops working after I try to press a key - though my usb mouse works fine.

In device manager, there is a warning triangle next to the entry for the keyboard with the error message: "This device cannot find enough free resources that it can use. (Code 12)"

I have my viva (thesis defense) tomorrow and am beginning to panic!

Thanks

Chris
 
Chris, let see if we can find and replace the process that's messing up the keyboard:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


For 64bit: http://jpshortstuff.247fixes.com/SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    i8042PRT.SYS
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
=========================================
Please keep in mind that if the problem is hardware related, this file won't help. It's not a common thing for malware to trash a keyboard. If 'Last Good' didn't fix it, I'm not encouraged.
 
Oh dear - if you're not encouraged then neither am I!

Log below - btw, I have just discovered that the function key to switch on bluetooth (fn+F11) still works...?

Chris

SystemLook 30.07.11 by jpshortstuff
Log created at 21:30 on 01/02/2012 by Chris
Administrator - Elevation successful

========== filefind ==========

Searching for "i8042PRT.SYS"
C:\WINDOWS\system32\dllcache\i8042prt.sys --a--c- 52480 bytes [00:48 14/04/2008] [00:48 14/04/2008] 4A0B06AA8943C1E332520F7440C0AA30
C:\WINDOWS\system32\drivers\i8042prt.sys --a---- 52480 bytes [00:48 14/04/2008] [00:48 14/04/2008] 4A0B06AA8943C1E332520F7440C0AA30
C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\i8042prt.sys --a---- 52480 bytes [17:39 01/02/2012] [00:48 14/04/2008] 4A0B06AA8943C1E332520F7440C0AA30
C:\_OTM\MovedFiles\01302012_175007\C_WINDOWS\system32\drivers\i8042prt.sys --a---- 52480 bytes [00:48 14/04/2008] [00:48 14/04/2008] 4A0B06AA8943C1E332520F7440C0AA30

-= EOF =-
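Added example (my code, not from the thread or from SystemLook): a Python check over SystemLook ":filefind" output that groups every copy of a file by MD5 and compares the live driver against the dllcache reference, which is the question the log above is really answering. The four lines in the clean sample are copied from the log above; in them all copies, including the one OTM moved, share one size and one MD5, so the script reports them as consistent. The tampered sample is constructed, with a placeholder all-zero hash and a changed size on the live copy, to show what a mismatch looks like; the regex is mine, written against the line layout in the log.

```python
import re
from collections import defaultdict
from typing import Dict, List

# SystemLook ":filefind" hit layout, as seen in the log above:
#   <path> <attrs> <size> bytes [<modified>] [<created>] <MD5>
HIT_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

LIVE_PATH = "C:\\WINDOWS\\system32\\drivers\\i8042prt.sys"
REFERENCE_PATH = "C:\\WINDOWS\\system32\\dllcache\\i8042prt.sys"

# Sample copied from the SystemLook log above (all copies identical).
SAMPLE_CLEAN = """\
Searching for "i8042PRT.SYS"
C:\\WINDOWS\\system32\\dllcache\\i8042prt.sys --a--c- 52480 bytes [00:48 14/04/2008] [00:48 14/04/2008] 4A0B06AA8943C1E332520F7440C0AA30
C:\\WINDOWS\\system32\\drivers\\i8042prt.sys --a---- 52480 bytes [00:48 14/04/2008] [00:48 14/04/2008] 4A0B06AA8943C1E332520F7440C0AA30
C:\\WINDOWS\\system32\\ReinstallBackups\\0010\\DriverFiles\\i386\\i8042prt.sys --a---- 52480 bytes [17:39 01/02/2012] [00:48 14/04/2008] 4A0B06AA8943C1E332520F7440C0AA30
C:\\_OTM\\MovedFiles\\01302012_175007\\C_WINDOWS\\system32\\drivers\\i8042prt.sys --a---- 52480 bytes [00:48 14/04/2008] [00:48 14/04/2008] 4A0B06AA8943C1E332520F7440C0AA30
"""

# Constructed sample: the live copy differs in size and hash (placeholder hash).
SAMPLE_TAMPERED = """\
Searching for "i8042PRT.SYS"
C:\\WINDOWS\\system32\\dllcache\\i8042prt.sys --a--c- 52480 bytes [00:48 14/04/2008] [00:48 14/04/2008] 4A0B06AA8943C1E332520F7440C0AA30
C:\\WINDOWS\\system32\\drivers\\i8042prt.sys --a---- 53248 bytes [10:00 01/02/2012] [00:48 14/04/2008] 00000000000000000000000000000000
C:\\WINDOWS\\system32\\ReinstallBackups\\0010\\DriverFiles\\i386\\i8042prt.sys --a---- 52480 bytes [17:39 01/02/2012] [00:48 14/04/2008] 4A0B06AA8943C1E332520F7440C0AA30
"""


def parse_filefind(text: str) -> List[Dict]:
    """Return one dict per hit line; the 'Searching for' header and blanks are skipped."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append({
                "path": m["path"],
                "attrs": m["attrs"],
                "size": int(m["size"]),
                "md5": m["md5"].upper(),
            })
    return hits


def compare_copies(hits: List[Dict], live_path: str, reference_path: str) -> Dict:
    """Group copies by MD5 and say whether the live file matches the reference copy.

    'match' is True/False, or None when either copy is absent from the log.
    'outliers' lists every path whose hash differs from the reference hash.
    """
    by_path = {h["path"].lower(): h for h in hits}
    live = by_path.get(live_path.lower())
    ref = by_path.get(reference_path.lower())
    groups = defaultdict(list)
    for h in hits:
        groups[h["md5"]].append(h["path"])
    result = {"groups": dict(groups), "match": None, "outliers": []}
    if live is None or ref is None:
        result["reason"] = "live or reference copy not present in the log"
        return result
    result["match"] = live["md5"] == ref["md5"] and live["size"] == ref["size"]
    result["outliers"] = [p for md5, paths in groups.items() if md5 != ref["md5"] for p in paths]
    return result


if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        r = compare_copies(parse_filefind(sample), LIVE_PATH, REFERENCE_PATH)
        print(f"{label}: match={r['match']} distinct hashes={len(r['groups'])} outliers={r['outliers']}")
```

A consistent result only says the copies agree with each other; it does not prove the shared hash is the genuine Microsoft file. To close that gap, compare the reference hash against a trusted source (a known-good install of the same service pack, or a vendor hash list) rather than against the machine's own dllcache.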
 
Chris, with the additional info from the Device Manager, this becomes more complicated! I was going to have you check the Device Manager originally, but opted for the 'last good' instead. As far as I can tell there are 2 different problems - so I'm going to try to help with both:

In the Device Manager:
This device cannot find enough free resources that it can use. If you want to use this device, you will need to disable one of the other devices on this system. (Code 12)

Diagnosis
Two devices have been assigned the same input/output (I/O) ports, the same interrupt, or the same Direct Memory Access channel. The assignment was made by either the basic input/output system (BIOS), the operating system, or a combination of the two.

Resolution
The resolution for this issue can be very hardware specific. For detailed information, try searching for “code 12” and your hardware type, name, or model number on the Microsoft support site (http://go.microsoft.com/fwlink/?LinkID=538). For example, for code 12 issues with a CS4281 card, search for “code 12” CS4281.
(Source: Microsoft)
Do the search and see if there is any resolution there.
======================================
Missing driver:
This is strange. Usually when Combofix finds an infected file, it will attempt to replace it. We removed the infected copy in OTM. I'm hoping these backups are clean:

Please run this Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap' and copy/paste the text in the code below into it:
Code:
FCopy::
C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\i8042prt.sys | C_WINDOWS\system32\drivers\i8042prt.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
=============================================
I sincerely hope that one -or possibly both- of the above gets the keyboard working again. Having both a hardware and a software problem at the same time is not a good thing!

====================
 
I know you're very busy today- just checking in to see if we have the keyboard back.
 
Nope, I'm afraid not.

And I also tried a USB keyboard but that didn't work either. I did however pass my viva so it's not all bad!

I can also use the keyboard before Windows starts (I was trying to see allocated resources in the BIOS thing but no idea what I'm looking for) so I don't think it's a hardware problem. Also the thing it thinks it's clashing with is the trackpad, but there is no option to disable that in Device Manager.

I found someone with a similar problem here: http://www.bleepingcomputer.com/forums/topic433638.html

Any more advice greatly appreciated (even if it involves reinstalling Windows - though note it's a netbook so no CD drive or CD)

Thanks

Chris

ComboFix 12-02-02.01 - Chris 02/02/2012 11:13:02.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.385 [GMT 0:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chris\Desktop\CFscript.txt
AV: McAfee VirusScan Enterprise+AntiSpyware Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
.
((((((((((((((((((((((((( Files Created from 2012-01-02 to 2012-02-02 )))))))))))))))))))))))))))))))
.
.
2012-01-30 22:53 . 2012-02-01 22:21 -------- d-----w- c:\program files\Common Files\Java
2012-01-30 22:52 . 2012-01-30 22:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-01-30 20:10 . 2012-02-01 15:11 -------- d-----w- C:\QUARANTINE
2012-01-30 17:50 . 2012-01-30 17:50 -------- d-----w- C:\_OTM
2012-01-28 11:24 . 2012-01-28 11:23 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-01-28 11:24 . 2012-01-28 11:23 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-01-28 11:24 . 2012-01-28 11:23 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-01-28 11:24 . 2012-01-28 11:23 119968 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2012-01-28 11:24 . 2012-01-28 11:23 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-01-28 11:24 . 2012-01-28 11:23 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-01-28 11:24 . 2012-01-28 11:23 148520 ----a-w- c:\windows\system32\mfevtps.exe
2012-01-28 11:24 . 2012-01-28 11:23 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2012-01-28 11:22 . 2012-01-28 11:23 -------- d-----w- c:\program files\Common Files\McAfee
2012-01-28 09:51 . 2012-01-28 09:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2012-01-27 17:43 . 2012-01-27 17:43 -------- d-----w- c:\program files\ESET
2012-01-27 11:56 . 2012-01-27 12:10 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-01-27 11:56 . 2012-01-27 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-01-27 11:00 . 2012-01-27 11:00 -------- d-----w- c:\documents and settings\Chris\Application Data\McAfee
2012-01-27 10:59 . 2012-01-28 11:23 74848 ----a-w- c:\windows\system32\MfeOtlkAddin.dll
2012-01-27 10:59 . 2012-01-28 11:23 22816 ----a-w- c:\windows\system32\MFEOtlk.dll
2012-01-27 10:58 . 2012-01-28 11:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-01-27 10:58 . 2012-01-28 11:22 -------- d-----w- c:\program files\McAfee
2012-01-27 10:52 . 2012-01-27 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\WRData
2012-01-27 10:52 . 2012-01-27 10:52 -------- d-----w- c:\documents and settings\Chris\Application Data\IObit
2012-01-26 12:04 . 2012-01-26 12:04 109072 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2012-01-25 23:49 . 2012-01-25 23:49 -------- d-----w- c:\documents and settings\Chris\Application Data\SUPERAntiSpyware.com
2012-01-25 23:29 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-25 23:02 . 2012-01-25 23:02 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2012-01-23 12:18 . 2012-01-23 12:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2012-01-23 11:47 . 2009-09-27 09:39 369152 ----a-w- c:\windows\system32\avisynth.dll
2012-01-23 11:47 . 2005-07-14 12:31 32256 ----a-w- c:\windows\system32\AVSredirect.dll
2012-01-23 11:47 . 2004-02-22 10:11 719872 ----a-w- c:\windows\system32\devil.dll
2012-01-23 11:47 . 2004-01-25 00:00 70656 ----a-w- c:\windows\system32\yv12vfw.dll
2012-01-23 11:47 . 2004-01-25 00:00 70656 ----a-w- c:\windows\system32\i420vfw.dll
2012-01-23 11:47 . 2012-01-23 11:47 -------- d-----w- c:\program files\AviSynth 2.5
2012-01-17 12:15 . 2012-01-23 11:27 -------- d-----w- c:\documents and settings\Chris\.elan_data
2012-01-17 12:12 . 2012-01-17 12:14 -------- d-----w- c:\program files\ELAN 4.1.2
2012-01-16 11:58 . 2012-01-16 11:59 -------- d-----w- c:\documents and settings\Chris\Application Data\UAMCTAppData
2012-01-10 11:29 . 2012-01-10 11:30 -------- d-----w- c:\program files\Weka-3-6
2012-01-03 13:13 . 2012-01-03 13:13 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Identities
2012-01-03 12:36 . 2012-01-03 12:45 -------- d-----w- C:\Perl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-30 22:51 . 2010-09-10 12:28 472808 -c--a-w- c:\windows\system32\deployJava1.dll
2011-12-08 15:35 . 2011-05-26 10:11 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57 . 2008-06-11 01:46 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2008-06-11 01:46 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2008-06-11 01:46 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2008-06-11 01:46 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2008-06-11 01:46 152064 ----a-w- c:\windows\system32\schannel.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-27_22.29.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-02 08:48 . 2012-02-02 08:48 16384 c:\windows\Temp\Perflib_Perfdata_9c.dat
+ 2012-02-02 09:27 . 2012-02-02 09:27 16384 c:\windows\Temp\Perflib_Perfdata_6b0.dat
+ 2008-06-11 17:00 . 2008-04-14 00:48 52480 c:\windows\system32\ReinstallBackups\0010\DriverFiles\i386\i8042prt.sys
- 2008-06-11 17:00 . 2008-04-14 12:00 52480 c:\windows\system32\ReinstallBackups\0010\DriverFiles\i386\i8042prt.sys
- 2008-04-14 00:09 . 2008-04-14 12:00 24576 c:\windows\system32\drivers\kbdclass.sys
+ 2008-04-14 00:09 . 2008-04-14 00:09 24576 c:\windows\system32\drivers\kbdclass.sys
+ 2008-04-14 00:09 . 2008-04-14 00:09 24576 c:\windows\system32\dllcache\kbdclass.sys
+ 2012-01-28 11:25 . 2012-01-28 11:25 10134 c:\windows\Installer\{CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF}\ARPPRODUCTICON.exe
+ 2012-01-28 11:23 . 2012-01-28 11:23 10134 c:\windows\Installer\{2AAB21C2-4CDA-4189-A0EC-5ED666113F84}\ARPPRODUCTICON.exe
- 2011-05-22 10:48 . 2011-05-22 10:47 157472 c:\windows\system32\javaws.exe
+ 2012-01-30 22:52 . 2012-01-30 22:51 157472 c:\windows\system32\javaws.exe
+ 2012-01-30 22:52 . 2012-01-30 22:51 149280 c:\windows\system32\javaw.exe
+ 2012-01-30 22:52 . 2012-01-30 22:51 149280 c:\windows\system32\java.exe
+ 2012-01-30 22:53 . 2012-01-30 22:53 203776 c:\windows\Installer\111d964.msi
+ 2012-01-30 22:51 . 2012-01-30 22:51 902656 c:\windows\Installer\111d95e.msi
+ 2012-01-27 10:41 . 2012-02-01 22:21 4657352 c:\windows\system32\Restore\rstrlog.dat
+ 2009-06-25 13:20 . 2009-06-25 13:20 1485176 c:\windows\system32\LegitCheckControl.DLL
+ 2012-01-28 11:23 . 2012-01-28 11:23 1623040 c:\windows\Installer\59fd6.msi
+ 2012-01-28 11:24 . 2012-01-28 11:25 13156352 c:\windows\Installer\59fda.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 16862208]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-06-10 782336]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-11 1028096]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-09-14 215360]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Martin\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SPSS16\\spss.com"=
"c:\\Program Files\\SPSS16\\spss.exe"=
"c:\\Program Files\\SPSS16\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\PuTTy\\putty.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
.
R0 WRkrn;WRkrn;c:\windows\system32\drivers\WRkrn.sys [26/01/2012 12:04 109072]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [28/01/2012 11:24 89624]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [28/01/2012 11:24 148520]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [11/06/2008 23:18 156160]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [11/06/2008 23:19 159744]
S3 L6TPortB;Service - Line 6 TonePort UX2;c:\windows\system32\Drivers\L6TPortB.sys --> c:\windows\system32\Drivers\L6TPortB.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [28/01/2012 11:24 87808]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.msi.com.tw/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{ABD78E04-874A-41B5-B6AF-2878FA0BB260}: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\rig7qma3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/|https://login.live.com/login.srf?wa...0&lc=2057&id=64855&mkt=en-gb&cbcxt=mai&snsc=1
FF - prefs.js: network.proxy.ftp - localhost
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - localhost
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-02 11:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2332106328-2196180437-3818924662-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(5372)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll
c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll
c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll
.
Completion time: 2012-02-02 11:29:07
ComboFix-quarantined-files.txt 2012-02-02 11:29
ComboFix2.txt 2012-01-28 12:18
ComboFix3.txt 2012-01-27 22:36
.
Pre-Run: 13,364,588,544 bytes free
Post-Run: 13,430,407,168 bytes free
.
- - End Of File - - 5E47F38A362F14A6C1E405F5949AF2A2
 
Keyboard issue resolved

Hello,

Just a note to let you know that following the advice from that forum thread I included in one of my previous posts has resulted in my keyboard function returning (better late than never, but I was getting quite proficient at using the onscreen keyboard!)

So hopefully it's all good and all I need from you is the all-clear (which scans should I run again etc.) and a clear-out of the stuff used, and I can start my new life as a postgraduate research assistant with a fully functioning laptop!

Cheers

(Dr) Chris
 
Dr. Chris:
Now that you're over the biggest hurdle, if you haven't come across this yet, let me introduce you: Piled High and Deeper, AKA PhD. Maybe you have time now to look back with humor! (Please don't hold me responsible for all the content!)

I am so glad you got the keyboard back! Did you use the UNetbootin and xPUD links? I had that on my desktop to have you try yesterday but ran out of time. I am glad to know it handled the pesky problem! It was a bit hard to troubleshoot because the process was infected, then wouldn't respond to the FCopy.

Now that you're fully functional (except maybe for lack of sleep!) let's cleanup a few entries:
There was a hidden file I want to check out:
Download catchme.exe ( 137KB ) and save to your desktop.
  • Double click the catchme.exe to run it
  • Click the "Scan" button to start scan
  • Open catchme.log to see results
Copy the log to Notepad, making sure that 'Word Wrap' is unchecked in Format. Then paste the log in your next reply.
========================================
Combofix looks pretty good- just a few removals:
Please run this Custom CFScript:

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\drivers\SET4.tmp
c:\windows\system32\drivers\hitmanpro36.sys
Folder::
c:\documents and settings\All Users\Application Data\HitmanPro
DDS::
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=-
"c:\\Program Files\\DNA\\btdna.exe"=-
Clearjavacache::
Save this as CFScript.txt, in the same location as ComboFix.exe
(image: CFScriptB-4.gif)


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
====================
I strongly recommend that you uninstall the HitmanPro program. That program is a bundle of other programs, all found free on the internet and all fully functional. The scam with Hitman is that it will only 'fix' processes free during the trial period. After that, you have to buy the full program to get that functionality.
Consider removing Bit Torrent also.
====================================
I'd like you to run the Eset scan once more- just to be sure no processes got back in.

I'll give the logs a quick look and if clean, will have you remove the tools we used.
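Before a CFScript like the one above is dragged onto ComboFix it helps to see, section by section, exactly what it asks for. The Python below is an added example, not ComboFix's own code and not posted in this thread: it splits a script into its File::, Folder::, DDS::, Registry:: and Clearjavacache:: sections, reads the Registry:: block with REGEDIT4 rules (a `"name"=-` line deletes that value, any other `"name"=data` line is reported as 'set' with its data), and lists the entries under system32\drivers separately, since a kernel driver removed this way will not load again at the next boot. The section names and the REGEDIT4 reading are assumptions taken from the script format as posted; the sample script is constructed to mirror it, and the `~` in the registry key path is copied verbatim rather than expanded.

```python
"""Review a ComboFix CFScript before running it.

Added example, not ComboFix's own code: it only reads the script text and
reports what each section asks for. Section names and the REGEDIT4 reading
of the Registry:: block ("name"=- deletes a value) are assumptions taken
from the script format as posted in the thread.
"""
import re

# Constructed sample, shaped like the CFScript posted above (raw string, so
# the doubled backslashes of .reg syntax stay exactly as written).
SAMPLE_CFSCRIPT = r"""
File::
c:\windows\system32\drivers\SET4.tmp
c:\windows\system32\drivers\hitmanpro36.sys
Folder::
c:\documents and settings\All Users\Application Data\HitmanPro
DDS::
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=-
Clearjavacache::
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")   # e.g. File::  Registry::
KEY_RE = re.compile(r"^\[(.+)\]$")               # [HKLM\...] key header
VALUE_RE = re.compile(r'^"(.*)"=(.*)$')          # "name"=data (data may be - or empty)
DRIVER_DIR = "\\system32\\drivers\\"


def parse_cfscript(text):
    """Map each 'Name::' section to the non-empty lines under it, in order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("content before any section header: %r" % line)
        sections[current].append(line)
    return sections


def registry_actions(lines):
    """Read a Registry:: block with REGEDIT4 rules.

    Returns (key, value_name, action, data) tuples; action is 'delete' for
    "name"=- and 'set' for anything else. Doubled backslashes inside quoted
    names are the .reg escape for a single backslash and are unescaped.
    """
    actions = []
    key = None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)          # kept verbatim; ComboFix's '~' is not expanded
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name, data = m.group(1).replace("\\\\", "\\"), m.group(2)
            action = "delete" if data == "-" else "set"
            actions.append((key, name, action, data))
    return actions


def driver_entries(paths):
    """Paths under system32\\drivers: kernel drivers that stop loading once removed."""
    return [p for p in paths if DRIVER_DIR in p.lower()]


def summarize(text):
    """One dict describing every action the script requests."""
    s = parse_cfscript(text)
    files = s.get("File", [])
    return {
        "files_to_delete": files,
        "drivers_among_files": driver_entries(files),
        "folders_to_delete": s.get("Folder", []),
        "dds_lines": s.get("DDS", []),
        "registry": registry_actions(s.get("Registry", [])),
        "clear_java_cache": "Clearjavacache" in s,
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_CFSCRIPT).items():
        print(k, "->", v)
```

Run it against the script you intend to use (read the file into `summarize`) and compare the output with what the helper said the script would remove; any File:: entry that shows up under `drivers_among_files` deserves a second look, because a missing driver is the kind of thing that produced the keyboard trouble earlier in this thread.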
 
Okay, so either something has snuck back in when I sorted the keyboard thing (using xPUD boot from flash drive) or there is a whole other problem, because things that need to access the web (updates, etc.) don't seem to be able to in normal mode... This extended to ComboFix and ESET, so I ran those in safe mode with networking...

Logs below....

Chris

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-04 18:34:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

source file error: C:\WINDOWS\system32\config\system
scanning hidden registry entries ...

source file error: C:\WINDOWS\system32\config\software
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

ComboFix 12-02-05.01 - Chris 04/02/2012 19:00:48.1.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.664 [GMT 0:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chris\Desktop\CFScript.txt
.
FILE ::
"c:\windows\system32\drivers\hitmanpro36.sys"
"c:\windows\system32\drivers\SET4.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\HitmanPro
c:\documents and settings\All Users\Application Data\HitmanPro\Banner.bin
c:\documents and settings\All Users\Application Data\HitmanPro\HitmanPro.key
c:\documents and settings\All Users\Application Data\HitmanPro\HitmanPro.lic
.
.
((((((((((((((((((((((((( Files Created from 2012-01-04 to 2012-02-04 )))))))))))))))))))))))))))))))
.
.
2012-02-02 12:47 . 2008-04-14 00:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2012-02-02 12:47 . 2008-04-14 00:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-02-02 12:42 . 2012-02-02 12:42 -------- d-----w- c:\documents and settings\Martin\Application Data\McAfee
2012-01-30 22:53 . 2012-02-01 22:21 -------- d-----w- c:\program files\Common Files\Java
2012-01-30 22:52 . 2012-01-30 22:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-01-30 20:10 . 2012-02-01 15:11 -------- d-----w- C:\QUARANTINE
2012-01-30 17:50 . 2012-01-30 17:50 -------- d-----w- C:\_OTM
2012-01-28 11:24 . 2012-01-28 11:23 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-01-28 11:24 . 2012-01-28 11:23 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-01-28 11:24 . 2012-01-28 11:23 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-01-28 11:24 . 2012-01-28 11:23 119968 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2012-01-28 11:24 . 2012-01-28 11:23 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-01-28 11:24 . 2012-01-28 11:23 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-01-28 11:24 . 2012-01-28 11:23 148520 ----a-w- c:\windows\system32\mfevtps.exe
2012-01-28 11:24 . 2012-01-28 11:23 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2012-01-28 11:22 . 2012-01-28 11:23 -------- d-----w- c:\program files\Common Files\McAfee
2012-01-28 09:51 . 2012-01-28 09:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2012-01-27 17:43 . 2012-01-27 17:43 -------- d-----w- c:\program files\ESET
2012-01-27 11:56 . 2012-01-27 12:10 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-01-27 11:00 . 2012-01-27 11:00 -------- d-----w- c:\documents and settings\Chris\Application Data\McAfee
2012-01-27 10:59 . 2012-01-28 11:23 74848 ----a-w- c:\windows\system32\MfeOtlkAddin.dll
2012-01-27 10:59 . 2012-01-28 11:23 22816 ----a-w- c:\windows\system32\MFEOtlk.dll
2012-01-27 10:58 . 2012-01-28 11:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-01-27 10:58 . 2012-01-28 11:22 -------- d-----w- c:\program files\McAfee
2012-01-27 10:52 . 2012-01-27 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\WRData
2012-01-27 10:52 . 2012-01-27 10:52 -------- d-----w- c:\documents and settings\Chris\Application Data\IObit
2012-01-26 12:04 . 2012-01-26 12:04 109072 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2012-01-25 23:49 . 2012-01-25 23:49 -------- d-----w- c:\documents and settings\Chris\Application Data\SUPERAntiSpyware.com
2012-01-25 23:29 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-25 23:02 . 2012-01-25 23:02 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2012-01-23 12:18 . 2012-01-23 12:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2012-01-23 11:47 . 2009-09-27 09:39 369152 ----a-w- c:\windows\system32\avisynth.dll
2012-01-23 11:47 . 2005-07-14 12:31 32256 ----a-w- c:\windows\system32\AVSredirect.dll
2012-01-23 11:47 . 2004-02-22 10:11 719872 ----a-w- c:\windows\system32\devil.dll
2012-01-23 11:47 . 2004-01-25 00:00 70656 ----a-w- c:\windows\system32\yv12vfw.dll
2012-01-23 11:47 . 2004-01-25 00:00 70656 ----a-w- c:\windows\system32\i420vfw.dll
2012-01-23 11:47 . 2012-01-23 11:47 -------- d-----w- c:\program files\AviSynth 2.5
2012-01-17 12:15 . 2012-01-23 11:27 -------- d-----w- c:\documents and settings\Chris\.elan_data
2012-01-17 12:12 . 2012-01-17 12:14 -------- d-----w- c:\program files\ELAN 4.1.2
2012-01-16 11:58 . 2012-01-16 11:59 -------- d-----w- c:\documents and settings\Chris\Application Data\UAMCTAppData
2012-01-10 11:29 . 2012-01-10 11:30 -------- d-----w- c:\program files\Weka-3-6
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-30 22:51 . 2010-09-10 12:28 472808 -c--a-w- c:\windows\system32\deployJava1.dll
2011-12-08 15:35 . 2011-05-26 10:11 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57 . 2008-06-11 01:46 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2008-06-11 01:46 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2008-06-11 01:46 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2008-06-11 01:46 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2008-06-11 01:46 152064 ----a-w- c:\windows\system32\schannel.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 16862208]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-06-10 782336]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-11 1028096]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-09-14 215360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Martin\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-2-22 2938184]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SPSS16\\spss.com"=
"c:\\Program Files\\SPSS16\\spss.exe"=
"c:\\Program Files\\SPSS16\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\PuTTy\\putty.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
.
R0 WRkrn;WRkrn;c:\windows\system32\drivers\WRkrn.sys [26/01/2012 12:04 109072]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [28/01/2012 11:24 89624]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [28/01/2012 11:24 148520]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [11/06/2008 23:18 156160]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys --> c:\windows\system32\DRIVERS\AVGIDSEH.Sys [?]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys --> c:\windows\system32\DRIVERS\avgrkx86.sys [?]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys --> c:\windows\system32\DRIVERS\avgldx86.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 avgwd;AVG WatchDog;"c:\program files\AVG\AVG2012\avgwdsvc.exe" --> c:\program files\AVG\AVG2012\avgwdsvc.exe [?]
S2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [11/06/2008 23:19 159744]
S3 L6TPortB;Service - Line 6 TonePort UX2;c:\windows\system32\Drivers\L6TPortB.sys --> c:\windows\system32\Drivers\L6TPortB.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [28/01/2012 11:24 87808]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - PXHELP20
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.msi.com.tw/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{ABD78E04-874A-41B5-B6AF-2878FA0BB260}: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\rig7qma3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/|https://login.live.com/login.srf?wa...0&lc=2057&id=64855&mkt=en-gb&cbcxt=mai&snsc=1
FF - prefs.js: network.proxy.ftp - localhost
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - localhost
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-AVG_TRAY - c:\program files\AVG\AVG2012\avgtray.exe
AddRemove-AVG - c:\program files\AVG\AVG2012\avgmfapx.exe
AddRemove-jEdit_is1 - c:\program files\jEdit\unins000.exe
AddRemove-Registry Mechanic_is1 - c:\program files\Registry Mechanic\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-04 19:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2332106328-2196180437-3818924662-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2012-02-04 19:15:19
ComboFix-quarantined-files.txt 2012-02-04 19:15
ComboFix2.txt 2012-02-02 11:29
ComboFix3.txt 2012-01-28 12:18
ComboFix4.txt 2012-01-27 22:36
.
Pre-Run: 14,371,913,728 bytes free
Post-Run: 14,358,192,128 bytes free
.
- - End Of File - - 8D131BCAB9E88F45D618424ACCDB374A


C:\System Volume Information\_restore{29FCC5FA-EBD7-491E-8808-604B0E4B3356}\RP3\A0000300.sys a variant of Win32/Rootkit.Kryptik.IM trojan
C:\System Volume Information\_restore{29FCC5FA-EBD7-491E-8808-604B0E4B3356}\RP3\A0000336.sys a variant of Win32/Rootkit.Kryptik.IM trojan
C:\System Volume Information\_restore{29FCC5FA-EBD7-491E-8808-604B0E4B3356}\RP3\A0000454.sys a variant of Win32/Rootkit.Kryptik.IM trojan
C:\System Volume Information\_restore{29FCC5FA-EBD7-491E-8808-604B0E4B3356}\RP3\A0001659.sys a variant of Win32/Rootkit.Kryptik.IM trojan
C:\_OTM\MovedFiles\01302012_175007\C_Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinWebdirb2.zip Win32/Bagle.gen.zip worm
C:\_OTM\MovedFiles\01302012_175007\C_Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\16\6d83d510-4006cb0e a variant of Win32/Kryptik.ZOF trojan
 
Chris, looking at the entries in Combofix, it appears that both AVG and McAfee are running. I put you through an App Removal for AVG early on, before you ran the first Combofix. If you removed it then, perhaps you put it back. You need to have only 1 AV running. If you want it to be McAfee, use the AppRemover for AVG and make sure McAfee is currently updated.

Current entry in Combofix:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart

Reboot when through.
=================================
There are no new entries in the ESET scan. Qoobox is for Combofix quarantines and System Volume is for Restore Points. Neither of these are active on the system.
================================
The current Combofix log looks good. There is only the AVG registry entry and a folder for Hitman that need removing.
=================================
About the current problem:
What are the "things" that need to access the web? Browser? Programs? Executable files?
What happens when you try? Do you get any message? What?
Have you checked the internet connections? They may have been reset.
Can you even boot into Normal Mode?
==================================================
The error message that came up in catchme, source file error: C:\WINDOWS\system32\config\system indicates a corrupt registry. If that is the case, the following is a step by step fix for that:
This appears to be well set up so that you can follow it. Take care to print the directions first, and follow the steps exactly as given:

Recover a corrupted registry that prevents Windows XP from starting
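To make the kind of check Bobbye is doing by eye repeatable, here is an added triage script (not part of the thread or of ComboFix) that parses the R/S service and driver lines in the log above and flags the ones a helper would look at first: images ComboFix could not find, and drivers registered from a user's Temp folder. It assumes the log's bracketed "[?]" means the file's date and size could not be read at scan time, and the sample lines are constructed copies of entries from this log.

```python
import re

# Constructed sample in the ComboFix services/drivers format seen in the log above.
SAMPLE_LINES = r"""
R0 WRkrn;WRkrn;c:\windows\system32\drivers\WRkrn.sys [26/01/2012 12:04 109072]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Chris\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S2 avgwd;AVG WatchDog;"c:\program files\AVG\AVG2012\avgwdsvc.exe" --> c:\program files\AVG\AVG2012\avgwdsvc.exe [?]
S2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [11/06/2008 23:19 159744]
"""

# R = running, S = stopped; the digit is the start type (0 boot, 1 system, 2 auto, 3 manual)
SERVICE_RE = re.compile(
    r'^(?P<state>[RS])(?P<start>\d) (?P<name>.+?);(?P<display>.*?);(?P<path>.*) \[(?P<info>.*)\]$'
)

def parse_service_line(line):
    """Return a dict for one service/driver line, or None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    raw = m.group('path')
    if ' --> ' in raw:                      # "registry value --> resolved path": keep resolved
        raw = raw.split(' --> ', 1)[1]
    image = raw.strip().strip('"')
    if image.lower().startswith('\\??\\'):  # NT object-manager prefix used for kernel drivers
        image = image[4:]
    return {
        'running': m.group('state') == 'R',
        'start_type': int(m.group('start')),
        'name': m.group('name'),
        'image': image,
        'file_missing': m.group('info') == '?',   # assumption: "[?]" = file not readable at scan time
    }

def triage_flags(entry):
    """Flags worth a second look; none of them means the entry is malicious by itself."""
    flags = []
    p = entry['image'].lower()
    if entry['file_missing']:
        flags.append('file-not-found')
    if '\\temp\\' in p:
        flags.append('loaded-from-temp')
    if p.startswith('c:\\docume~1\\') or p.startswith('c:\\documents and settings\\'):
        flags.append('user-profile-path')
    if entry['start_type'] <= 1 and flags:  # boot/system-start driver with an oddity: highest priority
        flags.append('kernel-early-start')
    return flags

def triage(text):
    """Map every flagged service name to its list of flags, in log order."""
    results = []
    for line in text.splitlines():
        entry = parse_service_line(line)
        if entry is not None and triage_flags(entry):
            results.append((entry['name'], triage_flags(entry)))
    return results

if __name__ == '__main__':
    for name, flags in triage(SAMPLE_LINES):
        print(f"{name}: {', '.join(flags)}")
```

In this log the flagged Temp driver belongs to a self-extracting scanner the user ran, which is why a flag only asks for a look rather than a removal.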
 
Hi Bobbye

The network issue was just the settings for McAfee - which I have now resolved. Other than that the computer seems to be behaving itself perfectly - in normal mode - so I'm not sure that recovery article is quite appropriate.

As for the AVG, I did not reinstall it - perhaps some components reinstated themselves when I fixed the keyboard issue? AppRemover doesn't find it, so I think it could be related to the registry thing.

And I still have no idea where the HitMan Pro is hiding - Nothing to uninstall anywhere (folder in Qoobox but you said that was related to combofix and inactive), though there is a Hitmanpro36.sys in the drivers file - or could it be a rogue registry entry?

Chris
 