15 replies to this topic

[scudo]

I had `system tool check` virus, I think I have cleared it but please can someone do a quick check on my log to confirm.

thanks

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:52:34, on 26/02/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\WinPcap\rpcapd.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Virgin Broadband Wireless\ndis_events.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Wireless Manager] "C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe" startup
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: ERUNT AutoBackup.lnk = C:\WINDOWS\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\msiedle.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://members.webs.com
O15 - Trusted Zone: http://www.webs.com
O15 - Trusted Zone: http://*.webs.com
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.h...tDetection2.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs:
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AffinegyService - Affinegy, Inc. - C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

--
End of file - 8305 bytes

[patndoris]

Hello and

My name is patndoris. I will be glad to take a look at your log and help you with solving any malware problems. It will be very helpful if you follow these guidelines:

• Malware logs are often lengthy and can take a lot of time to research and interpret. Please be patient while I review your logs.
• Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
• Please make sure to carefully read any instruction that I give you. If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
• Please follow my instructions carefully and in the order they are posted. You may also find it helpful to print out the instructions you receive.
• Please do not run any scans or install/uninstall any applications or delete anything without being directed to do so.
• Remember, absence of symptoms does not mean the infection is all gone. Please stick with me till you're given the "all clear".
• Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
• Please reply within 3 days. If I do not hear back from you in that time frame, I will post a reminder for you. Topics with no reply in 4 days are closed!

HijackThis has largely been replaced by other tools. Since being acquired by TrendMicro, HijackThis has not been regularly updated. Many infections are now able to hide partly, or completely from a HijackThis scan. DDS includes all the scan locations of HijackThis and more.
Download and Run DDS by sUBs

Please download DDS and save it to your desktop.

• Disable any script blocking protection
• Double click dds.scr to run the tool.
• When done, DDS.txt will open.
• Click Yes at the next prompt for Optional Scan.
• Save both reports to your desktop.

---------------------------------------------------

Please Please copy / paste the scan reults.

DDS.txt

Please attach the second file; Attach.txt. To attach a file, do the following:

• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

Scan With RootKitUnHooker

• Please choose one link and download Rootkit Unhooker and save it to your desktop.
  
  Link 1
  Link 2
  Link 3
• Now double-click on RKUnhookerLE.exe to run it.
• Click the Report tab, then click Scan.
• Check (Tick) Drivers and Stealth
• Uncheck the rest. then click OK
• When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
• Wait till the scanner has finished and then click File > Save Report.[/b
• Save the report somewhere where you can find it. Click Close.
• Copy the entire contents of the report and paste it in your next reply.

Note** you may get the following warning, just click OK and continue.

[b]"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

[scudo]

Thank you patndoris, Its late now so I will run the above tomorrow and post the results. thank you for taking my case. scudo

[scudo]

Logs.... DDS (Ver_09-06-26.01) Microsoft Windows XP Home Edition Boot Device: \Device\HarddiskVolume2 Install Date: 15/09/2002 17:52:37 System Uptime: 28/02/2011 08:06:55 (0 hours ago) Motherboard: NEC COMPUTERS INTERNATIONAL | | SiS650 Processor: Intel® Pentium® 4 CPU 2.00GHz | Slot-1 | 1991/100mhz ==== Disk Partitions ========================= A: is Removable C: is FIXED (NTFS) - 35 GiB total, 17.775 GiB free. D: is FIXED (NTFS) - 76 GiB total, 33.511 GiB free. E: is CDROM () H: is CDROM () N: is CDROM () ==== Disabled Device Manager Items ============= ==== System Restore Points =================== RP80: 21/01/2011 17:31:13 - System Checkpoint RP81: 22/01/2011 17:49:44 - System Checkpoint RP82: 23/01/2011 19:26:26 - System Checkpoint RP83: 25/01/2011 10:41:58 - System Checkpoint RP84: 26/01/2011 11:58:45 - System Checkpoint RP85: 27/01/2011 12:17:02 - System Checkpoint RP86: 28/01/2011 12:50:48 - System Checkpoint RP87: 29/01/2011 18:13:39 - System Checkpoint RP88: 30/01/2011 20:50:40 - System Checkpoint RP89: 01/02/2011 13:26:42 - System Checkpoint RP90: 02/02/2011 16:06:34 - System Checkpoint RP91: 03/02/2011 17:25:46 - System Checkpoint RP92: 04/02/2011 18:04:07 - System Checkpoint RP93: 05/02/2011 20:46:08 - System Checkpoint RP94: 07/02/2011 11:40:07 - System Checkpoint RP95: 08/02/2011 11:54:00 - System Checkpoint RP96: 09/02/2011 12:13:22 - System Checkpoint RP97: 10/02/2011 10:19:03 - Software Distribution Service 3.0 RP98: 11/02/2011 13:10:40 - System Checkpoint RP99: 12/02/2011 15:32:55 - System Checkpoint RP100: 13/02/2011 16:12:17 - System Checkpoint RP101: 14/02/2011 18:26:51 - System Checkpoint RP102: 15/02/2011 20:42:06 - System Checkpoint RP103: 16/02/2011 20:44:23 - System Checkpoint RP104: 17/02/2011 22:38:47 - System Checkpoint RP105: 19/02/2011 12:44:24 - System Checkpoint RP106: 20/02/2011 15:33:34 - System Checkpoint RP107: 21/02/2011 18:11:29 - System Checkpoint RP108: 22/02/2011 20:37:53 - System Checkpoint RP109: 23/02/2011 21:30:18 - System Checkpoint RP110: 25/02/2011 10:29:12 - System Checkpoint RP111: 26/02/2011 10:53:07 - System Checkpoint RP112: 26/02/2011 23:14:51 - Restore Operation RP113: 26/02/2011 23:51:31 - Installed HiJackThis RP114: 28/02/2011 00:04:59 - System Checkpoint ==== Installed Programs ====================== 1310 1310_Help 1310Tour 1310Trb Ad-Aware SE Personal Adobe AIR Adobe Flash Player 10 ActiveX Adobe Flash Player 10 Plugin Adobe Media Player Adobe Photoshop CS Adobe Reader 8.1.5 Adobe SVG Viewer 3.0 AiO_Scan AIOMinimal AiOSoftware Avira AntiVir Personal - Free Antivirus CCleaner ContentSAFER for Wizmax Copy CreativeProjects Director DocProc Email Updater ERUNT 1.1j Fax Free Hide Folder Free Mp3 Wma Converter V 1.81 Full Marks Key Stage 3 Science Google Earth Google Update Helper HiJackThis HijackThis 2.0.2 Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) Hotfix for Windows XP (KB2158563) Hotfix for Windows XP (KB2443685) Hotfix for Windows XP (KB954550-v5) Hotfix for Windows XP (KB976002-v5) Hotfix for Windows XP (KB979306) Hotfix for Windows XP (KB981793) HP Image Zone 3.5 HP Product Detection HP PSC & OfficeJet 3.5 HP Software Update HPSystemDiagnostics Image Resizer Powertoy for Windows XP InstantShare IrfanView (remove only) Java™ 6 Update 17 Karen's Replicator KB408682 Linguata Turkish 2.4 Malwarebytes' Anti-Malware Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Security Update (KB2416447) Microsoft .NET Framework 1.1 Security Update (KB979906) Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 Microsoft .NET Framework 3.5 SP1 Microsoft ActiveSync 3.7 Microsoft Office 2007 Service Pack 2 (SP2) Microsoft Office Access MUI (English) 2007 Microsoft Office Access Setup Metadata MUI (English) 2007 Microsoft Office Enterprise 2007 Microsoft Office Excel MUI (English) 2007 Microsoft Office Groove MUI (English) 2007 Microsoft Office Groove Setup Metadata MUI (English) 2007 Microsoft Office InfoPath MUI (English) 2007 Microsoft Office OneNote MUI (English) 2007 Microsoft Office Outlook MUI (English) 2007 Microsoft Office PowerPoint MUI (English) 2007 Microsoft Office PowerPoint Viewer 2003 Microsoft Office Proof (English) 2007 Microsoft Office Proof (French) 2007 Microsoft Office Proof (Spanish) 2007 Microsoft Office Proofing (English) 2007 Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) Microsoft Office Publisher MUI (English) 2007 Microsoft Office Shared MUI (English) 2007 Microsoft Office Shared Setup Metadata MUI (English) 2007 Microsoft Office Word MUI (English) 2007 Microsoft Software Update for Web Folders (English) 12 Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Microsoft Works 2002 Setup Launcher Motorola SM56 Speakerphone Modem Mozilla Firefox (3.6.13) MSN Messenger 7.5 MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 (KB973688) MSXML 6 Service Pack 2 (KB973686) MWSnap 3 Overland Packard Bell ActivDoc Packard Bell Companion Panda ActiveScan 2.0 PhotoGallery PowerDVD PrimoPDF PrintScreen QFolder QuickProjects QuickTime Readme REALTEK GbE & FE Ethernet PCI NIC Driver Scan Secunia PSI Security Update for 2007 Microsoft Office System (KB2288621) Security Update for 2007 Microsoft Office System (KB2288931) Security Update for 2007 Microsoft Office System (KB2289158) Security Update for 2007 Microsoft Office System (KB2344875) Security Update for 2007 Microsoft Office System (KB2345043) Security Update for 2007 Microsoft Office System (KB969559) Security Update for 2007 Microsoft Office System (KB976321) Security Update for CAPICOM (KB931906) Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473) Security Update for Microsoft Office Access 2007 (KB979440) Security Update for Microsoft Office Excel 2007 (KB2345035) Security Update for Microsoft Office InfoPath 2007 (KB979441) Security Update for Microsoft Office PowerPoint 2007 (KB982158) Security Update for Microsoft Office PowerPoint Viewer (KB2413381) Security Update for Microsoft Office Publisher 2007 (KB2284697) Security Update for Microsoft Office system 2007 (972581) Security Update for Microsoft Office system 2007 (KB974234) Security Update for Microsoft Office Visio Viewer 2007 (KB973709) Security Update for Microsoft Office Word 2007 (KB2344993) Security Update for Windows Internet Explorer 8 (KB2183461) Security Update for Windows Internet Explorer 8 (KB2360131) Security Update for Windows Internet Explorer 8 (KB2416400) Security Update for Windows Internet Explorer 8 (KB2482017) Security Update for Windows Internet Explorer 8 (KB969897) Security Update for Windows Internet Explorer 8 (KB971961) Security Update for Windows Internet Explorer 8 (KB972260) Security Update for Windows Internet Explorer 8 (KB974455) Security Update for Windows Internet Explorer 8 (KB976325) Security Update for Windows Internet Explorer 8 (KB978207) Security Update for Windows Internet Explorer 8 (KB981332) Security Update for Windows Internet Explorer 8 (KB982381) Security Update for Windows Media Player (KB2378111) Security Update for Windows Media Player (KB973540) Security Update for Windows Media Player (KB975558) Security Update for Windows Media Player (KB979402) Security Update for Windows XP (KB2079403) Security Update for Windows XP (KB2115168) Security Update for Windows XP (KB2121546) Security Update for Windows XP (KB2160329) Security Update for Windows XP (KB2229593) Security Update for Windows XP (KB2259922) Security Update for Windows XP (KB2279986) Security Update for Windows XP (KB2286198) Security Update for Windows XP (KB2296011) Security Update for Windows XP (KB2296199) Security Update for Windows XP (KB2347290) Security Update for Windows XP (KB2360937) Security Update for Windows XP (KB2387149) Security Update for Windows XP (KB2393802) Security Update for Windows XP (KB2419632) Security Update for Windows XP (KB2423089) Security Update for Windows XP (KB2436673) Security Update for Windows XP (KB2440591) Security Update for Windows XP (KB2443105) Security Update for Windows XP (KB2476687) Security Update for Windows XP (KB2478960) Security Update for Windows XP (KB2478971) Security Update for Windows XP (KB2479628) Security Update for Windows XP (KB2483185) Security Update for Windows XP (KB2485376) Security Update for Windows XP (KB923561) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB956744) Security Update for Windows XP (KB971468) Security Update for Windows XP (KB975560) Security Update for Windows XP (KB975561) Security Update for Windows XP (KB975562) Security Update for Windows XP (KB975713) Security Update for Windows XP (KB977165) Security Update for Windows XP (KB977816) Security Update for Windows XP (KB977914) Security Update for Windows XP (KB978037) Security Update for Windows XP (KB978251) Security Update for Windows XP (KB978262) Security Update for Windows XP (KB978338) Security Update for Windows XP (KB978542) Security Update for Windows XP (KB978601) Security Update for Windows XP (KB979309) Security Update for Windows XP (KB979482) Security Update for Windows XP (KB979559) Security Update for Windows XP (KB979683) Security Update for Windows XP (KB979687) Security Update for Windows XP (KB980195) Security Update for Windows XP (KB980218) Security Update for Windows XP (KB980232) Security Update for Windows XP (KB980436) Security Update for Windows XP (KB981322) Security Update for Windows XP (KB981852) Security Update for Windows XP (KB981957) Security Update for Windows XP (KB981997) Security Update for Windows XP (KB982132) Security Update for Windows XP (KB982214) Security Update for Windows XP (KB982665) Shockwave SkinsHP1 SkinsHP2 Spybot - Search & Destroy Star Trek Voyager Elite Force TrayApp Turbo Lister 2 Unload Update for 2007 Microsoft Office System (KB967642) Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Update for Microsoft Office OneNote 2007 (KB980729) Update for Microsoft Office Outlook 2007 (KB2412171) Update for Outlook 2007 Junk Email Filter (KB2492475) Update for Windows Internet Explorer 8 (KB971930) Update for Windows Internet Explorer 8 (KB976662) Update for Windows Internet Explorer 8 (KB976749) Update for Windows Internet Explorer 8 (KB980182) Update for Windows XP (KB2141007) Update for Windows XP (KB2345886) Update for Windows XP (KB2467659) Update for Windows XP (KB951978) VERITAS RecordNow DX Viewpoint Media Player (Remove Only) Visual C++ 2008 x86 Runtime - (v9.0.30729) Visual C++ 2008 x86 Runtime - v9.0.30729.01 VLC media player 0.9.8a WebFldrs XP WebReg Windows Genuine Advantage Notifications (KB905474) Windows Genuine Advantage Validation Tool (KB892130) Windows Imaging Component Windows Internet Explorer 8 Windows Media Format 11 runtime Windows XP Service Pack 3 Wireless Manager XviD MPEG-4 Video Codec YouTube Downloader 2.6.5 ==== Event Viewer Messages From Past Week ======== 28/02/2011 08:24:43, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the rpcapd service. 26/02/2011 22:30:29, error: Service Control Manager [7034] - The IMAPI CD-Burning COM Service service terminated unexpectedly. It has done this 1 time(s). 26/02/2011 22:10:21, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334} 26/02/2011 21:57:46, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811} 26/02/2011 21:23:12, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec mchInjDrv MRxSmb NetBIOS NetBT pavboot RasAcd Rdbss ssmdrv Tcpip 26/02/2011 21:23:12, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning. 26/02/2011 21:23:12, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning. 26/02/2011 21:23:12, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning. 26/02/2011 21:23:12, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning. 26/02/2011 21:22:38, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF} 26/02/2011 21:22:36, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E} 26/02/2011 21:15:49, error: Service Control Manager [7034] - The Virtual CD v4 Security service (SDK - Version) service terminated unexpectedly. It has done this 1 time(s). 26/02/2011 21:15:49, error: Service Control Manager [7034] - The Remote Packet Capture Protocol v.0 (experimental) service terminated unexpectedly. It has done this 1 time(s). 26/02/2011 21:15:49, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s). 26/02/2011 21:15:49, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s). 26/02/2011 21:15:49, error: Service Control Manager [7034] - The AffinegyService service terminated unexpectedly. It has done this 1 time(s). 24/02/2011 12:19:27, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: mchInjDrv 24/02/2011 12:15:23, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s). 23/02/2011 12:33:03, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. 23/02/2011 12:33:02, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect. ==== End Of File =========================== RkU Version: 3.8.388.590, Type LE (SR2) ============================================== OS Name: Windows XP Version 5.1.2600 (Service Pack 3) Number of processors #1 ============================================== >Drivers ============================================== 0xBF012000 C:\WINDOWS\System32\SiSGRV.dll 2736128 bytes (Silicon Integrated Systems Corporation, SiS Compatible Super VGA Driver) 0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2192768 bytes (Microsoft Corporation, NT Kernel & System) 0x804D7000 PnpManager 2192768 bytes 0x804D7000 RAW 2192768 bytes 0x804D7000 WMIxWDM 2192768 bytes 0xBF800000 Win32k 1855488 bytes 0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver) 0xF712F000 C:\WINDOWS\system32\DRIVERS\smserial.sys 933888 bytes (Motorola Inc., Motorola SM56 Modem WDM Driver) 0xF7F01000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver) 0xF1C58000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr) 0xF703E000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver) 0xF1D65000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver) 0xF0365000 C:\WINDOWS\System32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver) 0xBF2AE000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver) 0xEFCF9000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack) 0xF72A6000 C:\WINDOWS\System32\DRIVERS\sisgrp.sys 262144 bytes (Silicon Integrated Systems Corporation, SiS Compatible Super VGA Driver) 0xF70FC000 C:\WINDOWS\system32\drivers\vinyl97.sys 208896 bytes (VIA Technologies, Inc., Vinyl AC'97 Codec Combo WDM Driver) 0xF801F000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT) 0xF04D5000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr) 0xF7ED4000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver) 0xF1CF0000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver) 0xF1D3D000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver) 0xF1BE7000 C:\WINDOWS\system32\DRIVERS\avipbb.sys 155648 bytes (Avira GmbH, Avira Driver for Security Enhancement) 0xF1C32000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator) 0xF725A000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices)) 0xF7213000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver) 0xF7237000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library) 0xF1D1B000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock) 0x806EF000 ACPI_HAL 131840 bytes 0x806EF000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL) 0xF7FB7000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager) 0xF70DC000 C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys 131072 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver ) 0xF7FEF000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver) 0xF7EBA000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver) 0xF7FD7000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver) 0xF709C000 C:\WINDOWS\System32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver) 0xF7F8E000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface) 0xF70C5000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption)) 0xF0692000 C:\WINDOWS\system32\DRIVERS\avgntflt.sys 86016 bytes (Avira GmbH, Avira Minifilter Driver) 0xF0080000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper) 0xF727E000 C:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver) 0xF7292000 C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver) 0xF1DBE000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver) 0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver) 0xF7FA5000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver) 0xF800E000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator) 0xF70B4000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler) 0xF0E9D000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver) 0xF823E000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver) 0xF820E000 C:\WINDOWS\System32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver) 0xF821E000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter) 0xF80FE000 C:\WINDOWS\System32\DRIVERS\LMouFlt2.sys 61440 bytes (Logitech, Logitech Mouse Filter Driver) 0xF824E000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver) 0xF03DD000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter) 0xF7306000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB) 0xF80AE000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll) 0xF81FE000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver) 0xF825E000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver) 0xF808E000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver) 0xF827E000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol) 0xF7356000 C:\WINDOWS\System32\DRIVERS\vcsmpdrv.sys 49152 bytes (H+H Software GmbH, Virtual CD v4.3 - Windows 2000 / XP Driver (SDK)) 0xF82DE000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver) 0xF822E000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver) 0xF807E000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager) 0xF826E000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver) 0xF806E000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver) 0xF7346000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy) 0xF7366000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver) 0xF809E000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver) 0xF80EE000 C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library) 0xF81EE000 C:\WINDOWS\System32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver) 0xF7376000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier) 0xF82BE000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver) 0xF044D000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver) 0xF80BE000 SISAGPX.sys 36864 bytes (Silicon Integrated Systems Corporation, SiS AGPv3.5 Filter) 0xF813E000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver) 0xF833E000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver) 0xF83EE000 C:\WINDOWS\system32\drivers\npf.sys 32768 bytes (CACE Technologies, npf) 0xF83B6000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver) 0xF832E000 C:\WINDOWS\System32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver) 0xF839E000 C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library) 0xF82EE000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension) 0xF8326000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver) 0xF83D6000 C:\WINDOWS\System32\DRIVERS\LHidFlt2.sys 24576 bytes (Logitech, Logitech HID Filter Driver) 0xF835E000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver) 0xF82FE000 pavboot.sys 24576 bytes (Panda Security, S.L., Panda Boot Driver) 0xF83BE000 C:\WINDOWS\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver) 0xF83A6000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver) 0xF8386000 C:\WINDOWS\System32\Drivers\AFGSp50.sys 20480 bytes (Printing Communications Assoc., Inc. (PCAUSA), PCAUSA NDIS 5.0 SPR Protocol Driver) 0xF836E000 C:\WINDOWS\System32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver) 0xF83AE000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver) 0xF82F6000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager) 0xF834E000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library) 0xF8356000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver) 0xF8346000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper) 0xF8336000 C:\WINDOWS\System32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver) 0xF8376000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver) 0xF75B8000 C:\WINDOWS\system32\drivers\MODEMCSA.sys 16384 bytes (Microsoft Corporation, Unimodem CSA Filter) 0xF75D8000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver) 0xF06D7000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver) 0xF8482000 PxHelp20.sys 16384 bytes (VERITAS Software, Inc., PxHelper Device Driver for Windows 2000) 0xF8486000 RecAgent.sys 16384 bytes (Smart Link, ) 0xF7E7E000 C:\WINDOWS\System32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator) 0xF847E000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver) 0xF1AB8000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver) 0xF7E7A000 C:\WINDOWS\System32\DRIVERS\gameenum.sys 12288 bytes (Microsoft Corporation, Game Port Enumerator) 0xF855A000 C:\WINDOWS\System32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices) 0xF855E000 C:\WINDOWS\System32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver) 0xF850E000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver) 0xF8536000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver) 0xF853E000 C:\WINDOWS\system32\DRIVERS\srvkp.sys 12288 bytes (Silicon Integrated Systems Corporation, SiS VGA Driver Manager) 0xF85C0000 C:\Program Files\Avira\AntiVir Desktop\avgio.sys 8192 bytes (Avira GmbH, Avira AntiVir Support for Minifilter) 0xF85B8000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver) 0xF85B6000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver) 0xF856E000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL) 0xF8598000 C:\WINDOWS\System32\DRIVERS\LKbdFlt2.sys 8192 bytes (Logitech, Logitech Keyboard Filter Driver) 0xF85BA000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator) 0xF859A000 C:\WINDOWS\System32\DRIVERS\msikbd2k.sys 8192 bytes (Netropa Corporation, Multimedia Keyboard Driver for Windows 2000) 0xF861A000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver) 0xF85BC000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport) 0xF859C000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator) 0xF85A0000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver) 0xF8570000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll) 0xF86EF000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver) 0xF868D000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk) 0xF86EB000 C:\WINDOWS\system32\drivers\msmpu401.sys 4096 bytes (Microsoft Corporation, MPU401 Adapter Driver) 0xF872A000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver) 0xF8636000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver) ============================================== >Stealth ============================================== WARNING: Virus alike driver modification [ndistapi.sys] WARNING: Virus alike driver modification [bthpan.sys] WARNING: Virus alike driver modification [sffp_mmc.sys] WARNING: Virus alike driver modification [hidusb.sys] WARNING: Virus alike driver modification [wceusbsh.sys] WARNING: Virus alike driver modification [dxapi.sys] WARNING: Virus alike driver modification [mup.sys] WARNING: Virus alike driver modification [gameenum.sys] WARNING: Virus alike driver modification [sffp_sd.sys] WARNING: Virus alike driver modification [irenum.sys] WARNING: Virus alike driver modification [sfloppy.sys] WARNING: Virus alike driver modification [acpiec.sys] WARNING: Virus alike driver modification [cpqdap01.sys] WARNING: Virus alike driver modification [sffdisk.sys] WARNING: Virus alike driver modification [pcmcia.sys] WARNING: Virus alike driver modification [nikedrv.sys] WARNING: Virus alike driver modification [rio8drv.sys] WARNING: Virus alike driver modification [riodrv.sys] WARNING: Virus alike driver modification [ws2ifsl.sys] WARNING: Virus alike driver modification [tdpipe.sys] WARNING: Virus alike driver modification [fsvga.sys] WARNING: Virus alike driver modification [mouhid.sys] WARNING: Virus alike driver modification [usbvideo.sys] WARNING: Virus alike driver modification [tunmp.sys] WARNING: Virus alike driver modification [nwlnkflt.sys] WARNING: Virus alike driver modification [ftdisk.sys] WARNING: Virus alike driver modification [mtlmnt5.sys] WARNING: Virus alike driver modification [mutohpen.sys] WARNING: Virus alike driver modification [usb8023.sys] WARNING: Virus alike driver modification [usb8023x.sys] WARNING: Virus alike driver modification [fltmgr.sys] WARNING: Virus alike driver modification [LCCFLTR.SYS] WARNING: Virus alike driver modification [mtlstrm.sys] WARNING: Virus alike driver modification [slwdmsup.sys] WARNING: Virus alike driver modification [recagent.sys] WARNING: Virus alike driver modification [cbidf2k.sys] WARNING: Virus alike driver modification [rdpwd.sys] WARNING: Virus alike driver modification [ks.sys] WARNING: Virus alike driver modification [diskdump.sys] WARNING: Virus alike driver modification [wacompen.sys] WARNING: Virus alike driver modification [v90drv.sys] WARNING: Virus alike driver modification [asyncmac.sys] WARNING: Virus alike driver modification [fastfat.sys] WARNING: Virus alike driver modification [usbport.sys] WARNING: Virus alike driver modification [hdaudbus.sys] WARNING: Virus alike driver modification [kbdhid.sys] WARNING: Virus alike driver modification [ndisuio.sys] WARNING: Virus alike driver modification [smclib.sys] WARNING: Virus alike driver modification [portcls.sys] WARNING: Virus alike driver modification [tape.sys] WARNING: Virus alike driver modification [usbscan.sys] WARNING: Virus alike driver modification [ipnat.sys] WARNING: Virus alike driver modification [dmio.sys] WARNING: Virus alike driver modification [mssmbios.sys] WARNING: Virus alike driver modification [mbam.sys] WARNING: Virus alike driver modification [serenum.sys] WARNING: Virus alike driver modification [usbintel.sys] WARNING: Virus alike driver modification [netbt.sys] WARNING: Virus alike driver modification [pxhelp20.sys] WARNING: Virus alike driver modification [HPZipr12.sys] WARNING: Virus alike driver modification [raspti.sys] WARNING: Virus alike driver modification [bthenum.sys] WARNING: Virus alike driver modification [usbohci.sys] WARNING: Virus alike driver modification [kmixer.sys] WARNING: Virus alike driver modification [packet.sys] WARNING: Virus alike driver modification [rdbss.sys] WARNING: Virus alike driver modification [ptilink.sys] WARNING: Virus alike driver modification [ntmtlfax.sys] WARNING: Virus alike driver modification [mrxdav.sys] WARNING: Virus alike driver modification [gt680x.sys] WARNING: Virus alike driver modification [ndis.sys] WARNING: Virus alike driver modification [cdaudio.sys] WARNING: Virus alike driver modification [acpi.sys] WARNING: Virus alike driver modification [bthusb.sys] WARNING: Virus alike driver modification [msfs.sys] WARNING: Virus alike driver modification [tdi.sys] WARNING: Virus alike driver modification [hidir.sys] WARNING: Virus alike driver modification [rdpdr.sys] WARNING: Virus alike driver modification [partmgr.sys] WARNING: Virus alike driver modification [detectdr.sys] WARNING: Virus alike driver modification [GDNdisIc.sys] WARNING: Virus alike driver modification [flpydisk.sys] WARNING: Virus alike driver modification [secdrv.sys] WARNING: Virus alike driver modification [ipinip.sys] WARNING: Virus alike driver modification [vga.sys] WARNING: Virus alike driver modification [tsbvcap.sys] WARNING: Virus alike driver modification [HPZius12.sys] WARNING: Virus alike driver modification [tdtcp.sys] WARNING: Virus alike driver modification [LHIDFLT2.SYS] WARNING: Virus alike driver modification [mouclass.sys] WARNING: Virus alike driver modification [stac97nh.sys] WARNING: Virus alike driver modification [kbdclass.sys] WARNING: Virus alike driver modification [hidparse.sys] WARNING: Virus alike driver modification [pciidex.sys] WARNING: Virus alike driver modification [sonydcam.sys] WARNING: Virus alike driver modification [RTL8139.sys] WARNING: Virus alike driver modification [hidbth.sys] WARNING: Virus alike driver modification [usbcamd.sys] WARNING: Virus alike driver modification [usbcamd2.sys] WARNING: Virus alike driver modification [usbprint.sys] WARNING: Virus alike driver modification [cinemst2.sys] WARNING: Virus alike driver modification [usbstor.sys] WARNING: Virus alike driver modification [SISAGP.SYS] WARNING: Virus alike driver modification [AFGSp50.sys] WARNING: Virus alike driver modification [GDTdiIcpt.sys] WARNING: Virus alike driver modification [fdc.sys] WARNING: Virus alike driver modification [pavboot.sys] WARNING: Virus alike driver modification [stac97na.sys] WARNING: Virus alike driver modification [modem.sys] WARNING: Virus alike driver modification [usbehci.sys] WARNING: Virus alike driver modification [rndismp.sys] WARNING: Virus alike driver modification [rndismpx.sys] WARNING: Virus alike driver modification [npfs.sys] WARNING: Virus alike driver modification [atmepvc.sys] WARNING: Virus alike driver modification [usbccgp.sys] WARNING: Virus alike driver modification [npf.sys] WARNING: Virus alike driver modification [nwlnkfwd.sys] WARNING: Virus alike driver modification [ipfltdrv.sys] WARNING: Virus alike driver modification [rawwan.sys] WARNING: Virus alike driver modification [wanarp.sys] WARNING: Virus alike driver modification [netbios.sys] WARNING: Virus alike driver modification [msgpc.sys] WARNING: Virus alike driver modification [msgame.sys] WARNING: Virus alike driver modification [atmuni.sys] WARNING: Virus alike driver modification [srv.sys] WARNING: Virus alike driver modification [processr.sys] WARNING: Virus alike driver modification [disk.sys] WARNING: Virus alike driver modification [intelppm.sys] WARNING: Virus alike driver modification [bthprint.sys] WARNING: Virus alike driver modification [ip6fw.sys] WARNING: Virus alike driver modification [crusoe.sys] WARNING: Virus alike driver modification [hidclass.sys] WARNING: Virus alike driver modification [isapnp.sys] WARNING: Virus alike driver modification [amdk6.sys] WARNING: Virus alike driver modification [amdk7.sys] WARNING: Virus alike driver modification [bthmodem.sys] WARNING: Virus alike driver modification [update.sys] WARNING: Virus alike driver modification [mbamswissarmy.sys] WARNING: Virus alike driver modification [wpdusb.sys] WARNING: Virus alike driver modification [LHIDUSB.SYS] WARNING: Virus alike driver modification [nmnt.sys] WARNING: Virus alike driver modification [slntamr.sys] WARNING: Virus alike driver modification [termdd.sys] WARNING: Virus alike driver modification [raspppoe.sys] WARNING: Virus alike driver modification [imapi.sys] WARNING: Virus alike driver modification [beep.sys] WARNING: Virus alike driver modification [mnmdd.sys] WARNING: Virus alike driver modification [rdpcdd.sys] WARNING: Virus alike driver modification [viaagp.sys] WARNING: Virus alike driver modification [agp440.sys] WARNING: Virus alike driver modification [mountmgr.sys] WARNING: Virus alike driver modification [alim1541.sys] WARNING: Virus alike driver modification [p3.sys] WARNING: Virus alike driver modification [amdagp.sys] WARNING: Virus alike driver modification [swenum.sys] WARNING: Virus alike driver modification [wmilib.sys] WARNING: Virus alike driver modification [fips.sys] WARNING: Virus alike driver modification [uagp35.sys] WARNING: Virus alike driver modification [agpcpq.sys] WARNING: Virus alike driver modification [gagp30kx.sys] WARNING: Virus alike driver modification [usbd.sys] WARNING: Virus alike driver modification [raspptp.sys] WARNING: Virus alike driver modification [vcsmpdrv.sys] WARNING: Virus alike driver modification [stream.sys] WARNING: Virus alike driver modification [classpnp.sys] WARNING: Virus alike driver modification [mspqm.sys] WARNING: Virus alike driver modification [L8042PR2.SYS] WARNING: Virus alike driver modification [hpzid412.sys] WARNING: Virus alike driver modification [rasl2tp.sys] WARNING: Virus alike driver modification [tosdvd.sys] WARNING: Virus alike driver modification [volsnap.sys] WARNING: Virus alike driver modification [i8042prt.sys] WARNING: Virus alike driver modification [dmusic.sys] WARNING: Virus alike driver modification [mspclock.sys] WARNING: Virus alike driver modification [atmlane.sys] WARNING: Virus alike driver modification [nwlnkspx.sys] WARNING: Virus alike driver modification [swmidi.sys] WARNING: Virus alike driver modification [ntfs.sys] WARNING: Virus alike driver modification [redbook.sys] WARNING: Virus alike driver modification [vdmindvd.sys] WARNING: Virus alike driver modification [lkbdflt2.sys] WARNING: Virus alike driver modification [dmload.sys] WARNING: Virus alike driver modification [rootmdm.sys] WARNING: Virus alike driver modification [smbali.sys] WARNING: Virus alike driver modification [rfcomm.sys] WARNING: Virus alike driver modification [usbhub.sys] WARNING: Virus alike driver modification [atmarpc.sys] WARNING: Virus alike driver modification [drmk.sys] WARNING: Virus alike driver modification [arp1394.sys] WARNING: Virus alike driver modification [sysaudio.sys] WARNING: Virus alike driver modification [nic1394.sys] WARNING: Virus alike driver modification [splitter.sys] WARNING: Virus alike driver modification [cdrom.sys] WARNING: Virus alike driver modification [nwlnknb.sys] WARNING: Virus alike driver modification [cdfs.sys] WARNING: Virus alike driver modification [mf.sys] WARNING: Virus alike driver modification [serial.sys] WARNING: Virus alike driver modification [udfs.sys] WARNING: Virus alike driver modification [lmouflt2.sys] WARNING: Virus alike driver modification [parvdm.sys] WARNING: Virus alike driver modification [pci.sys] WARNING: Virus alike driver modification [psched.sys] WARNING: Virus alike driver modification [Msikbd2k.sys] WARNING: Virus alike driver modification [bridge.sys] WARNING: Virus alike driver modification [sr.sys] WARNING: Virus alike driver modification [ipsec.sys] WARNING: Virus alike driver modification [mskssrv.sys] WARNING: Virus alike driver modification [mcd.sys] WARNING: Virus alike driver modification [psi_mf.sys] WARNING: Virus alike driver modification [sdbus.sys] WARNING: Virus alike driver modification [fs_rec.sys] WARNING: Virus alike driver modification [dmboot.sys]  DDS_2.txt   23.35KB   264 downloadsWARNING: Virus alike driver modification [videoprt.sys] WARNING: Virus alike driver modification [wdmaud.sys] WARNING: Virus alike driver modification [rasacd.sys] WARNING: Virus alike driver modification [nwlnkipx.sys] WARNING: Virus alike driver modification [ndiswan.sys] WARNING: Virus alike driver modification [SBREDrv.sys] WARNING: Virus alike driver modification [slnthal.sys] WARNING: Virus alike driver modification [scsiport.sys] WARNING: Virus alike driver modification [atapi.sys] !!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)  DDS_2.txt   23.35KB   264 downloads

[patndoris]

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

[scudo]

This is the log,During running I had this pop up message....

PEV.exe encountered a problem and needs to close. I ignored, done nothing, and continued.

ComboFix 11-02-28.02 - TOM 28/02/2011 23:57:19.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.703.483 [GMT 0:00]
Running from: c:\documents and settings\TOM\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\TOM\Application Data\.#
c:\documents and settings\TOM\Favorites\Thumbs.db
c:\documents and settings\TOM\My Documents\DPE.DUS
c:\program files\AskSearch\bin\DefaultSearch.dll
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\windows\system\MFC42.DLL
c:\windows\system\MSVCRT.DLL
c:\windows\system\OLEAUT32.DLL
c:\windows\system\OLEPRO32.DLL
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2011-02-01 to 2011-03-01 )))))))))))))))))))))))))))))))
.

2011-02-26 23:51 . 2011-02-26 23:51 388096 ----a-r- c:\documents and settings\TOM\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-26 23:16 . 2011-02-26 23:16 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-26 21:17 . 2011-02-26 21:17 0 ----a-w- c:\documents and settings\TOM\ntuser.tmp
2011-02-26 21:05 . 2011-02-26 23:15 -------- d-----w- c:\documents and settings\All Users\Application Data\eMpLpHo06300

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 1979-12-31 23:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 1979-12-31 23:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 1979-12-31 23:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-23 09:47 . 2009-05-28 16:12 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-12-22 12:34 . 1979-12-31 23:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-01-08 14:23 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 1979-12-31 23:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 1979-12-31 23:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 1979-12-31 23:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 1979-12-31 23:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 1979-12-31 23:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38 . 1979-12-31 23:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2001-08-17 12:48 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-02 19:46 . 2009-11-02 19:45 30286808 -c--a-w- c:\program files\Turbo uk.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EM_EXEC"="c:\progra~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-01-28 35328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-20 413696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Wireless Manager"="c:\program files\Virgin Broadband Wireless\Wireless Manager.exe" [2008-05-26 585728]
"VCSPlayer"="c:\program files\Virtual CD v4 SDK\system\vcsplay.exe" [2002-06-07 299008]

c:\documents and settings\TOM\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\windows\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-4-24 113664]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^TOM^Start Menu^Programs^Startup^Secunia PSI.lnk]
path=c:\documents and settings\TOM\Start Menu\Programs\Startup\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ActivSurf]
2002-08-12 15:15 16384 -c--a-w- c:\apps\ActivSurf\4448364\Program\backWeb-4448364.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-20 17:05 413696 -c--a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-01-31 21:14 544768 -c--a-r- c:\windows\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 04:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"nhksrv"=2 (0x2)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65500:TCP"= 65500:TCP:auzurus

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [09/11/2008 16:41 28544]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [12/08/2002 15:16 6942]
R1 vcsmpdrv;vcsmpdrv;c:\windows\system32\drivers\vcsmpdrv.sys [12/08/2002 15:20 49232]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [28/05/2009 16:12 135336]
R2 VCSSecS;Virtual CD v4 Security service (SDK - Version);c:\program files\Virtual CD v4 SDK\System\vcssecs.exe [12/08/2002 15:20 139264]
S1 mchInjDrv;madCodeHook DLL injection driver;\??\c:\windows\system32\Drivers\mchInjDrv.sys --> c:\windows\system32\Drivers\mchInjDrv.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [28/10/2009 12:12 133104]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [10/12/2008 14:17 7808]
S3 STAC97NA;SigmaTel 3D Environmental Audio;c:\windows\system32\drivers\stac97na.sys [31/12/1979 23:00 296179]
S3 STAC97NH;STAC97NH;c:\windows\system32\drivers\stac97nh.sys [31/12/1979 23:00 231855]
S3 V90drv;v90drv;c:\windows\system32\drivers\v90drv.sys [31/12/1979 23:00 1432836]
S4 Fliisrv;Fliisrv; [x]
S4 nhksrv;Netropa NHK Server;c:\apps\ActivBoard\nhksrv.exe --> c:\apps\ActivBoard\nhksrv.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2011-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-28 12:12]

2011-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-28 12:12]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: {{1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - c:\apps\IECustom\script.htm
Trusted Zone: webs.com
Trusted Zone: webs.com\members
Trusted Zone: webs.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\TOM\Application Data\Mozilla\Firefox\Profiles\pz0t0osv.default\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe
AddRemove-Elite Force Expansion Pack - c:\program files\Raven\EForceXP\DeIsL1.isu
AddRemove-Full Marks Key Stage 3 Science - c:\program files\Full Marks\Key Stage 3 Science\Uninst.isu
AddRemove-Star Trek Voyager Elite Force - c:\program files\Raven\Star Trek Voyager Elite Force\Ef.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-01 00:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1659004503-1454471165-839522115-1005\RemoteAccess\Profile\x *]
"EnableAutodisconnect"=dword:00000001
"EnableExitDisconnect"=dword:00000001
"DisconnectIdleTime"=dword:00000014

[HKEY_USERS\S-1-5-21-1659004503-1454471165-839522115-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3676)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Virgin Broadband Wireless\AffinegyService.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Microsoft ActiveSync\WCESCOMM.EXE
c:\program files\Virgin Broadband Wireless\ndis_events.exe
.
**************************************************************************
.
Completion time: 2011-03-01 00:17:01 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-01 00:16
ComboFix2.txt 2008-11-10 21:19

Pre-Run: 19,106,111,488 bytes free
Post-Run: 19,178,242,048 bytes free

- - End Of File - - CF1EC4D4B006A4C1AFBB7EC1ADA3D697

[patndoris]

I see you have Malwarebytes already on your machine. Please run it by double clicking the icon on the desktop.

• Click on the tab labeled Update and then click on the button Check for updates.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected .
• When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
• Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

http://www.eset.eu/online-scanner
Go here to run an online scannner from ESET.
Click the green ESET Online Scanner button.
Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
Click on the Start button next to it.
You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Insall ActiveX component.
A new window will appear asking "Do you want to install this software?"".
Answer Yes to download and install the ActiveX controls that allows the scan to run.
Click Start.
Check Remove found threats and Scan potentially unwanted applications.
Click Scan to begin.
If offered the option to get information or buy software. Just close the window.
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic.



Download ATF Cleaner by Atribune.
Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.


Can you please also tell me how the machine is running now?

[scudo]

The machine appears to be running ok with no apparent issues. Logs... Malware wouldnt allow an update but run the scan, as below. Malwarebytes' Anti-Malware 1.32 Database version: 1619 Windows 5.1.2600 Service Pack 3 01/03/2011 08:50:01 mbam-log-2011-03-01 (08-50-01).txt Scan type: Quick Scan Objects scanned: 67266 Time elapsed: 8 minute(s), 45 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) eset log... ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK # version=7 # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6425 # api_version=3.0.2 # EOSSerial=3ce75c750bd63e4abf8f92b93546ec01 # end=finished # remove_checked=true # archives_checked=false # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2011-03-01 10:31:26 # local_time=2011-03-01 10:31:26 (+0000, GMT Standard Time) # country="United Kingdom" # lang=9 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=512 16777215 100 0 72739325 72739325 0 0 # compatibility_mode=1024 16777215 100 0 62121550 62121550 0 0 # compatibility_mode=1797 16775125 100 100 864449 73862753 773151 0 # compatibility_mode=8192 67108863 100 0 3757 3757 0 0 # scanned=99185 # found=4 # cleaned=4 # scan_time=5700 C:\Program Files\Unlocker\eBay_shortcuts_1016.exe Win32/Adware.ADON application (deleted - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{F34C1E31-9081-4D41-B672-727C6E4059DF}\RP112\A0005944.dll Win32/Cimag.DU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{F34C1E31-9081-4D41-B672-727C6E4059DF}\RP112\A0005945.exe Win32/Adware.SystemSecurity.AD application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{F34C1E31-9081-4D41-B672-727C6E4059DF}\RP114\A0006187.exe Win32/Adware.ADON application (deleted - quarantined) 00000000000000000000000000000000 C

[patndoris]

I'm glad things seem to be running OK. Remember, absence of symptoms does not mean absence of infection. Since the ESET scan did find and remove a few more files, it is important we get a scan with Malwarebytes that is done with up to date definitions. When the definitions are not up to date, it does not look for the newly released infections. The version of Malwarebytes on your machine is an older version. Let's try again with the current version.

Normally, Malwarebytes would prompt you to install the newer version automatically. Since the updates were not allowed, it's best if we try to start with a clean version of Malwarebytes. Please uninstall the version of Malwarebytes that is on your machine by going to the Control Panel > Add/Remove Programs and choosing to uninstall Malwarebytes. Then do the following:


Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected .
• When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
• Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

[scudo]

Everything still running ok. Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 5914 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 01/03/2011 12:18:04 mbam-log-2011-03-01 (12-18-04).txt Scan type: Quick scan Objects scanned: 181617 Time elapsed: 8 minute(s), 44 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)

[patndoris]

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

• Download the latest version of Java Runtime Environment (JRE) 24 and save it to your desktop.
• Scroll down to where it says JDK 6 Update 24 (JDK or JRE)
• Click the Download JRE button to the right
• Select the Windows platform from the dropdown menu.
• Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u24 with JavaFX 1 License Agreement". Click on Continue.The page will refresh.
• Click on the link to download Windows Offline Installation and save the file to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u24-windows-i586-p.exe to install the newest version.

• After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH CheckedApplications and Applets
    Trace and Log Files
• Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
• Click OK to leave the Temporary Files Window
• Click OK to leave the Java Control Panel.

Update Adobe Reader
There have been updates to Adobe Reader to address security vulnerabilities. You should download the latest version from the Adobe website.



The following will implement some cleanup procedures as well as reset System Restore points:

• Click Start > Run
• Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
• 

Things are looking good There won't be any logs to post back so just let me know when you are done with these steps and I'll give you some final tips/information.

[scudo]

I have had a look at the downloads for java in order to update. your instructions are not agreeing with what I am reading on their site. I will go back in tomorrow and see if I can fathom it out. And report back. regards scudo

[patndoris]

I can give you another link for the download that may be easier. http://www.filehippo...ownload_jre_32/. In the right hand column you will see "Download latest version". Please save the file to your desktop. You can then pick up from removing the older versions in the previous instructions. I hope that works out a little easier. Tomorrow is absolutely fine. Let me know if you still have problems with it.

[scudo]

The other link you posted was much easier to follow.
Everything has been run now.
PC running good, no apparent issues.

It would appear that the system tool virus was likely to have come (in my case) via ebay as was reported in the media.
link to one of the reports.
http://www.theregist...light_uk_sites/

Many thanks for your time and help with my issues.

Scudo

[patndoris]

Great job! Your logs appear to be malware free and you do not appear to be experiencing any malware related problems.
Please follow these simple steps in order to keep your computer malware free and secure:

Visit Microsoft's Windows Update Site Frequently
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Use and Update your AntiVirus Software
It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall
Your log doesn't appear to show a third-party software firewall installed - if you have one, and I've missed it, please ignore this. I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this. Simply using a Firewall in its default configuration can lower your risk greatly.

Use only one antivirus and one firewall on your machine
Having more than one anti-virus program and one firewall on your machine, even if only one is running, can cause conflicts and slowdowns in the performance of the machine.

Make your Internet Explorer more secure
This can be done by following these simple instructions:
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
5. Change the Download signed ActiveX controls to Prompt
6. Change the Download unsigned ActiveX controls to Disable
7. Change the Initialize and script ActiveX controls not marked as safe to Disable
8. Change the Installation of desktop items to Prompt
9. Change the Launching programs and files in an IFRAME to Prompt
10. Change the Navigate sub-frames across different domains to Prompt
11. When all these settings have been made, click on the OK button.
12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
13. Next press the Apply button and then the OK to exit the Internet Properties page.

Keep your Java, Adobe Reader and Adobe Flash Up to Date
Older versions of these programs can contain security vulnerabilities. It is very important to keep them updated.

Update and Run Malwarebytes Anti-Malware
Scan your computer with this program on a regular basis just as you would an antivirus software making sure you update definitions each time you scan.

To simplify making sure you have the latest version of many of your security programs and applications, you may want to consider:
Secunia's Personal Software Inspector (PSI). It is a free utility that scans your computer for installed applications and checks to see if they have the latest security patches and updates. If it finds any applications with possible security issues, links and/or instructions are provided for the necessariy updates.

Filehippo's Update Checker. It is free utilitiy that scan your computer for installed software, checks the versions and then sends this information to see if there are any newer releases. Available software updates are displayed and you can decide which ones to download and install. Among many other types of programs, they includes a number of the Anti-Spyware, Firewall/Security and Anti-Virus programs that have been recommended (though not all of them). Note: Definition files should be updated from within the programs themselves. The Update Checker look for newer versions of the software program, not definition files.

I would suggest you read:
Tony Klein's excellent article: How I got Infected in the First Place
PC Safety and Security--What Do I Need?
How to Prevent Malware

Good luck & Happy surfing!