Inactive Virus preventing me from following 6-step virus removal + google redirect problem

zooker

I believe my computer has a virus and/or some form of malware. It started with the google redirect problem which alerted me to a problem. I also noticed that in the task manager the CPU would occasionally be running at 100%, apparently caused by an svchost.exe using a massive amount of memory.

I've tried to follow the 6-step removal instructions but have failed miserably.
- I originally uninstalled AVG anti virus because it would not run a scan.
- I downloaded the recommended Avira program, however when it tried to update it just exited the program.
- I downloaded, updated then ran Malwarebytes but during the Quick Scan it exited the program. When I tried to re-open it I get the error 'Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item'
- I downloaded GMER and tried to run it. During the scan the program exited. I then ran it in Safe Mode and during the scan the computer just shut down and restarted itself.
- I managed to download and run DDS successfully. Logs are below.

I am at a loss as to how I can fix this computer. Please help me.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_27
Run by Katie Lloyd at 21:23:21 on 2011-10-12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1451 [GMT 11:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\400631341:3537444584.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox 4.0 Beta 8\firefox.exe
C:\Program Files\Mozilla Firefox 4.0 Beta 8\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\tbBitT.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\tbBitT.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\tbBitT.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVIMlctM1NYM0UtR0hHWDktQUZISjMtUFcyUU4tWjlLSDQ"&"inst=NzctNzI1NTI0NzE2LUxJQysxLUZMMTArMS1TUDErMS1TUDFUQisxLVNVUCs0LVNQMVM0KzEtRERUKzU0NzkwLUREMTBGKzEtTFNEKzItU1QxMEZBUFArMS1TMTBGRERGKzE"&"prod=90"&"ver=10.0.1410
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 10.1.1.1
TCP: Interfaces\{1D99A002-D5A1-4225-81FD-E48DD72A1B14} : DhcpNameServer = 10.1.1.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\katie lloyd\application data\mozilla\firefox\profiles\m2mwbwff.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
.
---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.01.01
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-10-12 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-10-12 136360]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-12 66616]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-10-12 269480]
S3 bsusbser;Basecom USB Device for Legacy Serial Communication;c:\windows\system32\drivers\bsusbser.sys --> c:\windows\system32\drivers\bsusbser.sys [?]
.
=============== Created Last 30 ================
.
2011-10-12 09:51:09 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-12 09:51:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-12 09:45:55 -------- d-----w- c:\documents and settings\katie lloyd\application data\Avira
2011-10-12 09:36:10 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-10-12 09:36:10 -------- d-----w- c:\program files\Avira
2011-10-12 09:36:10 -------- d-----w- c:\documents and settings\all users\application data\Avira
2011-10-12 08:53:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-10-12 08:43:58 -------- d-----w- c:\windows\system32\appmgmt
2011-09-26 11:24:43 -------- d-----w- C:\TDSSKiller_Quarantine
2011-09-22 00:43:04 -------- d-----w- c:\program files\Antivirus Programs
2011-09-21 13:05:43 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-20 08:07:30 -------- d-----w- c:\documents and settings\katie lloyd\application data\Malwarebytes
2011-09-20 08:07:18 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
.
==================== Find3M ====================
.
2011-10-12 08:53:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-31 13:20:13 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 21:23:51.76 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 12/01/2011 10:57:08 PM
System Uptime: 12/10/2011 9:20:58 PM (0 hours ago)
.
Motherboard: Dell Inc. | | 0KD882
Processor: Intel(R) Core(TM)2 CPU T5500 @ 1.66GHz | Microprocessor | 1662/166mhz
Processor: Intel(R) Core(TM)2 CPU T5500 @ 1.66GHz | Microprocessor | 1662/166mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 142 GiB total, 35.009 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP162: 10/07/2011 11:38:17 PM - System Checkpoint
RP163: 12/07/2011 12:11:29 AM - System Checkpoint
RP164: 13/07/2011 12:22:38 AM - System Checkpoint
RP165: 13/07/2011 1:03:05 PM - Removed AVG 2011
RP166: 14/07/2011 3:00:15 AM - Software Distribution Service 3.0
RP167: 15/07/2011 3:50:02 AM - System Checkpoint
RP168: 16/07/2011 4:35:30 AM - System Checkpoint
RP169: 17/07/2011 5:35:30 AM - System Checkpoint
RP170: 18/07/2011 6:27:22 AM - System Checkpoint
RP171: 19/07/2011 7:09:37 AM - System Checkpoint
RP172: 19/07/2011 6:34:11 PM - Removed AVG 2011
RP173: 20/07/2011 11:46:31 PM - System Checkpoint
RP174: 22/07/2011 12:02:47 AM - System Checkpoint
RP175: 23/07/2011 1:15:27 AM - System Checkpoint
RP176: 24/07/2011 1:19:12 AM - System Checkpoint
RP177: 25/07/2011 2:05:50 AM - System Checkpoint
RP178: 26/07/2011 6:09:18 AM - System Checkpoint
RP179: 27/07/2011 8:08:39 AM - System Checkpoint
RP180: 28/07/2011 11:50:10 AM - System Checkpoint
RP181: 29/07/2011 10:26:06 PM - System Checkpoint
RP182: 30/07/2011 10:38:44 PM - System Checkpoint
RP183: 31/07/2011 11:16:08 PM - System Checkpoint
RP184: 2/08/2011 8:33:43 PM - System Checkpoint
RP185: 3/08/2011 10:19:52 PM - System Checkpoint
RP186: 4/08/2011 10:48:20 PM - System Checkpoint
RP187: 5/08/2011 7:20:47 PM - Removed AVG 2011
RP188: 6/08/2011 11:08:24 PM - System Checkpoint
RP189: 7/08/2011 12:57:42 AM - Removed AVG 2011
RP190: 8/08/2011 1:12:17 AM - System Checkpoint
RP191: 9/08/2011 7:28:04 PM - System Checkpoint
RP192: 10/08/2011 12:08:38 PM - Removed AVG 2011
RP193: 11/08/2011 3:00:15 AM - Software Distribution Service 3.0
RP194: 12/08/2011 1:14:41 PM - System Checkpoint
RP195: 17/08/2011 6:50:28 PM - System Checkpoint
RP196: 24/08/2011 8:23:13 PM - System Checkpoint
RP197: 25/08/2011 11:28:44 PM - System Checkpoint
RP198: 26/08/2011 11:59:18 PM - System Checkpoint
RP199: 28/08/2011 12:47:13 AM - System Checkpoint
RP200: 30/08/2011 5:58:15 PM - System Checkpoint
RP201: 31/08/2011 7:37:47 PM - System Checkpoint
RP202: 1/09/2011 8:44:57 PM - System Checkpoint
RP203: 3/09/2011 6:39:15 PM - System Checkpoint
RP204: 5/09/2011 11:22:57 PM - System Checkpoint
RP205: 7/09/2011 12:38:17 AM - System Checkpoint
RP206: 9/09/2011 5:28:33 PM - System Checkpoint
RP207: 10/09/2011 5:34:49 PM - System Checkpoint
RP208: 11/09/2011 8:05:20 PM - System Checkpoint
RP209: 12/09/2011 10:44:39 PM - System Checkpoint
RP210: 13/09/2011 11:48:17 PM - System Checkpoint
RP211: 17/09/2011 11:18:15 PM - Software Distribution Service 3.0
RP212: 19/09/2011 2:50:33 AM - System Checkpoint
RP213: 19/09/2011 10:09:41 AM - Removed AVG 2011
RP214: 20/09/2011 1:30:47 PM - System Checkpoint
RP215: 21/09/2011 2:06:43 PM - System Checkpoint
RP216: 28/09/2011 2:38:40 PM - System Checkpoint
RP217: 10/10/2011 10:08:03 AM - System Checkpoint
RP218: 12/10/2011 7:43:24 PM - Removed Java(TM) 6 Update 22
RP219: 12/10/2011 7:51:40 PM - Removed AVG 2011
RP220: 12/10/2011 7:53:10 PM - Removed AVG 2011
RP221: 12/10/2011 7:53:26 PM - Installed Java(TM) 6 Update 27
RP222: 12/10/2011 7:54:44 PM - Removed Adobe Reader X.
.
==== Installed Programs ======================
.
µTorrent
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.1.1)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal - Free Antivirus
Bonjour
Broadcom 440x 10/100 Integrated Controller
Conexant HDA D110 MDC V.92 Modem
ConvertHelper 2.2
Dell Resource CD
e-tax 2011
High Definition Audio Driver Package - KB835221
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB908673)
Hotfix for Windows XP (KB914642)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB981793)
Image Resizer Powertoy for Windows XP
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless Software
iTunes
Java Auto Updater
Java(TM) 6 Update 27
Malwarebytes' Anti-Malware version 1.51.2.1300
mCore
mDriver
mDrWiFi
Memory-Map
mHlpDell
Microsoft Office XP Professional with FrontPage
Microsoft Office XP Web Components
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
mIWA
mLogView
mMHouse
Mozilla Firefox 6.0.2 (x86 en-US)
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB973688)
mWlsSafe
mWMI
mXML
mZConfig
Nero 6 Ultra Edition
QuickTime
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981350)
Security Update for Windows XP (KB982381)
SigmaTel Audio
Switch Sound File Converter
Synaptics Pointing Device Driver
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB898461)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VideoPad Video Editor
VLC media player 1.1.9
WavePad Sound Editor
WebFldrs XP
WIDCOMM Bluetooth Software
Windows Driver Package - Ricoh Company Memorystick Host Controller (07/09/2005 1.00.01.12)
Windows Driver Package - Ricoh Company MMC Host Controller (07/14/2005 1.00.00.06)
Windows Driver Package - Ricoh Company xD-Picture Card/SmartMedia Host Controller (07/14/2005 1.00.02.04)
Windows Genuine Advantage Notifications (KB905474)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
ZENcast Organizer
.
==== Event Viewer Messages From Past Week ========
.
7/10/2011 8:39:43 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
7/10/2011 4:38:56 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
7/10/2011 4:22:02 PM, error: Dhcp [1002] - The IP address lease 192.168.1.52 for the Network Card with network address 001B7799764D has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
7/10/2011 4:21:55 PM, error: Service Control Manager [7000] - The AVGIDSAgent service failed to start due to the following error: Access is denied.
12/10/2011 9:21:43 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'afd.sys' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
12/10/2011 9:06:27 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ssmdrv Tcpip
12/10/2011 9:06:27 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/10/2011 9:06:27 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/10/2011 9:06:27 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/10/2011 9:06:27 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/10/2011 9:06:27 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/10/2011 9:06:27 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/10/2011 9:05:49 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/10/2011 9:05:47 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
12/10/2011 9:01:59 PM, error: Service Control Manager [7031] - The Avira AntiVir Guard service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
12/10/2011 9:01:59 PM, error: Service Control Manager [7000] - The Avira AntiVir Guard service failed to start due to the following error: Access is denied.
12/10/2011 9:01:18 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
11/10/2011 9:55:00 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
11/10/2011 9:55:00 PM, error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error 2147500037 (0x80004005).
.
==== End Of File ===========================
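As an added illustration (not part of the thread and not any tool's own code), a small Python triage of the DDS log above: it flags a running process whose image path uses NTFS alternate-data-stream syntax (a second colon, as in C:\WINDOWS\400631341:3537444584.exe), lists processes DDS showed without a full path, and pulls the driver names out of the Service Control Manager 7026 event. The log excerpt is constructed from the values posted above; section names and regexes are assumptions about the DDS layout shown here.

```python
import re
from typing import Dict, List

# Constructed excerpt of the DDS log posted above; the values are copied from the thread.
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\400631341:3537444584.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
.
==== Event Viewer Messages From Past Week ========
.
12/10/2011 9:06:27 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ssmdrv Tcpip
12/10/2011 9:01:59 PM, error: Service Control Manager [7000] - The Avira AntiVir Guard service failed to start due to the following error: Access is denied.
.
==== End Of File ===========================
"""

# DDS section headers look like "==== Name ====" (assumed from the log above).
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Drive letter, then a path whose last component carries a second colon:
# that is the NTFS alternate-data-stream form "file:stream".
ADS_PATH_RE = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\:]+$")
# Service Control Manager event 7026 ends with a space-separated driver list.
FAILED_DRIVERS_RE = re.compile(r"\[7026\].*failed to load:\s*(.+)$")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group the log into its '==== Name ====' sections, dropping DDS's '.' spacer lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def review_processes(lines: List[str]) -> Dict[str, List[str]]:
    """Sort running-process entries into the findings a helper would check first."""
    findings: Dict[str, List[str]] = {"ads_path": [], "no_path": []}
    for entry in lines:
        image = entry.split(" -k ")[0]  # drop svchost's service-group argument
        if ADS_PATH_RE.match(image):
            findings["ads_path"].append(image)  # image lives in an alternate data stream
        elif "\\" not in image:
            findings["no_path"].append(image)  # DDS could not show a full path; verify by hand
    return findings


def failed_boot_drivers(lines: List[str]) -> List[str]:
    """Extract the driver names from Service Control Manager event 7026 entries."""
    names: List[str] = []
    for entry in lines:
        m = FAILED_DRIVERS_RE.search(entry)
        if m:
            names.extend(m.group(1).split())
    return names


def triage(text: str) -> dict:
    """Run both checks over a DDS log and return the findings as plain data."""
    sections = split_sections(text)
    return {
        "processes": review_processes(sections.get("Running Processes", [])),
        "failed_drivers": failed_boot_drivers(
            sections.get("Event Viewer Messages From Past Week", [])
        ),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_DDS)
    for kind, images in result["processes"].items():
        for image in images:
            print(f"{kind}: {image}")
    print("drivers that failed to load:", ", ".join(result["failed_drivers"]))
```

Network-stack drivers such as AFD and Tcpip failing to load alongside an ADS-hosted process is the kind of pairing a helper reads together rather than in isolation.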
 
Welcome to TechSpot! Let's see if we can get the scans running:
1.
  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file > Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double click on TDSSKiller.exe to run the scan.
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result.
  • A reboot is required after disinfection.
=======================================
2. Then try this for Malwarebytes:
Please download randmbam.exe
It will try to create random names and shortcuts for Malwarebytes Anti-Malware (MBAM) if you have it installed already.

Once done, try running a scan again
=======================================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START > then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
3. Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
=====================================
4.
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the download button to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

Please post the entire log with heading resembling this:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=1

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
======================================
If any of these programs are a problem to scan, please let me know.
=======================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
 
Hey Bobbye, thanks for helping me out.

- I ran TDSSKiller successfully and it found two suspicious files which I quarantined. Do you need to see a log for this?
- I tried the randomly named malwarebytes shortcut and it opened, however, when I tried to run the Quick Scan it shut down the program after about 5 seconds.

Do you want me to continue with ComboFix?
 
Yes, I need the TDSSKiller log.
============================
Please do the following and then run Mbam, DDS and follow with Combofix:

Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 3 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
  • Rkill.com
  • Rkill.scr
  • Rkill.exe
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run then try to immediately run the following:

Please download exeHelper by Raktor and save it to your desktop.
  • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
  • A black window should pop up, press any key to close once the fix is completed.
  • A log file called exehelperlog.txt will be created and should open at the end of the scan.
  • A copy of that log will also be saved in the directory where you ran exeHelper.com
  • Copy and paste the contents of exehelperlog.txt in your next reply.

Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).
=======================
Logs in next reply.
 
Ok, I've run RKill followed by exeHelper and they ran successfully (logs below). However, Malwarebytes still shuts down after about 5 seconds of starting the quick scan.

11:05:17.0500 0976 TDSS rootkit removing tool 2.6.8.0 Oct 12 2011 07:30:54
11:05:18.0390 0976 ============================================================
11:05:18.0390 0976 Current date / time: 2011/10/13 11:05:18.0390
11:05:18.0390 0976 SystemInfo:
11:05:18.0390 0976
11:05:18.0390 0976 OS Version: 5.1.2600 ServicePack: 2.0
11:05:18.0390 0976 Product type: Workstation
11:05:18.0390 0976 ComputerName: KATIE-988DDAD9B
11:05:18.0390 0976 UserName: Katie Lloyd
11:05:18.0390 0976 Windows directory: C:\WINDOWS
11:05:18.0390 0976 System windows directory: C:\WINDOWS
11:05:18.0390 0976 Processor architecture: Intel x86
11:05:18.0390 0976 Number of processors: 2
11:05:18.0390 0976 Page size: 0x1000
11:05:18.0390 0976 Boot type: Normal boot
11:05:18.0390 0976 ============================================================
11:05:20.0546 0976 Initialize success
11:05:24.0109 2940 ============================================================
11:05:24.0109 2940 Scan started
11:05:24.0109 2940 Mode: Manual;
11:05:24.0109 2940 ============================================================
11:05:25.0421 2940 2d26e117 (6434d69be3c62614117f85cc10329f2c) C:\WINDOWS\400631341:3537444584.exe
11:05:25.0437 2940 Suspicious file (Hidden): C:\WINDOWS\400631341:3537444584.exe. md5: 6434d69be3c62614117f85cc10329f2c
11:05:25.0437 2940 2d26e117 ( HiddenFile.Multi.Generic ) - warning
11:05:25.0437 2940 2d26e117 - detected HiddenFile.Multi.Generic (1)
11:05:25.0453 2940 Abiosdsk - ok
11:05:25.0468 2940 abp480n5 - ok
11:05:25.0515 2940 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
11:05:25.0531 2940 ACPI - ok
11:05:25.0562 2940 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
11:05:25.0562 2940 ACPIEC - ok
11:05:25.0578 2940 adpu160m - ok
11:05:25.0625 2940 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
11:05:25.0640 2940 aec - ok
11:05:25.0703 2940 AegisP (375eb0b97e3950adef3633c27a82438b) C:\WINDOWS\system32\DRIVERS\AegisP.sys
11:05:25.0703 2940 AegisP - ok
11:05:25.0750 2940 AFD (298a94d6afc5c37e22310f24bf3e0ed0) C:\WINDOWS\System32\drivers\afd.sys
11:05:25.0750 2940 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: 298a94d6afc5c37e22310f24bf3e0ed0, Fake md5: 55e6e1c51b6d30e54335750955453702
11:05:25.0750 2940 AFD ( ForgedFile.Multi.Generic ) - warning
11:05:25.0750 2940 AFD - detected ForgedFile.Multi.Generic (1)
11:05:25.0765 2940 Aha154x - ok
11:05:25.0781 2940 aic78u2 - ok
11:05:25.0796 2940 aic78xx - ok
11:05:25.0812 2940 AliIde - ok
11:05:25.0812 2940 amsint - ok
11:05:25.0859 2940 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
11:05:25.0859 2940 Arp1394 - ok
11:05:25.0875 2940 asc - ok
11:05:25.0875 2940 asc3350p - ok
11:05:25.0890 2940 asc3550 - ok
11:05:25.0921 2940 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
11:05:25.0921 2940 AsyncMac - ok
11:05:25.0984 2940 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
11:05:25.0984 2940 atapi - ok
11:05:25.0984 2940 Atdisk - ok
11:05:26.0015 2940 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
11:05:26.0031 2940 Atmarpc - ok
11:05:26.0093 2940 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
11:05:26.0093 2940 audstub - ok
11:05:26.0296 2940 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
11:05:26.0296 2940 avgio - ok
11:05:26.0359 2940 avgntflt (1e4114685de1ffa9675e09c6a1fb3f4b) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
11:05:26.0359 2940 avgntflt - ok
11:05:26.0390 2940 avipbb (0f78d3dae6dedd99ae54c9491c62adf2) C:\WINDOWS\system32\DRIVERS\avipbb.sys
11:05:26.0390 2940 avipbb - ok
11:05:26.0437 2940 bcm4sbxp (cd4646067cc7dcba1907fa0acf7e3966) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
11:05:26.0437 2940 bcm4sbxp - ok
11:05:26.0468 2940 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
11:05:26.0468 2940 Beep - ok
11:05:26.0500 2940 bsusbser - ok
11:05:26.0546 2940 btaudio (8893ae0b6b9b60e0521a60e8b2160216) C:\WINDOWS\system32\drivers\btaudio.sys
11:05:26.0562 2940 btaudio - ok
11:05:26.0593 2940 BTDriver (fde318e3569f57264af74b7e431f60ae) C:\WINDOWS\system32\DRIVERS\btport.sys
11:05:26.0593 2940 BTDriver - ok
11:05:26.0703 2940 BTKRNL (9c3c8b9e2eda516eb44b51dab81dbd68) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
11:05:26.0718 2940 BTKRNL - ok
11:05:26.0734 2940 BTSERIAL (089f7526ff41c17b0a43896d0553d5a2) C:\WINDOWS\system32\drivers\btserial.sys
11:05:26.0734 2940 BTSERIAL - ok
11:05:26.0765 2940 BTWDNDIS (28531ab3183f498e58d93d585e6a6b70) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
11:05:26.0765 2940 BTWDNDIS - ok
11:05:26.0812 2940 btwhid (c5c0e21c67089f053b964e0a8b8adbac) C:\WINDOWS\system32\DRIVERS\btwhid.sys
11:05:26.0812 2940 btwhid - ok
11:05:26.0843 2940 btwmodem (7d295223c172ab4d61dc256721b2f09e) C:\WINDOWS\system32\DRIVERS\btwmodem.sys
11:05:26.0843 2940 btwmodem - ok
11:05:26.0921 2940 BTWUSB (56c701580f2891952761362ba7594b3d) C:\WINDOWS\system32\Drivers\btwusb.sys
11:05:26.0921 2940 BTWUSB - ok
11:05:26.0968 2940 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
11:05:26.0968 2940 cbidf2k - ok
11:05:26.0968 2940 cd20xrnt - ok
11:05:27.0015 2940 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
11:05:27.0015 2940 Cdaudio - ok
11:05:27.0062 2940 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
11:05:27.0062 2940 Cdfs - ok
11:05:27.0093 2940 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
11:05:27.0093 2940 Cdrom - ok
11:05:27.0109 2940 Changer - ok
11:05:27.0156 2940 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
11:05:27.0156 2940 CmBatt - ok
11:05:27.0203 2940 CmdIde - ok
11:05:27.0218 2940 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
11:05:27.0218 2940 Compbatt - ok
11:05:27.0234 2940 Cpqarray - ok
11:05:27.0250 2940 dac2w2k - ok
11:05:27.0265 2940 dac960nt - ok
11:05:27.0281 2940 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
11:05:27.0281 2940 Disk - ok
11:05:27.0375 2940 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
11:05:27.0390 2940 dmboot - ok
11:05:27.0406 2940 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
11:05:27.0421 2940 dmio - ok
11:05:27.0437 2940 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
11:05:27.0437 2940 dmload - ok
11:05:27.0484 2940 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
11:05:27.0484 2940 DMusic - ok
11:05:27.0484 2940 dpti2o - ok
11:05:27.0500 2940 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
11:05:27.0500 2940 drmkaud - ok
11:05:27.0562 2940 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
11:05:27.0578 2940 Fastfat - ok
11:05:27.0640 2940 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
11:05:27.0640 2940 Fdc - ok
11:05:27.0656 2940 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
11:05:27.0656 2940 Fips - ok
11:05:27.0671 2940 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
11:05:27.0671 2940 Flpydisk - ok
11:05:27.0718 2940 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
11:05:27.0718 2940 FltMgr - ok
11:05:27.0750 2940 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
11:05:27.0750 2940 Fs_Rec - ok
11:05:27.0765 2940 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
11:05:27.0781 2940 Ftdisk - ok
11:05:27.0828 2940 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
11:05:27.0828 2940 GEARAspiWDM - ok
11:05:27.0859 2940 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
11:05:27.0859 2940 Gpc - ok
11:05:27.0921 2940 HDAudBus (e31363d186b3e1d7c4e9117884a6aee5) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
11:05:27.0921 2940 HDAudBus - ok
11:05:27.0968 2940 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
11:05:27.0968 2940 hidusb - ok
11:05:27.0984 2940 hpn - ok
11:05:28.0062 2940 HSF_DPV (e8ec1767ea315a39a0dd8989952ca0e9) C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
11:05:28.0078 2940 HSF_DPV - ok
11:05:28.0140 2940 HSXHWAZL (61478fa42ee04562e7f11f4dca87e9c8) C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
11:05:28.0140 2940 HSXHWAZL - ok
11:05:28.0203 2940 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
11:05:28.0203 2940 HTTP - ok
11:05:28.0265 2940 i2omgmt - ok
11:05:28.0265 2940 i2omp - ok
11:05:28.0312 2940 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
11:05:28.0312 2940 i8042prt - ok
11:05:28.0406 2940 ialm (cc449157474d5e43daea7e20f52c635a) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
11:05:28.0437 2940 ialm - ok
11:05:28.0500 2940 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
11:05:28.0500 2940 Imapi - ok
11:05:28.0531 2940 ini910u - ok
11:05:28.0546 2940 IntelIde - ok
11:05:28.0593 2940 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
11:05:28.0593 2940 intelppm - ok
11:05:28.0625 2940 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
11:05:28.0625 2940 Ip6Fw - ok
11:05:28.0656 2940 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
11:05:28.0656 2940 IpFilterDriver - ok
11:05:28.0671 2940 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
11:05:28.0671 2940 IpInIp - ok
11:05:28.0703 2940 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
11:05:28.0718 2940 IpNat - ok
11:05:28.0765 2940 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
11:05:28.0765 2940 IPSec - ok
11:05:28.0843 2940 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
11:05:28.0843 2940 IRENUM - ok
11:05:28.0875 2940 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
11:05:28.0890 2940 isapnp - ok
11:05:28.0921 2940 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
11:05:28.0937 2940 Kbdclass - ok
11:05:28.0953 2940 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
11:05:28.0953 2940 kbdhid - ok
11:05:29.0000 2940 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
11:05:29.0015 2940 kmixer - ok
11:05:29.0062 2940 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
11:05:29.0078 2940 KSecDD - ok
11:05:29.0109 2940 lbrtfdc - ok
11:05:29.0156 2940 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
11:05:29.0156 2940 mdmxsdk - ok
11:05:29.0187 2940 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
11:05:29.0187 2940 mnmdd - ok
11:05:29.0218 2940 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
11:05:29.0234 2940 Modem - ok
11:05:29.0265 2940 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
11:05:29.0265 2940 Mouclass - ok
11:05:29.0281 2940 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
11:05:29.0281 2940 mouhid - ok
11:05:29.0312 2940 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
11:05:29.0312 2940 MountMgr - ok
11:05:29.0343 2940 mraid35x - ok
11:05:29.0375 2940 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
11:05:29.0375 2940 MRxDAV - ok
11:05:29.0437 2940 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
11:05:29.0453 2940 MRxSmb - ok
11:05:29.0484 2940 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
11:05:29.0484 2940 Msfs - ok
11:05:29.0531 2940 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
11:05:29.0531 2940 MSKSSRV - ok
11:05:29.0546 2940 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
11:05:29.0546 2940 MSPCLOCK - ok
11:05:29.0562 2940 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
11:05:29.0562 2940 MSPQM - ok
11:05:29.0640 2940 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
11:05:29.0640 2940 mssmbios - ok
11:05:29.0671 2940 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
11:05:29.0671 2940 Mup - ok
11:05:29.0703 2940 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
11:05:29.0718 2940 NDIS - ok
11:05:29.0750 2940 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
11:05:29.0765 2940 NdisTapi - ok
11:05:29.0796 2940 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
11:05:29.0796 2940 Ndisuio - ok
11:05:29.0828 2940 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
11:05:29.0828 2940 NdisWan - ok
11:05:29.0859 2940 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
11:05:29.0859 2940 NDProxy - ok
11:05:29.0875 2940 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
11:05:29.0875 2940 NetBIOS - ok
11:05:29.0937 2940 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
11:05:29.0937 2940 NetBT - ok
11:05:30.0062 2940 NETw3x32 (71371ed9086a3d65f43967c89634e9a9) C:\WINDOWS\system32\DRIVERS\NETw3x32.sys
11:05:30.0109 2940 NETw3x32 - ok
11:05:30.0140 2940 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
11:05:30.0140 2940 NIC1394 - ok
11:05:30.0203 2940 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
11:05:30.0203 2940 Npfs - ok
11:05:30.0250 2940 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
11:05:30.0265 2940 Ntfs - ok
11:05:30.0312 2940 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
11:05:30.0312 2940 Null - ok
11:05:30.0359 2940 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
11:05:30.0359 2940 NwlnkFlt - ok
11:05:30.0359 2940 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
11:05:30.0375 2940 NwlnkFwd - ok
11:05:30.0390 2940 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
11:05:30.0390 2940 ohci1394 - ok
11:05:30.0453 2940 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
11:05:30.0453 2940 Parport - ok
11:05:30.0484 2940 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
11:05:30.0484 2940 PartMgr - ok
11:05:30.0515 2940 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
11:05:30.0515 2940 ParVdm - ok
11:05:30.0546 2940 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
11:05:30.0562 2940 PCI - ok
11:05:30.0562 2940 PCIDump - ok
11:05:30.0578 2940 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
11:05:30.0578 2940 PCIIde - ok
11:05:30.0625 2940 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
11:05:30.0625 2940 Pcmcia - ok
11:05:30.0640 2940 PDCOMP - ok
11:05:30.0656 2940 PDFRAME - ok
11:05:30.0656 2940 PDRELI - ok
11:05:30.0671 2940 PDRFRAME - ok
11:05:30.0687 2940 perc2 - ok
11:05:30.0703 2940 perc2hib - ok
11:05:30.0734 2940 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
11:05:30.0734 2940 PptpMiniport - ok
11:05:30.0796 2940 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
11:05:30.0796 2940 PSched - ok
11:05:30.0828 2940 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
11:05:30.0828 2940 Ptilink - ok
11:05:30.0843 2940 ql1080 - ok
11:05:30.0859 2940 Ql10wnt - ok
11:05:30.0875 2940 ql12160 - ok
11:05:30.0890 2940 ql1240 - ok
11:05:30.0890 2940 ql1280 - ok
11:05:30.0921 2940 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
11:05:30.0921 2940 RasAcd - ok
11:05:30.0953 2940 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
11:05:30.0953 2940 Rasl2tp - ok
11:05:30.0968 2940 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
11:05:30.0968 2940 RasPppoe - ok
11:05:30.0968 2940 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
11:05:30.0968 2940 Raspti - ok
11:05:31.0000 2940 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
11:05:31.0000 2940 Rdbss - ok
11:05:31.0015 2940 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
11:05:31.0015 2940 RDPCDD - ok
11:05:31.0046 2940 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
11:05:31.0046 2940 rdpdr - ok
11:05:31.0093 2940 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
11:05:31.0109 2940 RDPWD - ok
11:05:31.0203 2940 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
11:05:31.0203 2940 redbook - ok
11:05:31.0234 2940 rimmptsk (24ed7af20651f9fa1f249482e7c1f165) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
11:05:31.0234 2940 rimmptsk - ok
11:05:31.0250 2940 rimsptsk (1bdba2d2d402415a78a4ba766dfe0f7b) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
11:05:31.0250 2940 rimsptsk - ok
11:05:31.0296 2940 rismxdp (f774ecd11a064f0debb2d4395418153c) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
11:05:31.0296 2940 rismxdp - ok
11:05:31.0359 2940 s24trans (daef68fc328342d219de928c8ee610b2) C:\WINDOWS\system32\DRIVERS\s24trans.sys
11:05:31.0359 2940 s24trans - ok
11:05:31.0406 2940 sdbus (02fc71b020ec8700ee8a46c58bc6f276) C:\WINDOWS\system32\DRIVERS\sdbus.sys
11:05:31.0421 2940 sdbus - ok
11:05:31.0437 2940 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
11:05:31.0437 2940 Secdrv - ok
11:05:31.0515 2940 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
11:05:31.0531 2940 Serial - ok
11:05:31.0546 2940 sffdisk (1d9f1bec651815741f088a8fb88e17ee) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
11:05:31.0546 2940 sffdisk - ok
11:05:31.0562 2940 sffp_sd (586499fd312ffd7f78553f408e71682e) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
11:05:31.0562 2940 sffp_sd - ok
11:05:31.0593 2940 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
11:05:31.0593 2940 Sfloppy - ok
11:05:31.0609 2940 Simbad - ok
11:05:31.0625 2940 Sparrow - ok
11:05:31.0656 2940 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
11:05:31.0656 2940 splitter - ok
11:05:31.0703 2940 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
11:05:31.0703 2940 sr - ok
11:05:31.0750 2940 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
11:05:31.0765 2940 Srv - ok
11:05:31.0843 2940 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
11:05:31.0843 2940 ssmdrv - ok
11:05:31.0921 2940 STHDA (3ad78e22210d3fbd9f76de84a8df19b5) C:\WINDOWS\system32\drivers\sthda.sys
11:05:31.0937 2940 STHDA - ok
11:05:32.0000 2940 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
11:05:32.0000 2940 swenum - ok
11:05:32.0031 2940 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
11:05:32.0031 2940 swmidi - ok
11:05:32.0093 2940 symc810 - ok
11:05:32.0109 2940 symc8xx - ok
11:05:32.0109 2940 sym_hi - ok
11:05:32.0125 2940 sym_u3 - ok
11:05:32.0187 2940 SynTP (fa2daa32bed908023272a0f77d625dae) C:\WINDOWS\system32\DRIVERS\SynTP.sys
11:05:32.0187 2940 SynTP - ok
11:05:32.0218 2940 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
11:05:32.0218 2940 sysaudio - ok
11:05:32.0281 2940 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
11:05:32.0296 2940 Tcpip - ok
11:05:32.0312 2940 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
11:05:32.0328 2940 TDPIPE - ok
11:05:32.0343 2940 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
11:05:32.0343 2940 TDTCP - ok
11:05:32.0421 2940 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
11:05:32.0421 2940 TermDD - ok
11:05:32.0437 2940 TosIde - ok
11:05:32.0484 2940 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
11:05:32.0484 2940 Udfs - ok
11:05:32.0500 2940 ultra - ok
11:05:32.0531 2940 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
11:05:32.0531 2940 Update - ok
11:05:32.0578 2940 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
11:05:32.0578 2940 usbccgp - ok
11:05:32.0609 2940 usbehci (708579b01fed227aadb393cb0c3b4a2c) C:\WINDOWS\system32\DRIVERS\usbehci.sys
11:05:32.0609 2940 usbehci - ok
11:05:32.0625 2940 usbhub (ace960e54148821e8e48f5d191562c28) C:\WINDOWS\system32\DRIVERS\usbhub.sys
11:05:32.0640 2940 usbhub - ok
11:05:32.0687 2940 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
11:05:32.0687 2940 USBSTOR - ok
11:05:32.0781 2940 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
11:05:32.0781 2940 usbuhci - ok
11:05:32.0812 2940 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
11:05:32.0812 2940 VgaSave - ok
11:05:32.0812 2940 ViaIde - ok
11:05:32.0859 2940 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
11:05:32.0859 2940 VolSnap - ok
11:05:32.0890 2940 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
11:05:32.0890 2940 Wanarp - ok
11:05:32.0890 2940 WDICA - ok
11:05:32.0953 2940 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
11:05:32.0953 2940 wdmaud - ok
11:05:33.0015 2940 winachsf (ba6b6fb242a6ba4068c8b763063beb63) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
11:05:33.0031 2940 winachsf - ok
11:05:33.0140 2940 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
11:05:33.0140 2940 WmiAcpi - ok
11:05:33.0203 2940 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
11:05:33.0203 2940 WpdUsb - ok
11:05:33.0250 2940 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
11:05:33.0265 2940 WudfPf - ok
11:05:33.0265 2940 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
11:05:33.0281 2940 WudfRd - ok
11:05:33.0312 2940 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
11:05:33.0453 2940 \Device\Harddisk0\DR0 - ok
11:05:33.0453 2940 Boot (0x1200) (d0081d4c561a6ae3504f51832644b1a8) \Device\Harddisk0\DR0\Partition0
11:05:33.0453 2940 \Device\Harddisk0\DR0\Partition0 - ok
11:05:33.0453 2940 ============================================================
11:05:33.0453 2940 Scan finished
11:05:33.0453 2940 ============================================================
11:05:33.0468 3256 Detected object count: 2
11:05:33.0468 3256 Actual detected object count: 2
11:06:12.0140 3256 C:\WINDOWS\400631341:3537444584.exe - copied to quarantine
11:06:12.0140 3256 2d26e117 ( HiddenFile.Multi.Generic ) - User select action: Quarantine
11:06:12.0218 3256 C:\WINDOWS\System32\drivers\afd.sys - copied to quarantine
11:06:12.0218 3256 AFD ( ForgedFile.Multi.Generic ) - User select action: Quarantine
11:06:17.0656 1100 Deinitialize success



This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 14/10/2011 at 12:47:48.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE


Rkill completed on 14/10/2011 at 12:47:54.




exeHelper by Raktor
Build 20100414
Run at 12:49:01 on 10/14/11
Now searching...
Checking for numerical processes...
Killed numerical process 400631341:3537444584
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
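The TDSSKiller log above carries two findings worth pulling out mechanically rather than by eye: a hidden object whose path has a second colon after the drive letter (an NTFS alternate data stream under C:\WINDOWS), and a system driver (afd.sys) whose on-disk MD5 differs from the MD5 the running system presented for it, which is why the tool labels it "Forged". The parser below is an added example written for this thread; it is not TDSSKiller's code and not something the helper posted. It assumes only the line layout visible in the log (timestamp, PID, message) and the message shapes shown there; the function names (`parse_tdsskiller_log`, `summarize`, `is_ads_path`) and the `Detection` record are my own, and the sample lines are copied from the posted log so it runs offline.

```python
"""Pull the detections out of a TDSSKiller-style scan log.

Added example, not code from TDSSKiller or from the forum helper.
Assumes the line layout seen in the posted log:
    HH:MM:SS.mmmm  PID  message
and these message shapes:
    <svc> (<md5>) <path>                                   object enumerated
    Suspicious file (Hidden): <path>. md5: <md5>           hidden object
    Suspicious file (Forged): <path>. Real md5: <a>, Fake md5: <b>
    <svc> - detected <verdict> (<n>)                       verdict line
    Detected object count: <n>                             tool's own total
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the posted log (the two detections
# plus ordinary "ok" lines), enough to exercise every branch offline.
SAMPLE_LOG = r"""
11:05:24.0109 2940 Scan started
11:05:25.0421 2940 2d26e117 (6434d69be3c62614117f85cc10329f2c) C:\WINDOWS\400631341:3537444584.exe
11:05:25.0437 2940 Suspicious file (Hidden): C:\WINDOWS\400631341:3537444584.exe. md5: 6434d69be3c62614117f85cc10329f2c
11:05:25.0437 2940 2d26e117 ( HiddenFile.Multi.Generic ) - warning
11:05:25.0437 2940 2d26e117 - detected HiddenFile.Multi.Generic (1)
11:05:25.0515 2940 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
11:05:25.0531 2940 ACPI - ok
11:05:25.0750 2940 AFD (298a94d6afc5c37e22310f24bf3e0ed0) C:\WINDOWS\System32\drivers\afd.sys
11:05:25.0750 2940 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: 298a94d6afc5c37e22310f24bf3e0ed0, Fake md5: 55e6e1c51b6d30e54335750955453702
11:05:25.0750 2940 AFD ( ForgedFile.Multi.Generic ) - warning
11:05:25.0750 2940 AFD - detected ForgedFile.Multi.Generic (1)
11:05:33.0453 2940 Scan finished
11:05:33.0468 3256 Detected object count: 2
"""

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<msg>.*)$")
ENTRY_RE = re.compile(r"^(?P<svc>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
HIDDEN_RE = re.compile(r"^Suspicious file \(Hidden\): (?P<path>.+?)\. md5: (?P<md5>[0-9a-f]{32})$")
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$"
)
VERDICT_RE = re.compile(r"^(?P<svc>\S+) - detected (?P<verdict>\S+) \(\d+\)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")


@dataclass
class Detection:
    kind: str                       # "hidden" or "forged"
    path: str
    md5: Optional[str] = None       # hash reported for a hidden object
    real_md5: Optional[str] = None  # hash of the bytes actually on disk
    fake_md5: Optional[str] = None  # hash the live system presented instead
    ads: bool = False               # path names an NTFS alternate data stream
    verdict: Optional[str] = None   # e.g. HiddenFile.Multi.Generic


def is_ads_path(path: str) -> bool:
    """True when a Windows path has a stream separator beyond the drive colon."""
    tail = re.sub(r"^[A-Za-z]:", "", path)
    return ":" in tail


def parse_tdsskiller_log(text: str) -> List[Detection]:
    """Return suspicious-file detections, each tied to its later verdict line."""
    detections: Dict[str, Detection] = {}  # keyed by path, insertion ordered
    path_by_svc: Dict[str, str] = {}       # enumeration lines: service -> path
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                        # banners, separators, blank lines
        msg = m.group("msg")
        if h := HIDDEN_RE.match(msg):
            p = h.group("path")
            detections[p] = Detection("hidden", p, md5=h.group("md5"), ads=is_ads_path(p))
        elif f := FORGED_RE.match(msg):
            p = f.group("path")
            detections[p] = Detection("forged", p, real_md5=f.group("real"),
                                      fake_md5=f.group("fake"), ads=is_ads_path(p))
        elif v := VERDICT_RE.match(msg):
            p = path_by_svc.get(v.group("svc"))
            if p in detections:
                detections[p].verdict = v.group("verdict")
        elif e := ENTRY_RE.match(msg):
            path_by_svc[e.group("svc")] = e.group("path")
    return list(detections.values())


def summarize(text: str) -> dict:
    """Cross-check the tool's own 'Detected object count' against what was parsed."""
    dets = parse_tdsskiller_log(text)
    reported = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and (c := COUNT_RE.match(m.group("msg"))):
            reported = int(c.group("n"))
    return {
        "parsed_count": len(dets),
        "reported_count": reported,
        "consistent": reported == len(dets),
        "hidden_ads": [d.path for d in dets if d.kind == "hidden" and d.ads],
        "forged": [d.path for d in dets if d.kind == "forged"],
    }


if __name__ == "__main__":
    for d in parse_tdsskiller_log(SAMPLE_LOG):
        print(d)
    print(summarize(SAMPLE_LOG))
```

Run against the full log as posted, `summarize` reports two detections, agreeing with the tool's own "Detected object count: 2"; the `consistent` flag is there so a mismatch between the tool's count and the parsed findings (a line shape the regexes did not anticipate) is noticed rather than silently dropped. The `real_md5`/`fake_md5` pair on the forged entry is the value a defender keeps: the "real" hash is what the bytes on disk are, the "fake" hash is what the live system was returning for the same file.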
 
Combofix ran successfully.

ComboFix 11-10-14.04 - Katie Lloyd 16/10/2011 8:38.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1673 [GMT 11:00]
Running from: c:\documents and settings\Katie Lloyd\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Katie Lloyd\Application Data\PriceGong
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Katie Lloyd\Application Data\PriceGong\Data\z.xml
c:\windows\$NtUninstallKB13262$
c:\windows\$NtUninstallKB13262$\450235846
c:\windows\$NtUninstallKB13262$\757522711\@
c:\windows\$NtUninstallKB13262$\757522711\bckfg.tmp
c:\windows\$NtUninstallKB13262$\757522711\cfg.ini
c:\windows\$NtUninstallKB13262$\757522711\Desktop.ini
c:\windows\$NtUninstallKB13262$\757522711\keywords
c:\windows\$NtUninstallKB13262$\757522711\kwrd.dll
c:\windows\$NtUninstallKB13262$\757522711\L\drriaddo
c:\windows\$NtUninstallKB13262$\757522711\U\00000001.@
c:\windows\$NtUninstallKB13262$\757522711\U\00000002.@
c:\windows\$NtUninstallKB13262$\757522711\U\80000000.@
c:\windows\$NtUninstallKB13262$\757522711\U\80000032.@
c:\windows\system32\d3d9caps.dat
c:\windows\system32\drivers\1028_DELL_XPS_MM061 .MRK
c:\windows\system32\drivers\DELL_XPS_MM061 .MRK
.
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_2d26e117
.
.
((((((((((((((((((((((((( Files Created from 2011-09-15 to 2011-10-15 )))))))))))))))))))))))))))))))
.
.
2011-10-15 04:18 . 2008-08-14 09:51 138368 -c--a-w- c:\windows\system32\dllcache\afd.sys
2011-10-15 04:18 . 2008-08-14 09:51 138368 ----a-w- c:\windows\system32\drivers\afd.sys
2011-10-13 00:28 . 2011-10-14 01:58 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-13 00:27 . 2011-10-14 01:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-13 00:27 . 2011-08-31 06:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-12 09:45 . 2011-10-12 09:45 -------- d-----w- c:\documents and settings\Katie Lloyd\Application Data\Avira
2011-10-12 09:36 . 2011-07-21 01:15 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-10-12 09:36 . 2011-10-12 09:36 -------- d-----w- c:\program files\Avira
2011-10-12 09:36 . 2011-10-12 09:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-10-12 09:36 . 2011-07-21 01:15 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-10-12 09:36 . 2010-06-17 04:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-10-12 09:36 . 2010-06-17 04:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-10-12 08:55 . 2011-10-12 08:55 -------- d-----w- c:\program files\Common Files\Adobe
2011-10-12 08:53 . 2011-10-12 08:53 -------- d-----w- c:\program files\Common Files\Java
2011-10-12 08:53 . 2011-10-12 08:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-10-12 08:53 . 2011-10-12 08:53 -------- d-----w- c:\program files\Java
2011-09-28 02:51 . 2011-09-28 02:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-09-28 02:51 . 2011-09-28 02:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2011-09-26 11:24 . 2011-09-26 11:24 -------- d-----w- C:\TDSSKiller_Quarantine
2011-09-22 00:43 . 2011-10-13 00:11 -------- d-----w- c:\program files\Antivirus Programs
2011-09-21 01:31 . 2011-09-21 01:35 -------- d-----w- c:\documents and settings\Administrator
2011-09-20 08:07 . 2011-09-20 08:07 -------- d-----w- c:\documents and settings\Katie Lloyd\Application Data\Malwarebytes
2011-09-20 08:07 . 2011-09-20 08:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-20 06:15 . 2011-09-20 06:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2011-09-20 06:15 . 2011-09-20 06:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-09-20 05:39 . 2011-09-20 05:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-12 08:53 . 2011-02-02 09:46 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-31 13:20 . 2011-07-26 12:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-20 281768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVIMlctM1NYM0UtR0hHWDktQUZISjMtUFcyUU4tWjlLSDQ&inst=NzctNzI1NTI0NzE2LUxJQysxLUZMMTArMS1TUDErMS1TUDFUQisxLVNVUCs0LVNQMVM0KzEtRERUKzU0NzkwLUREMTBGKzEtTFNEKzItU1QxMEZBUFArMS1TMTBGRERGKzE&prod=90&ver=10.0.1410" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/10/2011 8:36 PM 136360]
S3 bsusbser;Basecom USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\bsusbser.sys --> c:\windows\system32\DRIVERS\bsusbser.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 00:50]
.
2011-02-18 c:\windows\Tasks\switchSevenDays.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2011-02-18 13:21]
.
2011-02-18 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2011-02-18 13:21]
.
2011-08-07 c:\windows\Tasks\videopadDowngrade.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2011-07-10 09:15]
.
2011-08-02 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2011-07-10 09:15]
.
2011-08-07 c:\windows\Tasks\wavepadDowngrade.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-02-18 13:04]
.
2011-08-02 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-02-18 13:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Katie Lloyd\Application Data\Mozilla\Firefox\Profiles\m2mwbwff.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.01.01
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\BitTorrentBar\tbBitT.dll
BHO-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\BitTorrentBar\tbBitT.dll
Toolbar-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\BitTorrentBar\tbBitT.dll
WebBrowser-{88C7F2AA-F93F-432C-8F0E-B7D85967A527} - c:\program files\BitTorrentBar\tbBitT.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-16 08:57
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(288)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2011-10-16 09:00:20 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-15 22:00
.
Pre-Run: 37,182,332,928 bytes free
Post-Run: 40,276,930,560 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 9B853D07A5B752EFAF53E833406AE5BA
 
Okay- looks good!- just a few more to remove:

Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
Folder::
c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
c:\documents and settings\LocalService\Local Settings\Application Data\Temp
c:\program files\Antivirus Programs
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
============================================
Please run the following:
Download CKScanner and save to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents
    in your next reply.
==========================================
Download Security Check by screen317 from one of these links:
Link1
Link 2
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
 
All three ran successfully.


ComboFix 11-10-15.04 - Katie Lloyd 16/10/2011 20:12:30.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1550 [GMT 11:00]
Running from: c:\documents and settings\Katie Lloyd\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Katie Lloyd\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
c:\program files\Antivirus Programs
c:\program files\Antivirus Programs\807zsspv.exe
c:\program files\Antivirus Programs\AppRemover(1).exe
c:\program files\Antivirus Programs\avira_antivir_personal_en.exe
c:\program files\Antivirus Programs\logs\attach.txt
c:\program files\Antivirus Programs\logs\DDS.txt
c:\program files\Antivirus Programs\logs\exehelperlog.txt
c:\program files\Antivirus Programs\logs\rkill.log
c:\program files\Antivirus Programs\logs\TDSSKiller.2.6.8.0_13.10.2011_11.05.17_log.txt
c:\program files\Antivirus Programs\randmbam.exe
c:\program files\Antivirus Programs\tdsskiller\eula.txt
c:\program files\Antivirus Programs\tdsskiller\TDSSKiller.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-09-16 to 2011-10-16 )))))))))))))))))))))))))))))))
.
.
2011-10-15 22:47 . 2011-10-15 22:47 -------- d-----w- c:\program files\ESET
2011-10-15 04:18 . 2008-08-14 09:51 138368 -c--a-w- c:\windows\system32\dllcache\afd.sys
2011-10-15 04:18 . 2008-08-14 09:51 138368 ----a-w- c:\windows\system32\drivers\afd.sys
2011-10-13 00:28 . 2011-10-14 01:58 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-13 00:27 . 2011-10-14 01:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-13 00:27 . 2011-08-31 06:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-12 09:45 . 2011-10-12 09:45 -------- d-----w- c:\documents and settings\Katie Lloyd\Application Data\Avira
2011-10-12 09:36 . 2011-07-21 01:15 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-10-12 09:36 . 2011-10-12 09:36 -------- d-----w- c:\program files\Avira
2011-10-12 09:36 . 2011-10-12 09:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-10-12 09:36 . 2011-07-21 01:15 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-10-12 09:36 . 2010-06-17 04:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-10-12 09:36 . 2010-06-17 04:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-10-12 08:55 . 2011-10-12 08:55 -------- d-----w- c:\program files\Common Files\Adobe
2011-10-12 08:53 . 2011-10-12 08:53 -------- d-----w- c:\program files\Common Files\Java
2011-10-12 08:53 . 2011-10-12 08:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-10-12 08:53 . 2011-10-12 08:53 -------- d-----w- c:\program files\Java
2011-09-28 02:51 . 2011-09-28 02:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-09-28 02:51 . 2011-09-28 02:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2011-09-26 11:24 . 2011-09-26 11:24 -------- d-----w- C:\TDSSKiller_Quarantine
2011-09-21 01:31 . 2011-09-21 01:35 -------- d-----w- c:\documents and settings\Administrator
2011-09-20 08:07 . 2011-09-20 08:07 -------- d-----w- c:\documents and settings\Katie Lloyd\Application Data\Malwarebytes
2011-09-20 08:07 . 2011-09-20 08:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-20 06:15 . 2011-09-20 06:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-09-20 05:39 . 2011-09-20 05:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-12 08:53 . 2011-02-02 09:46 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-31 13:20 . 2011-07-26 12:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-15_21.57.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-16 09:00 . 2011-10-16 09:00 16384 c:\windows\Temp\Perflib_Perfdata_280.dat
+ 2001-08-23 12:00 . 2011-10-16 09:04 40394 c:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2011-10-15 21:43 40394 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2011-10-16 09:04 312172 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2011-10-15 21:43 312172 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-20 281768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVIMlctM1NYM0UtR0hHWDktQUZISjMtUFcyUU4tWjlLSDQ&inst=NzctNzI1NTI0NzE2LUxJQysxLUZMMTArMS1TUDErMS1TUDFUQisxLVNVUCs0LVNQMVM0KzEtRERUKzU0NzkwLUREMTBGKzEtTFNEKzItU1QxMEZBUFArMS1TMTBGRERGKzE&prod=90&ver=10.0.1410" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/10/2011 8:36 PM 136360]
S3 bsusbser;Basecom USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\bsusbser.sys --> c:\windows\system32\DRIVERS\bsusbser.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 00:50]
.
2011-02-18 c:\windows\Tasks\switchSevenDays.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2011-02-18 13:21]
.
2011-02-18 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2011-02-18 13:21]
.
2011-08-07 c:\windows\Tasks\videopadDowngrade.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2011-07-10 09:15]
.
2011-08-02 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2011-07-10 09:15]
.
2011-08-07 c:\windows\Tasks\wavepadDowngrade.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-02-18 13:04]
.
2011-08-02 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-02-18 13:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 10.1.1.1
FF - ProfilePath - c:\documents and settings\Katie Lloyd\Application Data\Mozilla\Firefox\Profiles\m2mwbwff.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.01.01
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-16 20:17
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-10-16 20:18:20
ComboFix-quarantined-files.txt 2011-10-16 09:18
ComboFix2.txt 2011-10-15 22:00
.
Pre-Run: 40,224,841,728 bytes free
Post-Run: 40,128,217,088 bytes free
.
- - End Of File - - 53396A0992328EB0AC519DBBCE8D50E8


================================================================

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11.MFAAVH
----- EOF -----


================================================================


Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 2 x86
Out of date service pack!!
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
Avira AntiVir Personal - Free Antivirus
ESET Online Scanner v3
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 27
Adobe Flash Player ( 10.3.183.7) Flash Player Out of Date!
Adobe Reader X (10.1.1)
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````End of Log````````````
 
I'm not sure what these deletions are:
c:\program files\Antivirus Programs
c:\program files\Antivirus Programs\807zsspv.exe
c:\program files\Antivirus Programs\AppRemover(1).exe
c:\program files\Antivirus Programs\avira_antivir_personal_en.exe
c:\program files\Antivirus Programs\logs\attach.txt
c:\program files\Antivirus Programs\logs\DDS.txt
c:\program files\Antivirus Programs\logs\exehelperlog.txt
c:\program files\Antivirus Programs\logs\rkill.log
c:\program files\Antivirus Programs\logs\TDSSKiller.2.6.8.0_13.10.2011_11.05.17_log.txt
c:\program files\Antivirus Programs\randmbam.exe
c:\program files\Antivirus Programs\tdsskiller\eula.txt
c:\program files\Antivirus Programs\tdsskiller\TDSSKiller.exe

I put the 1 entry c:\program files\Antivirus Programs for removal because there is no program named Antivirus Programs. If you wanted to create a Directory to keep all these programs together it would have been C:\Antivirus Programs NOT in C:\Program files.

If that is the case, then I need to restore those files and you need to set up a directory correctly.

Please let me know before we go any further. Don't try to do anything yourself- just let me know. The scans I had you run were to be saved to the desktop not program files.
 
Sorry about that. I think I created that folder to store some antivirus software when I was trying to fix this myself (silly me). All of the programs you have asked me to run have been saved to my desktop, except TDSSKiller for some reason. I'm not sure why I didn't save this to the desktop.

Apologies if this has caused you some trouble. I appreciate all the help you've been providing and I'll follow any further steps exactly.
 
Yes I'd like to continue. I was awaiting your reply about restoring the deleted files and whatever the next steps were.

Cheers
 
Do you understand about a 'directory' vs a 'program folder'? You can set up a Directory, which can be a folder to group processes: Example could be C:\malwarescans. Then you could put all the scanning programs in that Directory. (Please don't do this now!)

But a Program folder contains processes for a specific program including dll, exe, sys, etc. files. Example would be c:\program files\Avira which is a folder containing the files needed for Avira.

But you cannot use one program folder to 'store' processes for multiple programs. There are 8 different programs stashed in the one 'program folder'!

Please make sure that Avira is still on the system. The other programs can be downloaded again
=======================================
I suspect the PriceGong was keeping your CPU busy. I see quite a few logs with Combofix deleting the many processes it puts on the system- but it should be gone now, with the exception of being in Add/Remove Programs and its program folder on the C drive> Programs. Please check both places: if in Add/Remove Programs, uninstall it. Then delete the program folder.
=====================================
I see Malwarebytes data on the system from over a month ago: This is most likely the reason you can't run it now:
2011-09-20 08:07 -------- d-----w- c:\documents and settings\Katie Lloyd\Application Data\Malwarebytes
2011-09-20 08:07 . 2011-09-20 08:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
Please uninstall Mbam now. Make sure it's gone from Add/Remove Programs and that its program folder has been deleted.
----------------------------------------------
Reboot the computer
---------------------------------------------
Note: Both Mbam and SAS have a line for you to check to remove entries that are found. Be sure to do that in both.

malwarebytesgc8.png

Malwarebytes' Anti-Malware
  • Please download Malwarebytes' Anti-Malware from from HERE
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    [o] Update Malwarebytes' Anti-Malware
    [o] and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please attach this log with your reply.
    Note: on opening Notepad, click on Format> make sure Word Wrap is unchecked.
    [o] If you accidentally close it, the log file is saved here and will be named like this:
    [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
========================
Then run this:
SASLogo48x48.gif

SuperAntiSpyware Home Edition Free Version
  • Please download SuperAntiSpyware from HERE
  • Launch SuperAntiSpyware and click on 'Check for updates'.
  • Wait for the updates to be installed
  • On the main screen click on 'Scan your computer'.
  • Check 'Perform Complete Scan', then click 'Next' to start the scan.
  • SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
  • Make sure everything found has a checkmark next to it, then press 'Next'.
  • Click on 'Finish' when you're done.
It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
  • Click on 'Preferences'.
  • Click on the 'Statistics/Logs' tab.
  • Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad. Paste the Notepad file here in your reply.
=====================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
Folder::
c:\documents and settings\LocalService\Local Settings\Application Data\Temp
C:\TDSSKiller_Quarantine
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
=============================
Logs from Mbam, SAS and Combofix in next reply please.
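A CFScript like the two in this thread is typed by hand from a ComboFix log, so two folder paths pasted onto one line, or a space that creeps into a registry key, quietly produces an entry the log never showed. The Python below is an added example, not ComboFix's code or the helper's: it lints a CFScript against the log it was derived from. The log excerpt and the two scripts inside it are constructed from the lines quoted above (the "as posted" script deliberately contains both mistakes), and the lint rules are assumptions about what a helper would want to check before a user runs the script.

```python
"""Lint a ComboFix CFScript against the ComboFix log it was written from.

Added example, not ComboFix's own code; the lint rules are assumptions.
"""
import re

# Constructed log excerpt: dated file lines plus two Reg Loading Points keys.
COMBOFIX_LOG = r"""
2011-09-28 02:51 . 2011-09-28 02:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-09-28 02:51 . 2011-09-28 02:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2011-09-20 06:15 . 2011-09-20 06:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2011-09-22 00:43 . 2011-10-13 00:11 -------- d-----w- c:\program files\Antivirus Programs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"""

# Constructed script with two folder paths run together and a space inside a key.
CFSCRIPT_AS_POSTED = r"""
File::
Folder::
c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
c:\documents and settings\LocalService\Local Settings\Application Data\Adobe c:\documents and settings\LocalService\Local Settings\Application Data\Temp
c:\program files\Antivirus Programs
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
"""

# The same script with the joined line split and the key repaired.
CFSCRIPT_FIXED = CFSCRIPT_AS_POSTED.replace(
    r"Data\Adobe c:\documents", "Data\\Adobe\nc:\\documents"
).replace("Auth orizedApplications", "AuthorizedApplications")

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
FILE_LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} \S+ \S+ (.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=')


def parse_cfscript(text):
    """Split a CFScript into {section: [entry lines]}, sections in order seen."""
    sections, current = {}, None
    for line in filter(None, map(str.rstrip, text.splitlines())):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def parse_log(log):
    """Return (paths, registry): lower-cased paths from the dated file lines and
    {lower-cased key: {lower-cased value names}} from the Reg Loading Points."""
    paths, registry, current = set(), {}, None
    for line in log.splitlines():
        if f := FILE_LINE_RE.match(line):
            paths.add(f.group(1).lower())
        elif k := KEY_RE.match(line):
            current = k.group(1).lower()
            registry.setdefault(current, set())
        elif (v := VALUE_RE.match(line)) and current is not None:
            registry[current].add(v.group(1).lower())
    return paths, registry


def lint_cfscript(script, log):
    """Return one finding per script entry that the log does not actually show."""
    findings, sections = [], parse_cfscript(script)
    paths, registry = parse_log(log)
    for entry in sections.get("File", []) + sections.get("Folder", []):
        if entry.lower() not in paths:
            # A second drive prefix inside one entry means two log lines were joined.
            hint = " (two paths on one line)" if entry.count(":\\") > 1 else ""
            findings.append(f"path not in log: {entry}{hint}")
    current = None
    for entry in sections.get("Registry", []):
        if k := KEY_RE.match(entry):
            current = k.group(1).lower()
            if current not in registry:
                squashed = {key.replace(" ", "") for key in registry}
                kind = ("stray whitespace in key" if current.replace(" ", "") in squashed
                        else "key not in log")
                findings.append(f"{kind}: [{k.group(1)}]")
        elif (v := VALUE_RE.match(entry)) and current in registry \
                and v.group(1).lower() not in registry[current]:
            findings.append(f"value not under that key in log: {v.group(1)}")
    return findings
```

Running `lint_cfscript(CFSCRIPT_AS_POSTED, COMBOFIX_LOG)` reports the joined folder line and the broken key, and the repaired script comes back with no findings.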
 
Thanks for getting back to me. I've completed all the steps successfully. The computer seems to be running a lot better now.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8015

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

25/10/2011 2:46:30 PM
mbam-log-2011-10-25 (14-46-30).txt

Scan type: Quick scan
Objects scanned: 169627
Time elapsed: 3 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

==============================================================

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/25/2011 at 03:31 PM

Application Version : 5.0.1132

Core Rules Database Version : 7843
Trace Rules Database Version: 5655

Scan type : Complete Scan
Total Scan Time : 00:27:26

Operating System Information
Windows XP Professional 32-bit, Service Pack 2 (Build 5.01.2600)
Administrator

Memory items scanned : 571
Memory threats detected : 0
Registry items scanned : 36405
Registry threats detected : 0
File items scanned : 24520
File threats detected : 9

Adware.Tracking Cookie
media.lvrj.com [ C:\DOCUMENTS AND SETTINGS\KATIE LLOYD\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\8D7KG3UK ]
stat.easydate.biz [ C:\DOCUMENTS AND SETTINGS\KATIE LLOYD\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\8D7KG3UK ]
.e-2dj6ael4qgdpmeq.stats.esomniture.com [ C:\DOCUMENTS AND SETTINGS\KATIE LLOYD\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\M2MWBWFF.DEFAULT\COOKIES.SQLITE ]
.serving-sys.com [ C:\DOCUMENTS AND SETTINGS\KATIE LLOYD\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\M2MWBWFF.DEFAULT\COOKIES.SQLITE ]
.serving-sys.com [ C:\DOCUMENTS AND SETTINGS\KATIE LLOYD\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\M2MWBWFF.DEFAULT\COOKIES.SQLITE ]
cloud.video.unrulymedia.com [ C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\S2JELK7R ]
media.mtvnservices.com [ C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\S2JELK7R ]
secure-us.imrworldwide.com [ C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\S2JELK7R ]
stat.easydate.biz [ C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\S2JELK7R ]

=================================================================

ComboFix 11-10-24.05 - Katie Lloyd 25/10/2011 15:50:50.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1321 [GMT 11:00]
Running from: c:\documents and settings\Katie Lloyd\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Katie Lloyd\Desktop\CFScript.txt.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\LocalService\Local Settings\Application Data\Temp
C:\TDSSKiller_Quarantine
c:\tdsskiller_quarantine\13.10.2011_11.05.18\susp0000\object.ini
c:\tdsskiller_quarantine\13.10.2011_11.05.18\susp0000\svc0000\object.ini
c:\tdsskiller_quarantine\13.10.2011_11.05.18\susp0000\svc0000\tsk0000.dta
c:\tdsskiller_quarantine\13.10.2011_11.05.18\susp0000\svc0000\tsk0000.ini
c:\tdsskiller_quarantine\13.10.2011_11.05.18\susp0001\object.ini
c:\tdsskiller_quarantine\13.10.2011_11.05.18\susp0001\svc0000\object.ini
c:\tdsskiller_quarantine\13.10.2011_11.05.18\susp0001\svc0000\tsk0000.dta
c:\tdsskiller_quarantine\13.10.2011_11.05.18\susp0001\svc0000\tsk0000.ini
c:\tdsskiller_quarantine\13.10.2011_11.05.18\susp0001\svc0000\tsk0001.dta
c:\tdsskiller_quarantine\13.10.2011_11.05.18\susp0001\svc0000\tsk0001.ini
c:\tdsskiller_quarantine\26.09.2011_21.22.24\susp0000\object.ini
c:\tdsskiller_quarantine\26.09.2011_21.22.24\susp0000\svc0000\object.ini
c:\tdsskiller_quarantine\26.09.2011_21.22.24\susp0000\svc0000\tsk0000.dta
c:\tdsskiller_quarantine\26.09.2011_21.22.24\susp0000\svc0000\tsk0000.ini
c:\windows\help\tours\htmltour\unlock_playing.htm
.
.
((((((((((((((((((((((((( Files Created from 2011-09-25 to 2011-10-25 )))))))))))))))))))))))))))))))
.
.
2011-10-25 03:56 . 2011-10-25 03:56 -------- d-----w- c:\documents and settings\Katie Lloyd\Application Data\SUPERAntiSpyware.com
2011-10-25 03:55 . 2011-10-25 03:56 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-10-25 03:55 . 2011-10-25 03:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-10-25 03:42 . 2011-08-31 06:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-25 03:42 . 2011-10-25 03:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-15 22:47 . 2011-10-15 22:47 -------- d-----w- c:\program files\ESET
2011-10-15 04:18 . 2008-08-14 09:51 138368 -c--a-w- c:\windows\system32\dllcache\afd.sys
2011-10-15 04:18 . 2008-08-14 09:51 138368 ----a-w- c:\windows\system32\drivers\afd.sys
2011-10-12 10:06 . 2011-10-12 10:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-10-12 09:45 . 2011-10-12 09:45 -------- d-----w- c:\documents and settings\Katie Lloyd\Application Data\Avira
2011-10-12 09:36 . 2011-07-21 01:15 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-10-12 09:36 . 2011-10-12 09:36 -------- d-----w- c:\program files\Avira
2011-10-12 09:36 . 2011-10-12 09:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-10-12 09:36 . 2011-07-21 01:15 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-10-12 09:36 . 2010-06-17 04:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-10-12 09:36 . 2010-06-17 04:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-10-12 08:55 . 2011-10-12 08:55 -------- d-----w- c:\program files\Common Files\Adobe
2011-10-12 08:53 . 2011-10-12 08:53 -------- d-----w- c:\program files\Common Files\Java
2011-10-12 08:53 . 2011-10-12 08:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-10-12 08:53 . 2011-10-12 08:53 -------- d-----w- c:\program files\Java
2011-09-28 02:51 . 2011-09-28 02:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-12 08:53 . 2011-02-02 09:46 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-31 13:20 . 2011-07-26 12:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-15_21.57.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-25 03:17 . 2011-10-25 03:17 16384 c:\windows\Temp\Perflib_Perfdata_2a4.dat
- 2001-08-23 12:00 . 2011-10-15 21:43 40394 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2011-10-25 03:21 40394 c:\windows\system32\perfc009.dat
- 2011-04-04 10:07 . 2011-06-17 14:11 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
+ 2011-04-04 10:07 . 2011-10-21 08:57 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
- 2001-08-23 12:00 . 2011-10-15 21:43 312172 c:\windows\system32\perfh009.dat
+ 2001-08-23 12:00 . 2011-10-25 03:21 312172 c:\windows\system32\perfh009.dat
+ 2011-02-02 10:04 . 2011-10-04 23:09 48324552 c:\windows\system32\MRT.exe
+ 2011-10-21 08:56 . 2011-10-21 08:56 20333568 c:\windows\Installer\1b4ec.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-10-12 4615552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-20 281768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVIMlctM1NYM0UtR0hHWDktQUZISjMtUFcyUU4tWjlLSDQ&inst=NzctNzI1NTI0NzE2LUxJQysxLUZMMTArMS1TUDErMS1TUDFUQisxLVNVUCs0LVNQMVM0KzEtRERUKzU0NzkwLUREMTBGKzEtTFNEKzItU1QxMEZBUFArMS1TMTBGRERGKzE&prod=90&ver=10.0.1410" [?]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/07/2011 3:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [13/07/2011 8:55 AM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [12/08/2011 10:38 AM 116608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/10/2011 8:36 PM 136360]
S3 bsusbser;Basecom USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\bsusbser.sys --> c:\windows\system32\DRIVERS\bsusbser.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - !SASCORE
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 00:50]
.
2011-02-18 c:\windows\Tasks\switchSevenDays.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2011-02-18 13:21]
.
2011-02-18 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2011-02-18 13:21]
.
2011-08-07 c:\windows\Tasks\videopadDowngrade.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2011-07-10 09:15]
.
2011-08-02 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2011-07-10 09:15]
.
2011-08-07 c:\windows\Tasks\wavepadDowngrade.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-02-18 13:04]
.
2011-08-02 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-02-18 13:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 10.1.1.1
FF - ProfilePath - c:\documents and settings\Katie Lloyd\Application Data\Mozilla\Firefox\Profiles\m2mwbwff.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.01.01
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-25 15:54
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-10-25 15:55:45
ComboFix-quarantined-files.txt 2011-10-25 04:55
ComboFix2.txt 2011-10-16 09:18
ComboFix3.txt 2011-10-15 22:00
.
Pre-Run: 39,873,527,808 bytes free
Post-Run: 39,862,759,424 bytes free
.
- - End Of File - - 697AAE94D1235EC446EB8809F903F216
 
I recently got a newsletter detailing how malware authors are using Scheduled Tasks to get malware on to a system.
http://www.infoworld.com/t/malware/...ler-177047?source=IFWNLE_nlt_daily_2011-10-25

I strongly recommend that you stop all of these:
Contents of the 'Scheduled Tasks' folder
.
2011-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 00:50]
2011-02-18 c:\windows\Tasks\switchSevenDays.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2011-02-18 13:21]
2011-02-18 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2011-02-18 13:21]
2011-08-07 c:\windows\Tasks\videopadDowngrade.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2011-07-10 09:15]
2011-08-02 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2011-07-10 09:15]
2011-08-07 c:\windows\Tasks\wavepadDowngrade.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-02-18 13:04]
2011-08-02 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-02-18 13:04]

Scheduled Tasks
Most of these found are usually auto-updates scheduled for programs that do not need them. They will make numerous internet connections every day, looking for updates that you can find manually. You want to keep these connection attempts as few as possible and then only if needed for the system. The only auto-update I get is for the AV program.

Opening scheduled tasks to modify or delete them:
Access Scheduled Tasks with Click on Start> All Programs> Accessories> System Tools> Scheduled Tasks.
To change the settings for a task: right-click the Task> click Properties> do any of the following:
  1. To change the schedule for the task, click the Schedule tab.
  2. To customize the settings for the task, such as the maximum run time, idle time requirements, and power management options, click the Settings tab.
  3. To delete a task> right-click the task> click Delete.
  4. To prevent a task from running until you want to let it run again> right-click the task> Properties> On the General tab> clear the Enabled check box. Select the check box again to enable the task when you are ready to let the task scheduler run it again.
========================================
P2P or 'file sharing' Warning:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall uTorrent for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.
=============================================
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disc Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
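To turn the advice above into a repeatable check, here is an added Python example (not from this thread, ComboFix or any other tool named in it) that parses the 'Scheduled Tasks' block in the format ComboFix prints and flags any task whose executable sits outside the usual install directories. The sample log, the At1.job entry and its updchk.exe target are constructed, and TRUSTED_ROOTS is an assumption about where legitimate updaters live.

```python
import re

# Constructed sample in the shape ComboFix prints the 'Scheduled Tasks' block:
# the first task mirrors the log above, the second is made up to exercise the check.
SAMPLE_LOG = r"""
Contents of the 'Scheduled Tasks' folder
.
2011-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 00:50]
.
2011-10-20 c:\windows\Tasks\At1.job
- c:\documents and settings\All Users\Application Data\updchk.exe [2011-10-20 02:11]
.
------- Supplementary Scan -------
"""

# "<date> <path>.job" followed by "- <target> [<date> <time>]", as in the log.
JOB_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (.+\.job)$")
TARGET_RE = re.compile(r"^- (.+?) \[(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\]$")
# Assumed directories where a legitimately installed updater is expected to live.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\system32\\")

def parse_scheduled_tasks(log_text):
    """Return {job, job_date, target, target_stamp} dicts from the log text.
    A target line only counts when it directly follows a .job line."""
    tasks, pending = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = JOB_RE.match(line)
        if m:
            pending = {"job_date": m.group(1), "job": m.group(2)}
            continue
        m = TARGET_RE.match(line)
        if m and pending:
            pending.update(target=m.group(1), target_stamp=m.group(2))
            tasks.append(pending)
        pending = None  # anything else ends the current job entry
    return tasks

def review_tasks(tasks):
    """Flag tasks whose executable is outside TRUSTED_ROOTS or is an NTFS
    alternate data stream (a ':' after the drive letter)."""
    flagged = []
    for t in tasks:
        target = t["target"].lower()
        if not target.startswith(TRUSTED_ROOTS):
            flagged.append(dict(t, reason="outside trusted roots"))
        elif ":" in target[2:]:
            flagged.append(dict(t, reason="alternate data stream"))
    return flagged
```

Feed it the whole ComboFix log and review the flagged entries before disabling them in Scheduled Tasks; a task under Program Files is still worth checking when the program is not one you installed.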
 