Author Topic: No virus but Combo log attached just in case (Read 4900 times)

willythecat · « **on:** June 15, 2011, 05:07:53 PM »

No panic.
MBAM has recently been ballooning various messages saying it is blocking incoming ip sites from access, so it is doing its job!
To be on the safe side l've just run Avast AV, HJTHIS, SAS, and MBAM scans and all run clean, with no errors showing.
Can't remember where, but l read that running Combofix also solves some problems. Googled it and it seems a powerful program but l couldn't see why l shouldn't run it, as long as l didn't attempt to correct anything myself, without help from yourselves.
Here's the "blimmin" long log from Combo. Would someone be kind enough to have a quick glance and see if you think l have any issues that need resolving?
NB: I noticed mentions somewhere in there of AVG and IOBIT but l thought l had deleted these?
Anyway, thank you.

ComboFix 11-06-15.01 - briann 15/06/2011 17:41:19.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3327.2726 [GMT 2:00]
Running from: c:\documents and settings\briann\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\briann\Application Data\briannlog.dat
c:\documents and settings\briann\Application Data\EurekaLog
c:\documents and settings\briann\Application Data\inst.exe
c:\documents and settings\briann\Application Data\OfferBox
c:\documents and settings\briann\Application Data\OfferBox\config.xml
c:\documents and settings\briann\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2011-05-15 to 2011-06-15 )))))))))))))))))))))))))))))))
.
.
2011-06-15 06:11 . 2011-06-15 06:11   --------   d-----w-   c:\windows\LastGood
2011-06-12 22:56 . 2011-06-12 22:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\IObit
2011-06-12 22:55 . 2011-06-12 22:57   --------   d-----w-   c:\documents and settings\briann\Application Data\IObit
2011-06-11 22:28 . 2011-06-11 22:28   --------   d-----w-   c:\documents and settings\briann\Application Data\SUPERAntiSpyware.com
2011-06-11 22:28 . 2011-06-11 22:28   --------   d-----w-   c:\program files\SUPERAntiSpyware
2011-06-11 06:05 . 2011-06-11 06:05   404640   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-07 17:44 . 2011-06-07 17:44   --------   d-----w-   c:\documents and settings\briann\Application Data\Rovio
2011-06-06 09:22 . 2011-05-10 12:03   307928   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2011-06-06 09:22 . 2011-05-10 11:59   19544   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2011-06-06 09:22 . 2011-05-10 12:03   441176   ----a-w-   c:\windows\system32\drivers\aswSnx.sys
2011-06-06 09:22 . 2011-05-10 12:02   49240   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2011-06-06 09:22 . 2011-05-10 11:59   25432   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2011-06-06 09:22 . 2011-05-10 12:02   102616   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2011-06-06 09:22 . 2011-05-10 12:02   96344   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2011-06-06 09:22 . 2011-05-10 11:59   30808   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2011-06-06 09:22 . 2011-05-10 12:10   40112   ----a-w-   c:\windows\avastSS.scr
2011-06-06 09:22 . 2011-05-10 12:10   199304   ----a-w-   c:\windows\system32\aswBoot.exe
2011-06-06 09:22 . 2011-06-06 09:22   --------   d-----w-   c:\program files\AVAST Software
2011-06-05 21:48 . 2011-06-05 21:48   --------   d-----w-   c:\documents and settings\briann\Application Data\A0261641-01B1-467E-9DE5-2FFFBF73C059
2011-06-02 19:02 . 2011-06-02 19:02   --------   d-----w-   c:\documents and settings\briann\Application Data\AVG10
2011-06-02 19:00 . 2011-06-02 19:00   --------   d--h--w-   c:\documents and settings\All Users\Application Data\Common Files
2011-06-02 18:49 . 2011-06-04 20:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG10
2011-06-02 18:48 . 2011-06-04 20:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\MFAData
2011-05-29 17:25 . 2011-05-29 17:25   --------   d-----w-   C:\DVDVideoSoft
2011-05-19 15:46 . 2011-05-19 15:46   --------   d-----w-   c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-05 21:48 . 2011-05-08 21:19   167968   ----a-w-   c:\windows\system32\drivers\afcdp.sys
2011-06-05 21:48 . 2011-05-08 21:19   752128   ----a-w-   c:\windows\system32\drivers\tdrpm273.sys
2011-06-05 21:48 . 2011-01-24 18:32   600928   ----a-w-   c:\windows\system32\drivers\timntr.sys
2011-05-29 07:11 . 2010-10-06 15:07   39984   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 07:11 . 2010-10-06 15:07   22712   ----a-w-   c:\windows\system32\drivers\mbam.sys
2011-05-08 21:19 . 2011-01-24 18:32   170528   ----a-w-   c:\windows\system32\drivers\snapman.sys
2011-03-30 18:38 . 2011-03-30 18:38   28752   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E3544FD3-0E42-4B6D-875F-784AE3705A58}\MpKsla6a28098.sys
2011-03-30 18:32 . 2011-03-30 18:32   28752   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E3544FD3-0E42-4B6D-875F-784AE3705A58}\MpKsl09f40d0c.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10   122512   ----a-w-   c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^briann^Start Menu^Programs^Startup^Secunia PSI.lnk]
backup=c:\windows\pss\Secunia PSI.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2011-02-01 17:53   390720   ----a-w-   c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
2002-10-15 16:00   1818624   ----a-w-   c:\windows\mixer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-14 19:17   49152   ----a-w-   c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 09:54   150016   ----a-w-   c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42   1695232   --sh--w-   c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-10-06 08:34   18750976   ----a-w-   c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAOB Monitor]
2011-05-10 16:57   2536440   ----a-w-   c:\program files\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-09-19 04:25   98304   ----a-w-   c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 12:49   249064   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-06-10 16:26   2424192   ----a-w-   c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2011-05-17 20:13   5550792   ----a-w-   c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Secunia Update Agent"=2 (0x2)
"Secunia PSI Agent"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"AcrSch2Svc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
.
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\drivers\tdrpm273.sys [08/05/2011 23:19 752128]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [06/06/2011 11:22 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [06/06/2011 11:22 307928]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 20:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 20:41 67656]
R2 afcdpsrv;Acronis Nonstop Backup Service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [08/05/2011 23:19 3246040]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [06/06/2011 11:22 19544]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [06/10/2010 17:07 366640]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [08/05/2011 23:19 167968]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [06/10/2010 17:07 22712]
S1 MpKsl27aa9cbe;MpKsl27aa9cbe;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5CBE358E-FB9E-42B0-91C3-0ED11A46499B}\MpKsl27aa9cbe.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5CBE358E-FB9E-42B0-91C3-0ED11A46499B}\MpKsl27aa9cbe.sys [?]
S1 MpKsl4965f692;MpKsl4965f692;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B94C2A1F-2A70-45B2-8BDB-24A63750906F}\MpKsl4965f692.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B94C2A1F-2A70-45B2-8BDB-24A63750906F}\MpKsl4965f692.sys [?]
S1 MpKsl82abaab5;MpKsl82abaab5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F553CFB7-36B1-404E-8DC1-3F6E5D6A268A}\MpKsl82abaab5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F553CFB7-36B1-404E-8DC1-3F6E5D6A268A}\MpKsl82abaab5.sys [?]
S1 MpKsla6a28098;MpKsla6a28098;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E3544FD3-0E42-4B6D-875F-784AE3705A58}\MpKsla6a28098.sys [30/03/2011 20:38 28752]
S2 KMService;KMService;c:\windows\system32\srvany.exe [21/11/2010 02:33 8192]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [06/10/2010 16:44 1684736]
S3 appliandMP;appliandMP;

S3 MSICDSetup;MSICDSetup;\??\d:\cdriver.sys --> d:\CDriver.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-861567501-1035525444-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 01:02]
.
2011-06-10 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-861567501-1035525444-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 01:02]
.
2011-06-15 c:\windows\Tasks\User_Feed_Synchronization-{12FB04A5-A76E-4C86-A1A2-0A1F5DA00FA1}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://portail.free.fr/
Trusted Zone: dailymail.co.uk\www
Trusted Zone: telegraph.co.uk\puzzles
TCP: DhcpNameServer = 212.27.40.240 212.27.40.241
.
- - - - ORPHANS REMOVED - - - -
.
Notify-SDWinLogon - SDWinLogon.dll
MSConfigStartUp-00PCTFW - c:\program files\PC Tools Firewall Plus\FirewallGUI.exe
MSConfigStartUp-MSSE - c:\program files\Microsoft Security Essentials\msseces.exe
MSConfigStartUp-Spybot-S&D Cleaning - c:\program files\Spybot - Search & Destroy 2\SDCleaner.exe
MSConfigStartUp-Startup Manager - c:\program files\Advanced System Optimizer\startUp manager.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-15 17:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@DACL=(02 0000)
@="Internet Explorer User Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@="802.3 Group Policy"
"DisplayName"=expand:"@dot3gpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=expand:"dot3gpclnt.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@DACL=(02 0000)
@="Internet Explorer Machine Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
@DACL=(02 0000)
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=expand:"sclgntfy.dll"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEven t"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
.
Completion time: 2011-06-15 17:47:46
ComboFix-quarantined-files.txt 2011-06-15 15:47
.
Pre-Run: 36,801,867,776 bytes free
Post-Run: 36,803,469,312 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 2FA1A556B7F7212176187E13F8EAD57D

SuperDave · « **Reply #1 on:** June 15, 2011, 07:01:00 PM »

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
******************************************************
First of all, you have two AV programs running on your computer which is a no-no. Either avast! Antivirus or AV: Microsoft Security Essentials will have to be disabled/uninstalled. I would stick with MSE, if I were you.

Re-running ComboFix to remove infections:

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the quotebox below into it:
Quote
KillAll::

DDS::
Trusted Zone: dailymail.co.uk\www
Trusted Zone: telegraph.co.uk\puzzles
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
I don't need to see the log from this action.

******************************************************
SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!

Download SuperAntispyware Free Edition (SAS)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.

•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:

•Close browsers before scanning
•Scan for tracking cookies
•Terminate memory threats before quarantining
•Please leave the others unchecked

•Click the Close button to leave the control center screen.

* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes

•To retrieve the removal information please do the following:
•After reboot, double-click the SUPERAntiSpyware icon on your desktop.
•Click Preferences. Click the Statistics/Logs tab.

•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

•It will open in your default text editor (preferably Notepad).
•Save the notepad file to your desktop by clicking (in notepad) File > Save As...

* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
*Copy and Paste the log in your post.
*********************************************

Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
Please save the log to a location you will remember.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
*********************************************************
Download DDS from HERE or HERE and save it to your desktop.

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copying and pasting it into the reply.

willythecat · « **Reply #2 on:** June 16, 2011, 07:56:29 AM »

Thank you SD.
Can l just point out that l did have MSE and AVG Firewall but these were both removed. They are no longer in msconfig, don't appear in task manager, and l have reoved all folders. Can't see why Combofix is still highlighting these??
Anyway, logs requested are as follows -

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/16/2011 at 03:29 PM

Application Version : 4.54.1000

Core Rules Database Version : 7274
Trace Rules Database Version: 5086

Scan type : Complete Scan
Total Scan Time : 00:17:21

Memory items scanned : 378
Memory threats detected : 0
Registry items scanned : 5460
Registry threats detected : 0
File items scanned : 36531
File threats detected : 32

Adware.Tracking Cookie
   C:\Documents and Settings\briann\Cookies\briann@yieldmanager[1].txt
   C:\Documents and Settings\briann\Cookies\[email protected][1].txt
   C:\Documents and Settings\briann\Cookies\[email protected][2].txt
   C:\Documents and Settings\briann\Cookies\[email protected][2].txt
   C:\Documents and Settings\briann\Cookies\[email protected][2].txt
   C:\Documents and Settings\briann\Cookies\[email protected][1].txt
   C:\Documents and Settings\briann\Cookies\briann@revsci[1].txt
   C:\Documents and Settings\briann\Cookies\briann@invitemedia[2].txt
   C:\Documents and Settings\briann\Cookies\briann@mediabrandsww[1].txt
   C:\Documents and Settings\briann\Cookies\[email protected][1].txt
   C:\Documents and Settings\briann\Cookies\[email protected][1].txt
   C:\Documents and Settings\briann\Cookies\briann@nextag[2].txt
   C:\Documents and Settings\briann\Cookies\[email protected][2].txt
   C:\Documents and Settings\briann\Cookies\briann@weborama[2].txt
   C:\Documents and Settings\briann\Cookies\briann@dmtracker[1].txt
   C:\Documents and Settings\briann\Cookies\briann@legolas-media[1].txt
   C:\Documents and Settings\briann\Cookies\[email protected][2].txt
   C:\Documents and Settings\briann\Cookies\[email protected][2].txt
   C:\Documents and Settings\briann\Cookies\briann@zanox[1].txt
   C:\Documents and Settings\briann\Cookies\briann@lucidmedia[2].txt
   C:\Documents and Settings\briann\Cookies\[email protected][1].txt
   C:\Documents and Settings\briann\Cookies\[email protected][2].txt
   C:\Documents and Settings\briann\Cookies\briann@tacoda[1].txt
   C:\Documents and Settings\briann\Cookies\briann@media6degrees[1].txt
   C:\Documents and Settings\briann\Cookies\briann@collective-media[1].txt
   C:\Documents and Settings\briann\Cookies\[email protected][1].txt
   C:\Documents and Settings\briann\Cookies\[email protected][2].txt
   C:\Documents and Settings\briann\Cookies\[email protected][2].txt
   C:\Documents and Settings\briann\Cookies\[email protected][2].txt
   C:\Documents and Settings\briann\Cookies\briann@interclick[2].txt
   C:\Documents and Settings\briann\Cookies\briann@xiti[1].txt
   C:\Documents and Settings\briann\Cookies\briann@kontera[2].txt

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6870

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

16/06/2011 15:42:25
mbam-log-2011-06-16 (15-42-25).txt

Scan type: Full scan (C:\|)
Objects scanned: 182958
Time elapsed: 6 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by briann at 15:43:53 on 2011-06-16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3327.2582 [GMT 2:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://portail.free.fr/
mURLSearchHooks: H - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] c:\program files\common files\java\java update\jusched.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 212.27.40.241 212.27.40.240
TCP: Interfaces\{381EBDF8-7D99-4A61-A37E-CDBB7702D333} : DhcpNameServer = 212.27.40.241 212.27.40.240
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\drivers\tdrpm273.sys [2011-5-8 752128]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-6 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-6-6 307928]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 afcdpsrv;Acronis Nonstop Backup Service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2011-5-8 3246040]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-6-6 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-6-6 42184]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-10-6 366640]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2011-5-8 167968]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-10-6 22712]
S1 MpKsl27aa9cbe;MpKsl27aa9cbe;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5cbe358e-fb9e-42b0-91c3-0ed11a46499b}\mpksl27aa9cbe.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5cbe358e-fb9e-42b0-91c3-0ed11a46499b}\MpKsl27aa9cbe.sys [?]
S1 MpKsl4965f692;MpKsl4965f692;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b94c2a1f-2a70-45b2-8bdb-24a63750906f}\mpksl4965f692.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b94c2a1f-2a70-45b2-8bdb-24a63750906f}\MpKsl4965f692.sys [?]
S1 MpKsl82abaab5;MpKsl82abaab5;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f553cfb7-36b1-404e-8dc1-3f6e5d6a268a}\mpksl82abaab5.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f553cfb7-36b1-404e-8dc1-3f6e5d6a268a}\MpKsl82abaab5.sys [?]
S1 MpKsla6a28098;MpKsla6a28098;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e3544fd3-0e42-4b6d-875f-784ae3705a58}\MpKsla6a28098.sys [2011-3-30 28752]
S2 KMService;KMService;c:\windows\system32\srvany.exe [2010-11-21 8192]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-10-6 1684736]
S3 appliandMP;appliandMP;

S3 MSICDSetup;MSICDSetup;\??\d:\cdriver.sys --> d:\CDriver.sys [?]
.
=============== Created Last 30 ================
.
2011-06-16 12:55:40   98816   ----a-w-   c:\windows\sed.exe
2011-06-16 12:55:40   518144   ----a-w-   c:\windows\SWREG.exe
2011-06-16 12:55:40   256512   ----a-w-   c:\windows\PEV.exe
2011-06-16 12:55:40   208896   ----a-w-   c:\windows\MBR.exe
2011-06-16 12:47:43   --------   d-----w-   c:\documents and settings\briann\application data\SUPERAntiSpyware.com
2011-06-16 12:47:43   --------   d-----w-   c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-06-16 12:47:38   --------   d-----w-   c:\program files\SUPERAntiSpyware
2011-06-16 00:24:22   --------   d-----w-   c:\windows\SxsCaPendDel
2011-06-15 15:40:33   --------   d-sha-r-   C:\cmdcons
2011-06-12 22:56:56   --------   d-----w-   c:\documents and settings\all users\application data\IObit
2011-06-12 22:55:18   --------   d-----w-   c:\documents and settings\briann\application data\IObit
2011-06-11 06:05:25   404640   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-07 17:44:03   --------   d-----w-   c:\documents and settings\briann\application data\Rovio
2011-06-06 09:22:19   441176   ----a-w-   c:\windows\system32\drivers\aswSnx.sys
2011-06-06 09:22:13   40112   ----a-w-   c:\windows\avastSS.scr
2011-06-06 09:22:08   --------   d-----w-   c:\program files\AVAST Software
2011-06-05 21:48:22   --------   d-----w-   c:\documents and settings\briann\application data\A0261641-01B1-467E-9DE5-2FFFBF73C059
2011-06-02 19:00:56   --------   d--h--w-   c:\documents and settings\all users\application data\Common Files
2011-06-02 18:48:00   --------   d-----w-   c:\documents and settings\all users\application data\MFAData
2011-05-29 17:25:52   --------   d-----w-   C:\DVDVideoSoft
2011-05-19 15:46:51   --------   d-----w-   c:\windows\system32\wbem\repository\FS
2011-05-19 15:46:51   --------   d-----w-   c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-06-05 21:48:22   167968   ----a-w-   c:\windows\system32\drivers\afcdp.sys
2011-06-05 21:48:19   752128   ----a-w-   c:\windows\system32\drivers\tdrpm273.sys
2011-06-05 21:48:18   600928   ----a-w-   c:\windows\system32\drivers\timntr.sys
2011-05-29 07:11:30   39984   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 07:11:20   22712   ----a-w-   c:\windows\system32\drivers\mbam.sys
2011-05-08 21:19:24   170528   ----a-w-   c:\windows\system32\drivers\snapman.sys
2011-05-02 15:31:52   692736   ----a-w-   c:\windows\system32\inetcomm.dll
2011-04-29 16:19:43   456320   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12   916480   ----a-w-   c:\windows\system32\wininet.dll
2011-04-25 16:11:11   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22   385024   ----a-w-   c:\windows\system32\html.iec
2011-04-21 13:37:43   105472   ----a-w-   c:\windows\system32\drivers\mup.sys
.
============= FINISH: 15:45:53.62 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-12.02)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 07/10/2010 07:12:24
System Uptime: 16/06/2011 15:00:58 (0 hours ago)
.
Motherboard: MICRO-STAR INTERNATIONAL CO.,LTD | | 760GM -E51 (MS-7596)
Processor: AMD Sempron(tm) 140 Processor | CPU1 | 3105/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 49 GiB total, 33.387 GiB free.
D: is FIXED (NTFS) - 466 GiB total, 441.431 GiB free.
E: is CDROM ()
F: is FIXED (NTFS) - 416 GiB total, 310.061 GiB free.
G: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 16/06/2011 14:55:43 - System Checkpoint
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Acronis True Image Home 2011
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Any Video Converter 3.2.3
ATI - Software Uninstall Utility
ATI AVIVO Codecs
ATI Catalyst Control Center
ATI Display Driver
Auslogics Registry Cleaner
avast! Free Antivirus
BufferChm
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Localization All
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
ConvertXtoDVD 3.4.7.121
Copy
CustomerResearchQFolder
DC++ 0.689
DeepBurner v1.9.0.228
Defraggler
Destination Component
Device drivers for Simple Backup
DeviceDiscovery
DeviceManagementQFolder
DJ_AIO_03_F2200_ProductContext
DJ_AIO_03_F2200_Software
DJ_AIO_03_F2200_Software_Min
DocProc
DocProcQFolder
EasyCleaner
eSupportQFolder
F2200
F2200_Help
Foxit Reader
Free Video Dub version 1.8
GPBaseService
High Definition Audio Driver Package - KB835221
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
HP Customer Participation Program 10.0
HP Deskjet F2200 All-In-One Driver Software 10.0 Rel .3
HP Imaging Device Functions 10.0
HP Smart Web Printing
HP Solution Center 10.0
HPDiagnosticAlert
HPPhotoSmartDiscLabelContent1
HPProductAssistant
HPSSupply
ImgBurn
Java Auto Updater
Java(TM) 6 Update 24
K-Lite Codec Pack 4.7.5 (Full)
Malwarebytes' Anti-Malware version 1.51.0.1200
MarketResearch
MFC RunTime files
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Office 97, Professional Edition
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MiPony 1.3.0
MozBackup 1.4.10
Mozilla Thunderbird (3.1.10)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OCR Software by I.R.I.S. 10.0
PartitionMagic
PCI Audio Driver
Picture Collage Maker
PowerQuest PartitionMagic 8.0
PSSWCORE
RealPlayer
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
RealUpgrade 1.0
Recuva
Replay Media Catcher 4
Replay Music
Scan
Screen Capturer
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2183461)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Shop for HP Supplies
Skins
SmartWebPrintingOC
SolutionCenter
Speccy
Spotify
SpywareBlaster 4.4
Status
SUPERAntiSpyware
SureThing CD Labeler Deluxe
TeamViewer 6
Toolbox
TrayApp
Ultra Video Joiner 4.7.1127
Uninstall 1.0.0.1
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2362765)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VideoToolkit01
WebFldrs XP
WebReg
Windows Internet Explorer 8
Windows PowerShell(TM) 1.0
WinRAR archiver
WOT for Internet Explorer
.
==== Event Viewer Messages From Past Week ========
.
16/06/2011 14:56:56, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
16/06/2011 14:56:56, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
15/06/2011 23:14:51, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
14/06/2011 23:21:05, error: Dhcp [1002] - The IP address lease 82.248.195.76 for the Network Card with network address 406186C9E263 has been denied by the DHCP server 82.248.195.254 (The DHCP Server sent a DHCPNACK message).
13/06/2011 23:20:34, error: Dhcp [1002] - The IP address lease 83.159.15.236 for the Network Card with network address 406186C9E263 has been denied by the DHCP server 83.159.15.254 (The DHCP Server sent a DHCPNACK message).
12/06/2011 23:20:51, error: Dhcp [1002] - The IP address lease 82.251.231.98 for the Network Card with network address 406186C9E263 has been denied by the DHCP server 82.251.231.254 (The DHCP Server sent a DHCPNACK message).
12/06/2011 08:00:41, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
12/06/2011 01:14:11, error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
12/06/2011 01:14:11, error: Service Control Manager [7034] - The Acronis Nonstop Backup Service service terminated unexpectedly. It has done this 1 time(s).
12/06/2011 00:13:16, error: PlugPlayManager [11] - The device Root\LEGACY_SASKUTIL\0000 disappeared from the system without first being prepared for removal.
12/06/2011 00:13:16, error: PlugPlayManager [11] - The device Root\LEGACY_SASDIFSV\0000 disappeared from the system without first being prepared for removal.
11/06/2011 23:20:27, error: Dhcp [1002] - The IP address lease 82.64.79.130 for the Network Card with network address 406186C9E263 has been denied by the DHCP server 82.64.79.254 (The DHCP Server sent a DHCPNACK message).
10/06/2011 23:20:25, error: Dhcp [1002] - The IP address lease 82.253.220.111 for the Network Card with network address 406186C9E263 has been denied by the DHCP server 82.253.220.254 (The DHCP Server sent a DHCPNACK message).
09/06/2011 23:20:01, error: Dhcp [1002] - The IP address lease 82.64.209.201 for the Network Card with network address 406186C9E263 has been denied by the DHCP server 82.64.209.254 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================

SuperDave · « **Reply #3 on:** June 16, 2011, 04:59:34 PM »

Registry cleaners are extremely powerful applications and their potential for harming your OS far outweighs any small potential for improving your computer's performance.
Auslogics Registry Cleaner
There are a number of them available and some are more safe than others. Keep in mind that no two registry cleaners work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad" entry. One cleaner may find entries on your system that will not cause a problem when removed, another may not find the same entries, and still another may want to remove entries required for a program to work. Without research into what the registry entry selected for deletion is, a registry cleaner can end up being an automated method to cause problems with the registry.

For routine use by those not familiar with the registry, the benefits to your computer are negligible while the potential risks are great.

Further reading: XP Fixes Myth #1: Registry Cleaners
******************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
*****************************************************
SysProt Antirootkit

Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Double click Sysprot.exe to start the program.
Click on the Log tab.
In the Write to log box select the following items.

Process << Selected
Kernel Modules << Selected
SSDT << Selected
Kernel Hooks << Selected
IRP Hooks << NOT Selected
Ports << NOT Selected
Hidden Files << Selected

At the bottom of the page

Hidden Objects Only << Selected

Click on the Create Log button on the bottom right.
After a few seconds a new window should appear.
Select Scan Root Drive. Click on the Start button.
When it is complete a new window will appear to indicate that the scan is finished.
The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

willythecat · « **Reply #4 on:** June 17, 2011, 03:44:00 AM »

Thanks SD, logs as requested.

Results of screen317's Security Check version 0.99.13
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
avast! Free Antivirus
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
CCleaner
Auslogics Registry Cleaner
EasyCleaner
Java(TM) 6 Update 24
Out of date Java installed!
Flash Player Out of Date!
Adobe Flash Player 10.1.102.64
Mozilla Thunderbird (3.1.10) Thunderbird Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast avastUI.exe
``````````End of Log````````````
SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: A8507000
Module End: A851F000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: BA644000
Module End: BA646000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAddBootEntry
Address: A8622202
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwAllocateVirtualMemory
Address: A8688CB2
Driver Base: A867F000
Driver End: A86C9000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwClose
Address: A86466C1
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateEvent
Address: A862481C
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateEventPair
Address: A8624874
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateIoCompletion
Address: A862498A
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateKey
Address: A8646075
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateMutant
Address: A8624772
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateSection
Address: A86248C4
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateSemaphore
Address: A86247C6
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateTimer
Address: A8624938
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwDeleteBootEntry
Address: A8622226
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwDeleteKey
Address: A8646D87
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwDeleteValueKey
Address: A864703D
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwDuplicateObject
Address: A8624C0E
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwEnumerateKey
Address: A8646BF2
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwEnumerateValueKey
Address: A8646A5D
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwFreeVirtualMemory
Address: A8688D62
Driver Base: A867F000
Driver End: A86C9000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwLoadDriver
Address: A8621FF0
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwModifyBootEntry
Address: A862224A
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwNotifyChangeKey
Address: A8624D82
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwNotifyChangeMultipleKeys
Address: A8622CDA
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenEvent
Address: A862484C
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenEventPair
Address: A862489C
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenIoCompletion
Address: A86249B4
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenKey
Address: A86463D1
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenMutant
Address: A862479E
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenProcess
Address: A8624A46
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenSection
Address: A8624904
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenSemaphore
Address: A86247F4
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenThread
Address: A8624B2A
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenTimer
Address: A8624962
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwProtectVirtualMemory
Address: A8688DFA
Driver Base: A867F000
Driver End: A86C9000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwQueryKey
Address: A86468D8
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwQueryObject
Address: A8622BA0
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwQueryValueKey
Address: A864672A
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwRenameKey
Address: A8691E48
Driver Base: A867F000
Driver End: A86C9000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwRestoreKey
Address: A86456E8
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwSetBootEntryOrder
Address: A862226E
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwSetBootOptions
Address: A8622292
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwSetSystemInformation
Address: A862204A
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwSetSystemPowerState
Address: A8622186
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwSetValueKey
Address: A8646E8E
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwShutdownSystem
Address: A8622162
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwSystemDebugControl
Address: A86221AA
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwVdmControl
Address: A86222B6
Driver Base: A860F000
Driver End: A867F000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwCreateProcessEx
At Address: 805C74CC
Jump To: A869E906
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: ZwClose
At Address: 805B1DB4
Jump To: A869A2BE
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: PsCreateSystemThread
At Address: 805C74CC
Jump To: A869E906
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: ObMakeTemporaryObject
At Address: 805B1DB4
Jump To: A869A2BE
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: ObInsertObject
At Address: 805B8C2C
Jump To: A869BD5C
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: ObCloseHandle
At Address: 805B1DB4
Jump To: A869A2BE
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Personal.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Pictures.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Programs.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Recent.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SendTo.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\VikPev00
Status: Access denied

SuperDave · « **Reply #5 on:** June 17, 2011, 04:48:16 PM »

Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.

First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
*************************************************
Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.
****************************************************
I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the

button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

Click on to download the ESET Smart Installer. Save it to your desktop.
Double click on the icon on your desktop.

•Check

•Click the

button.
•Accept any security warnings from your browser.
•Check

•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push

•Push

, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the

button.
•Push

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

willythecat · « **Reply #6 on:** June 18, 2011, 04:25:01 PM »

Sorry SD, got tied up.
All programs now up to date and ESET log is as follows.
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6526
# api_version=3.0.2
# EOSSerial=7e0d20dfcc64494e9c93b2f68bdcb13f
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-06-18 01:16:55
# local_time=2011-06-18 03:16:55 (+0100, W. Europe Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 21872299 21872299 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=39631
# found=0
# cleaned=0
# scan_time=1473

SuperDave · « **Reply #7 on:** June 18, 2011, 05:09:03 PM »

That looks good. If there are no other issues, let's do some cleanup.

To uninstall ComboFix

Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
In the field, type in ComboFix /uninstall

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

Then, press Enter, or click OK.
This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.

*********************************************
Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
***********************************************
Use the Secunia Software Inspector to check for out of date software.

•Click Start Now

•Check the box next to Enable thorough system inspection.

•Click Start

•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

willythecat · « **Reply #8 on:** June 19, 2011, 11:48:46 AM »

Have now followed all instructions.
Thanks very much for all your help SD.
Regards

SuperDave · « **Reply #9 on:** June 19, 2011, 04:25:08 PM »

You're welcome. I will lock this thread. If you need it reopened, please send me a pm.

Computer Hope Forum

News:

Author Topic: No virus but Combo log attached just in case (Read 4900 times)

willythecat

No virus but Combo log attached just in case

SuperDave

Re: No virus but Combo log attached just in case

willythecat

Re: No virus but Combo log attached just in case

SuperDave

Re: No virus but Combo log attached just in case

willythecat

Re: No virus but Combo log attached just in case

SuperDave

Re: No virus but Combo log attached just in case

willythecat

Re: No virus but Combo log attached just in case

SuperDave

Re: No virus but Combo log attached just in case

willythecat

Re: No virus but Combo log attached just in case

SuperDave

Re: No virus but Combo log attached just in case