Help with malware/trojan/virus removal

Post by asteroid » June 27th, 2009, 7:40 am

Hello there - I'm in need of help.

Antivirus software shows that my computer is infected with win32/cryptor. This seems to hide as, probably among other things, avast!Antivirus.exe (not the proper avast antivirus software which I don't have). There is also another virusy problem showing up as an active process BN2.tmp (sometimes anything from BN1 to BN6). The problem has been around for at least 3 weeks but since then I've been away.

I've tried looking online to see what to delete because obviously deleting the files doesn't work and they just come back - and deleting them or disabling them from the computer startup process or using malwarebytes anti-malware software to remove them doesn't work either. Pages online tell me to delete files and registry entries that aren't on this machine.

I assume infection came from P2P software which I've deleted this morning so that won't happen again.

Any help would be appreciated in order to get computer speed back, be able to use google again and so on.

Here's the hijackthis.log made straight after restarting the computer (since when I've killed avast and bn2 again, and downloaded more of the recommended software).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:56, on 27/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\HP\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\trend micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} (ContactExtractor Class) - http://www.new.facebook.com/controls/contactx.dll
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4369320062
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/ ... taller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{457D0381-BF59-49BB-850D-0DEEAFCB02E3}: NameServer = 192.168.1.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - (no file)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Avira AntiVir Scheduler (antivirschedulerservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: avast!antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 5984 bytes

Re: Help with malware/trojan/virus removal

Post by askey127 » June 29th, 2009, 9:54 am

asteroid,
Since there are a few reboots to do here, you may want to print this out before beginning.
-----------------------------------------------------------
Remove Registry items with HijackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)
O23 - Service: avast!antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop

Make sure every other window except HJT is closed (no other tabs showing in the bottom tray), and click Fix Checked.
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
Remove Programs Using Control Panel(XP)
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each entry, as follows, one by one, if it exists, and choose Remove:
Adobe Reader 7
Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into Keeping the program.
Now Download the newest version of Adobe Reader:
  • Go here and click on AdbeRdr910_en_US.exe to download the latest version of Adobe Acrobat Reader.
  • Save this file to your desktop and run it to install the latest version of Adobe Reader.

-----------------------------------------------------------
REBOOT Your Machine
-----------------------------------------------------------
Stop, Disable and Delete A Service
Go to Start, Run OR Start, Programs, Accessories, Command Prompt and type Services.msc and click OK.
Scroll down and find the service.

avast!antivirus

Click once on the service to highlight it.
Right-Click on the service. Click on Properties.
Select the General tab.
Next to Service Status, click Stop if it shows it's running.
Click the Arrow-down tab on the right-hand side of the Start-up Type box.
From the drop-down menu, click on Disabled.
Click Apply, then OK.

Delete the Service
Open HiJackThis. Click on Config, Misc Tools, Delete an NT Service
Type
avast! Antivirus
in the space provided and click OK
The program will ask you to REBOOT --- Accept.

Sign in to your usual account.
Using Windows Explorer, locate and DELETE the following file/folder (if it still is present):
C:\WINDOWS\System32\avast!Antivirus.exe
REBOOT one more time.
-----------------------------------------------------------
Post a New HiJackThis Log
Start HijackThis
Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply.

Re: Help with malware/trojan/virus removal

Post by asteroid » June 30th, 2009, 2:02 am

Many thanks. I've worked through your advice (several times). Unfortunately the problem remains and on turning on this machine this morning there's avast, back in place once more (and BN2.tmp running even though I'd removed BNx.tmp from windows/temp and windows/prefetch).

Why do these things have to come with the power of self-resurrection? Anyway, here's the log from Hijack This, scanned after turning on this machine today:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:55:46, on 30/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\BN2.tmp
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\HP\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\HP\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\trend micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} (ContactExtractor Class) - http://www.new.facebook.com/controls/contactx.dll
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4369320062
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/ ... taller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{457D0381-BF59-49BB-850D-0DEEAFCB02E3}: NameServer = 192.168.1.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - (no file)
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Avira AntiVir Scheduler (antivirschedulerservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: avast!antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 5756 bytes

Re: Help with malware/trojan/virus removal

Post by askey127 » June 30th, 2009, 6:47 am

asteroid,
If you want me to assist you with this machine, I need your help as follows:
  • Don't download or install any programs unless I ask you to.
  • Don't remove or delete anything unless I ask you to.
  • Don't try to help by using any other tools than the ones I suggest.
Malware removal is already difficult, and tracking unexpected installations and removals makes it much more complicated.

Now:
Did you install the Agnitum Outpost Security Suite in the time between the two HiJackThis logs?
What ONE antivirus do you want to keep on the machine? If you are ambivalent, I would suggest keeping Antivir, either free or paid, but in any case you need to choose.

If you agree to operate as above, and tell me what you want, I will take steps with you to make it happen. This means not uninstalling anything yet!
Please also answer these two questions:
How many users are there on this machine? Is it a regular home PC?
Is it networked with other machines?

If you are not comfortable working this way, that's OK, your decision.
If you want to proceed, let me know about the four questions.

Re: Help with malware/trojan/virus removal

Post by asteroid » June 30th, 2009, 9:27 am

Hello again and many thanks for everything.

Yes, I'm comfortable working in whatever way is necessary.

Your questions:

Did you install the Agnitum Outpost Security Suite in the time between the two HiJackThis logs?
What ONE antivirus do you want to keep on the machine? If you are ambivalent, I would suggest keeping Antivir, either free or paid, but in any case you need to choose.

Yes, I installed Outpost Firewall (not a full suite) after getting paranoid about the strength of the firewall that there is meant to be in the router. Is it normal for svchost.exe to be sending megabytes up and down the line?

Of the two it would be better to keep Antivir.

If you agree to operate as above, and tell me what you want, I will take steps with you to make it happen. This means not uninstalling anything yet!

Please also answer these two questions:
How many users are there on this machine?

The only user ever signed on is myself as 'Compaq Owner'. Apparently, after checking just now there is also 'Administrator' - I thought I was that but obviously not.

Is it a regular home PC?

It is a regular home PC.

Is it networked with other machines?

It is attached to a router. Also attached are two laptops. As far as I know the three machines don't communicate with each other in any way but then again I don't know a lot.

Re: Help with malware/trojan/virus removal

Post by askey127 » June 30th, 2009, 1:18 pm

asteroid,
OK.
-----------------------------------------------------------
Review Security Center Settings
From Start, Settings, Control Panel or Start, Control Panel, click Security Center
In your next reply, tell me what it reports about the AntiVirus program name and status, the Firewall and Automatic Updates.
You can click the little arrows to the right of each item to see the details.
-----------------------------------------------------------
Disable WinPatrol
- Right Click the 'Scotty Dog' icon in the system tray
- Click Options
- At the bottom of the options page, Uncheck Automatically Run WinPatrol When Computer Starts
- Click the X to end the program.
- Right Click the 'Scotty Dog' icon in the system tray again
- Click Exit Program
WinPatrol is now disabled and will not start at bootup.
-----------------------------------------------------------
DISABLE AVIRA ANTIVIR
Please navigate to the system tray in the bottom right-hand corner and look for an open white umbrella on a red background.
  • Right click it -> untick the option AntiVir Guard enable.
  • You should now see a closed white umbrella on a red background.
The AntiVir Guard is now disabled.
-----------------------------------------------------------
Download ComboFix from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
or here:
http://subs.geekstogo.com/ComboFix.exe
Rename it asteroid.exe and Save it directly to your Desktop.
  • Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    Usually if you right click the Anti-Virus icon in the system tray, you can choose to disable or exit the program.
  • WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
  • Please do not re-connect your machine back to the Internet until Combofix has completely finished.
Double click on asteroid.exe (formerly combofix.exe) & follow the prompts.
When finished, it will produce a report for you.
Please post the contents of that report, located here: "C:\ComboFix.txt", along with a new HijackThis log for further review

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze. Give it at least 20-30 minutes to finish if needed.
If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

So we are looking for the log from ComboFix and the information provided by the Security Center.

Re: Help with malware/trojan/virus removal

Post by asteroid » July 1st, 2009, 8:09 am

Many thanks again for all this help.

First, the Security Centre results:

Firewall - On
Auto Updates - On
Virus Protection - On

Next the ComboFix log (I first had major, major problems on June 7th and I notice a driver created on that date pretty much when I would have been turning the computer on - not that I really know what drivers are):

ComboFix 09-06-29.07 - Compaq_Owner 01/07/2009 12:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.447.137 [GMT 1:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\asteroid.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Outpost Firewall *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\irc.txt
c:\windows\system32\drivers\SKYNETkrjcxiwu.sys
c:\windows\system32\SKYNETdwnhoxuk.dll
c:\windows\system32\SKYNETqajqextk.dat
c:\windows\system32\SKYNETsbxvjbar.dat
c:\windows\system32\SKYNETxvymrmpx.dll
D:\Autorun.inf
D:\Desktop.ini

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - The cat ate it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETtprtexyl
-------\Legacy_6to4
-------\Legacy_avast!antivirus
-------\Legacy_dhcpsrv
-------\Legacy_msncache
-------\Legacy_sndintd
-------\Legacy_sopidkc
-------\Service_6to4
-------\Service_avast!antivirus


((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))
.

2009-06-30 09:53 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-30 09:53 . 2009-04-03 10:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-30 09:53 . 2008-12-18 11:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-30 09:53 . 2009-06-30 09:53 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-30 09:53 . 2008-12-10 10:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-30 09:52 . 2009-06-30 09:52 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\PC Tools
2009-06-30 09:52 . 2009-06-30 09:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-06-29 12:45 . 2009-06-29 12:45 84 ---ha-w- C:\aaw7boot.cmd
2009-06-29 12:25 . 2008-10-15 10:49 53618 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\CONFIG\AVWIN.INIaebb.dll
2009-06-29 11:59 . 2009-06-29 17:06 1 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-28 15:42 . 2009-06-28 15:42 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\OpenOffice.org
2009-06-27 15:52 . 2009-06-27 15:55 -------- d-----w- c:\program files\SpywareBlaster
2009-06-27 15:52 . 2005-08-25 18:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-06-27 12:05 . 2009-04-06 10:37 704384 ----a-w- c:\windows\system32\drivers\SandBox.sys
2009-06-27 12:05 . 2009-02-10 15:15 257432 ----a-w- c:\windows\system32\drivers\afwcore.sys
2009-06-27 12:03 . 2009-02-18 16:30 31128 ----a-w- c:\windows\system32\drivers\afw.sys
2009-06-27 12:03 . 2009-06-27 12:03 -------- d-----w- c:\program files\Agnitum
2009-06-27 12:02 . 2009-06-27 12:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Agnitum
2009-06-27 11:52 . 2009-06-29 13:01 -------- dc----w- c:\windows\system32\DRVSTORE
2009-06-27 11:48 . 2009-06-29 13:02 -------- d-----w- c:\program files\Lavasoft
2009-06-27 11:48 . 2009-06-27 11:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-27 10:51 . 2009-06-27 11:09 -------- d-----w- c:\program files\trend micro
2009-06-27 10:24 . 2009-06-27 10:24 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\WinPatrol
2009-06-27 10:24 . 2005-12-05 16:32 0 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\WinPatrol\Config.sys
2009-06-27 10:24 . 2005-12-05 16:32 0 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\WinPatrol\Autoexec.bat
2009-06-27 10:24 . 2009-06-27 10:24 -------- d-----w- c:\program files\BillP Studios
2009-06-26 12:33 . 2009-06-24 09:21 418171 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aescript.dll
2009-06-26 12:33 . 2009-06-17 14:32 196987 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aeoffice.dll
2009-06-26 12:33 . 2009-05-27 17:10 401783 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aepack.dll
2009-06-26 12:33 . 2009-05-15 15:20 127347 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aescn.dll
2009-06-26 12:33 . 2009-04-30 14:33 106868 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aevdf.dll
2009-06-26 12:33 . 2008-11-05 07:43 438645 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aerdl.dll
2009-06-26 12:33 . 2009-06-26 16:57 1823095 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aeheur.dll
2009-06-26 12:33 . 2009-06-19 14:29 348533 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aegen.dll
2009-06-26 12:33 . 2009-06-11 12:44 205174 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aehelp.dll
2009-06-26 12:33 . 2009-05-27 17:10 180599 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aecore.dll
2009-06-26 12:33 . 2008-10-15 10:49 393588 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aeemu.dll
2009-06-26 12:33 . 2008-10-15 10:49 53618 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aebb.dll
2009-06-26 09:17 . 2009-06-26 09:17 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-06-26 09:16 . 2009-06-17 10:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-26 09:16 . 2009-06-26 09:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-26 09:16 . 2009-06-17 10:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-26 09:16 . 2009-06-26 09:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-26 09:05 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-26 09:05 . 2009-03-24 15:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-26 09:05 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-06-26 09:05 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-26 09:05 . 2009-06-26 09:05 -------- d-----w- c:\program files\Avira
2009-06-26 09:05 . 2009-06-26 09:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-26 08:42 . 2009-06-26 08:42 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Mozilla
2009-06-25 19:31 . 2009-06-25 19:31 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-06-24 18:31 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-06-07 10:15 . 2009-06-25 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-07 10:15 . 2009-06-07 10:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-07 07:04 . 2009-06-25 21:52 -------- d-----w- c:\windows\dhcp
2009-06-07 07:02 . 2009-07-01 11:49 103372 ----a-w- c:\windows\system32\drivers\40cb98ce.sys
2009-06-04 17:52 . 2009-06-04 17:53 -------- d-----w- c:\program files\Virtual Villagers - The Secret City
2009-06-01 17:17 . 2009-06-01 17:17 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-01 11:42 . 2004-08-04 04:00 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-30 10:18 . 2007-12-29 13:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-29 18:21 . 2007-01-13 18:54 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-28 15:30 . 2006-10-12 04:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-28 09:57 . 2007-04-13 15:54 -------- d-----w- c:\program files\PowerArchiver
2009-06-26 09:02 . 2008-05-08 10:43 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-25 22:23 . 2008-04-06 10:58 -------- d-----w- c:\program files\Ubisoft
2009-06-07 07:06 . 2006-11-24 14:33 61544 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 08:26 . 2009-05-23 13:32 -------- d-----w- c:\program files\Virtual Villagers
2009-05-29 21:24 . 2009-05-29 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Zylom
2009-05-29 18:14 . 2009-05-24 13:19 -------- d-----w- c:\program files\Virtual Villagers 2
2009-05-25 16:54 . 2009-04-11 08:56 16 ----a-w- c:\windows\popcinfo.dat
2009-05-24 07:45 . 2008-07-06 18:48 -------- d-----w- c:\program files\Escape From Paradise
2009-05-24 07:07 . 2009-05-24 07:07 -------- d-----w- c:\documents and settings\All Users\Application Data\MumboJumbo
2009-05-22 12:45 . 2006-12-06 10:58 4788 -c--a-w- c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2009-05-22 12:45 . 2009-05-22 12:45 -------- d-----w- c:\program files\JRE
2009-05-22 12:45 . 2009-05-22 12:44 -------- d-----w- c:\program files\OpenOffice.org 3
2009-05-21 17:38 . 2008-06-07 08:41 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Bloom
2009-05-13 15:27 . 2009-05-13 15:27 -------- d-----w- c:\program files\LEGO Media
2009-05-10 20:16 . 2009-05-10 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\MythPeople
2009-05-10 16:51 . 2009-05-10 16:50 -------- d-----w- c:\program files\Virtual Families
2009-05-09 20:13 . 2008-07-05 13:16 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\U3
2009-05-07 16:41 . 2008-07-05 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-05-03 09:58 . 2008-06-18 15:04 -------- d-----w- c:\program files\OpenOffice.org 2.4
2009-05-03 09:49 . 2007-05-04 21:23 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\OpenOffice.org2
2009-05-03 09:24 . 2008-07-11 08:20 1 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-04-21 10:49 . 2009-04-21 10:49 8854 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{3C59AF9D-4139-4D07-BCA2-3CDEFE8B28E3}\Uninstall_Puppy_Luv_125A502F2DF94948A6A3A7491D938CF0.exe
2009-04-21 10:49 . 2009-04-21 10:49 65536 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{3C59AF9D-4139-4D07-BCA2-3CDEFE8B28E3}\Puppy_Luv.exe1_125A502F2DF94948A6A3A7491D938CF0_1.exe
2009-04-21 10:49 . 2009-04-21 10:49 65536 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{3C59AF9D-4139-4D07-BCA2-3CDEFE8B28E3}\Puppy_Luv.exe_125A502F2DF94948A6A3A7491D938CF0_4.exe
2009-04-21 10:49 . 2009-04-21 10:49 13206 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{3C59AF9D-4139-4D07-BCA2-3CDEFE8B28E3}\ARPPRODUCTICON.exe
2009-04-14 10:05 . 2009-04-14 10:05 152576 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-06 20:16 . 2009-04-06 20:16 45056 ----a-w- c:\windows\NCUNINST.EXe
2009-04-06 20:16 . 2009-04-06 20:16 40960 ----a-w- c:\windows\NCLAUNCH.EXe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-08 282624]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"Fax"=3 (0x3)
"CyberLink Media Library Service"=2 (0x2)
"CLSched"=2 (0x2)
"CLCapSvc"=2 (0x2)
"RDSessMgr"=3 (0x3)
"mnmsrvc"=3 (0x3)
"ERSvc"=2 (0x2)
"CiSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"c:\\Program Files\\CyberLink\\PowerCinema\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9896:TCP"= 9896:TCP:BitComet 9896 TCP
"9896:UDP"= 9896:UDP:BitComet 9896 UDP

R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [30/06/2009 10:53 130936]
R1 sandbox;SandBox;c:\windows\system32\drivers\SandBox.sys [27/06/2009 13:05 704384]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [27/06/2009 13:03 1195008]
R2 antivirschedulerservice;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [26/06/2009 10:05 108289]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [27/06/2009 13:03 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [27/06/2009 13:05 257432]
S4 sdauxservice;PC Tools Auxiliary Service; [x]
.
Contents of the 'Scheduled Tasks' folder

2007-03-27 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8166979528.job
- c:\program files\HP\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]

2009-06-30 c:\windows\Tasks\User_Feed_Synchronization-{FA8D5C72-2B15-4EED-85C5-EFF8B7434630}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: {457D0381-BF59-49BB-850D-0DEEAFCB02E3} = 192.168.1.1
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.new.facebook.com/controls/contactx.dll
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\gza17we3.default\
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-01 12:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\40cb98ce]
"ImagePath"="\SystemRoot\System32\drivers\40cb98ce.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(700)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2009-07-01 12:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-01 11:54

Pre-Run: 45,275,533,312 bytes free
Post-Run: 45,368,451,072 bytes free

236 --- E O F --- 2009-05-13 07:19

Finally, the Hijack This log (run immediately after ComboFix finished and saved its log)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:39, on 01/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\explorer.exe
C:\Program Files\trend micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} (ContactExtractor Class) - http://www.new.facebook.com/controls/contactx.dll
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4369320062
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/ ... taller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{457D0381-BF59-49BB-850D-0DEEAFCB02E3}: NameServer = 192.168.1.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - (no file)
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Avira AntiVir Scheduler (antivirschedulerservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 4772 bytes


Thank you again,

Ashley (asteroid)
asteroid
Active Member
 
Posts: 9
Joined: June 27th, 2009, 7:06 am

Re: Help with malware/trojan/virus removal

Unread postby askey127 » July 1st, 2009, 8:51 am

asteroid,
-------------------------------------------------------------
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard
    Registry::
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "9896:TCP"=-
    "9896:UDP"=-

  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
  • Save it to your desktop as CFScript.txt

    Image
  • Now drag and drop the CFScript.txt icon onto combofix.exe as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.
-----------------------------------------------------------
Run a File Search
Press Start->Run, copy/paste the following command into the box and press OK:
cmd /c dir C:\*.* /L /A /B /S|Find "ndis.sys" >> "%userprofile%\desktop\look.txt"

A blank command window will open on your desktop, then close in a minute or two. This is normal.
A file called look.txt should appear on your Desktop. Please post the contents of this file.
-----------------------------------------------------------
REBOOT Your Machine
-----------------------------------------------
Run the RSIT Scanner
Please download the Scanner and save it to your desktop. The icon will be named RSIT.exe
Doubleclick the RSIT icon.
When the scan is complete, two text files will open
log.txt <- this one will be maximized
info.txt <- this one will be minimized
( Default location for both files is C:\rsit\ )
Copy/Paste the contents of both log.txt and info.txt into your next post please. Use separate posts if you prefer.

So we are looking for the contents of look.txt from your desktop, and the two logs from the RSIT Scanner.
askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
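The file search above only lists where copies of ndis.sys live. As an added example that is not part of this thread or of any tool named in it, the Python script below (standard library only) generalises that `dir ... | Find` step: it finds every copy of a file name under a root, case-insensitively like the `/L` listing, and groups the copies by SHA-256 so that a live driver which no longer matches the Service Pack and dllcache backups stands out. The directory tree it runs on is constructed inside a temp folder; nothing under the root is modified.

```python
"""Locate every copy of a file name under a root and group the copies by hash.

Added example, not code from the forum thread or from ComboFix/RSIT.
The sample tree built by build_demo_tree() is constructed for the demo.
"""
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large drivers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root, name):
    """Return every path under root whose basename equals name, case-insensitively.

    Case-insensitive matching mirrors Windows (and the /L switch of the
    original dir command, which lowercases its output). Hidden and system
    directories are walked too, like the /A switch.
    """
    wanted = name.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == wanted:
                hits.append(os.path.join(dirpath, fn))
    return sorted(hits)


def group_by_hash(paths):
    """Map each distinct SHA-256 to the paths carrying that content.

    Returns (groups, unreadable): a copy that cannot be opened (locked,
    permissions) is listed in unreadable instead of aborting the run.
    """
    groups = defaultdict(list)
    unreadable = []
    for p in paths:
        try:
            groups[sha256_of(p)].append(p)
        except OSError:
            unreadable.append(p)
    return dict(groups), unreadable


def odd_ones_out(groups):
    """Return the paths whose content differs from the majority content.

    With the Service Pack backup, servicepackfiles\\i386 and dllcache copies
    present, the legitimate copies normally agree; a lone disagreeing copy
    is the one to examine first.
    """
    if not groups:
        return []
    majority = max(groups.values(), key=len)
    return sorted(p for paths in groups.values() if paths is not majority
                  for p in paths)


def report(root, name):
    """Run the search; return (groups, outliers, unreadable)."""
    groups, unreadable = group_by_hash(find_copies(root, name))
    return groups, odd_ones_out(groups), unreadable


def build_demo_tree():
    """Constructed sample tree standing in for C:\\ : three copies, one differing."""
    root = tempfile.mkdtemp(prefix="lookdemo-")
    clean = b"CLEAN-DRIVER-IMAGE" * 64          # constructed stand-in, not a real driver
    patched = clean[:-8] + b"XXXXXXXX"          # constructed: tail bytes differ
    layout = {
        os.path.join("windows", "servicepackfiles", "i386", "ndis.sys"): clean,
        os.path.join("windows", "system32", "dllcache", "ndis.sys"): clean,
        os.path.join("windows", "system32", "drivers", "NDIS.SYS"): patched,
        os.path.join("windows", "system32", "drivers", "other.sys"): b"unrelated",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    groups, outliers, unreadable = report(demo_root, "ndis.sys")
    for digest, paths in groups.items():
        print(digest[:16], len(paths), "copy/copies")
        for p in paths:
            print("   ", p)
    print("differs from the majority:", outliers)
    print("could not be read:", unreadable)
```

On a real machine, point `report()` at the drive root instead of the demo tree; a hash that appears only once among several backups is a prompt to check that copy's version information, not proof of infection on its own.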

Re: Help with malware/trojan/virus removal

Unread postby asteroid » July 1st, 2009, 9:54 am

For the first time in a while I am not too distressed by this machine. I hope I did the thing with combofix correctly. Here's that log, followed by the look log and the two RSIT scanner logs.

Thank you.

ComboFix 09-06-29.07 - Compaq_Owner 01/07/2009 14:18.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.447.111 [GMT 1:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\asteroid.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Outpost Firewall *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\40cb98ce.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_40cb98ce


((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))
.

2009-06-30 09:53 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-30 09:53 . 2009-04-03 10:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-30 09:53 . 2008-12-18 11:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-30 09:53 . 2009-06-30 09:53 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-30 09:53 . 2008-12-10 10:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-30 09:52 . 2009-06-30 09:52 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\PC Tools
2009-06-30 09:52 . 2009-06-30 09:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-06-29 12:45 . 2009-06-29 12:45 84 ---ha-w- C:\aaw7boot.cmd
2009-06-29 12:25 . 2008-10-15 10:49 53618 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\CONFIG\AVWIN.INIaebb.dll
2009-06-29 11:59 . 2009-06-29 17:06 1 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-28 15:42 . 2009-06-28 15:42 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\OpenOffice.org
2009-06-27 15:52 . 2009-06-27 15:55 -------- d-----w- c:\program files\SpywareBlaster
2009-06-27 15:52 . 2005-08-25 18:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-06-27 12:05 . 2009-04-06 10:37 704384 ----a-w- c:\windows\system32\drivers\SandBox.sys
2009-06-27 12:05 . 2009-02-10 15:15 257432 ----a-w- c:\windows\system32\drivers\afwcore.sys
2009-06-27 12:03 . 2009-02-18 16:30 31128 ----a-w- c:\windows\system32\drivers\afw.sys
2009-06-27 12:03 . 2009-06-27 12:03 -------- d-----w- c:\program files\Agnitum
2009-06-27 12:02 . 2009-06-27 12:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Agnitum
2009-06-27 11:52 . 2009-06-29 13:01 -------- dc----w- c:\windows\system32\DRVSTORE
2009-06-27 11:48 . 2009-06-29 13:02 -------- d-----w- c:\program files\Lavasoft
2009-06-27 11:48 . 2009-06-27 11:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-27 10:51 . 2009-06-27 11:09 -------- d-----w- c:\program files\trend micro
2009-06-27 10:24 . 2009-06-27 10:24 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\WinPatrol
2009-06-27 10:24 . 2005-12-05 16:32 0 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\WinPatrol\Config.sys
2009-06-27 10:24 . 2005-12-05 16:32 0 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\WinPatrol\Autoexec.bat
2009-06-27 10:24 . 2009-06-27 10:24 -------- d-----w- c:\program files\BillP Studios
2009-06-26 12:33 . 2009-06-24 09:21 418171 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aescript.dll
2009-06-26 12:33 . 2009-06-17 14:32 196987 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aeoffice.dll
2009-06-26 12:33 . 2009-05-27 17:10 401783 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aepack.dll
2009-06-26 12:33 . 2009-05-15 15:20 127347 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aescn.dll
2009-06-26 12:33 . 2009-04-30 14:33 106868 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aevdf.dll
2009-06-26 12:33 . 2008-11-05 07:43 438645 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aerdl.dll
2009-06-26 12:33 . 2009-06-26 16:57 1823095 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aeheur.dll
2009-06-26 12:33 . 2009-06-19 14:29 348533 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aegen.dll
2009-06-26 12:33 . 2009-06-11 12:44 205174 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aehelp.dll
2009-06-26 12:33 . 2009-05-27 17:10 180599 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aecore.dll
2009-06-26 12:33 . 2008-10-15 10:49 393588 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aeemu.dll
2009-06-26 12:33 . 2008-10-15 10:49 53618 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aebb.dll
2009-06-26 09:17 . 2009-06-26 09:17 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-06-26 09:16 . 2009-06-17 10:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-26 09:16 . 2009-06-26 09:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-26 09:16 . 2009-06-17 10:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-26 09:16 . 2009-06-26 09:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-26 09:05 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-26 09:05 . 2009-03-24 15:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-26 09:05 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-06-26 09:05 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-26 09:05 . 2009-06-26 09:05 -------- d-----w- c:\program files\Avira
2009-06-26 09:05 . 2009-06-26 09:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-26 08:42 . 2009-06-26 08:42 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Mozilla
2009-06-25 19:31 . 2009-06-25 19:31 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-06-24 18:31 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-06-07 10:15 . 2009-06-25 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-07 10:15 . 2009-06-07 10:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-07 07:04 . 2009-06-25 21:52 -------- d-----w- c:\windows\dhcp
2009-06-04 17:52 . 2009-06-04 17:53 -------- d-----w- c:\program files\Virtual Villagers - The Secret City
2009-06-01 17:17 . 2009-06-01 17:17 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-01 11:42 . 2004-08-04 04:00 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-30 10:18 . 2007-12-29 13:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-29 18:21 . 2007-01-13 18:54 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-28 15:30 . 2006-10-12 04:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-28 09:57 . 2007-04-13 15:54 -------- d-----w- c:\program files\PowerArchiver
2009-06-26 09:02 . 2008-05-08 10:43 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-25 22:23 . 2008-04-06 10:58 -------- d-----w- c:\program files\Ubisoft
2009-06-07 07:06 . 2006-11-24 14:33 61544 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 08:26 . 2009-05-23 13:32 -------- d-----w- c:\program files\Virtual Villagers
2009-05-29 21:24 . 2009-05-29 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Zylom
2009-05-29 18:14 . 2009-05-24 13:19 -------- d-----w- c:\program files\Virtual Villagers 2
2009-05-25 16:54 . 2009-04-11 08:56 16 ----a-w- c:\windows\popcinfo.dat
2009-05-24 07:45 . 2008-07-06 18:48 -------- d-----w- c:\program files\Escape From Paradise
2009-05-24 07:07 . 2009-05-24 07:07 -------- d-----w- c:\documents and settings\All Users\Application Data\MumboJumbo
2009-05-22 12:45 . 2006-12-06 10:58 4788 -c--a-w- c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2009-05-22 12:45 . 2009-05-22 12:45 -------- d-----w- c:\program files\JRE
2009-05-22 12:45 . 2009-05-22 12:44 -------- d-----w- c:\program files\OpenOffice.org 3
2009-05-21 17:38 . 2008-06-07 08:41 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Bloom
2009-05-13 15:27 . 2009-05-13 15:27 -------- d-----w- c:\program files\LEGO Media
2009-05-10 20:16 . 2009-05-10 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\MythPeople
2009-05-10 16:51 . 2009-05-10 16:50 -------- d-----w- c:\program files\Virtual Families
2009-05-09 20:13 . 2008-07-05 13:16 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\U3
2009-05-07 16:41 . 2008-07-05 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-05-03 09:58 . 2008-06-18 15:04 -------- d-----w- c:\program files\OpenOffice.org 2.4
2009-05-03 09:49 . 2007-05-04 21:23 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\OpenOffice.org2
2009-05-03 09:24 . 2008-07-11 08:20 1 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-04-21 10:49 . 2009-04-21 10:49 8854 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{3C59AF9D-4139-4D07-BCA2-3CDEFE8B28E3}\Uninstall_Puppy_Luv_125A502F2DF94948A6A3A7491D938CF0.exe
2009-04-21 10:49 . 2009-04-21 10:49 65536 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{3C59AF9D-4139-4D07-BCA2-3CDEFE8B28E3}\Puppy_Luv.exe1_125A502F2DF94948A6A3A7491D938CF0_1.exe
2009-04-21 10:49 . 2009-04-21 10:49 65536 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{3C59AF9D-4139-4D07-BCA2-3CDEFE8B28E3}\Puppy_Luv.exe_125A502F2DF94948A6A3A7491D938CF0_4.exe
2009-04-21 10:49 . 2009-04-21 10:49 13206 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{3C59AF9D-4139-4D07-BCA2-3CDEFE8B28E3}\ARPPRODUCTICON.exe
2009-04-14 10:05 . 2009-04-14 10:05 152576 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-06 20:16 . 2009-04-06 20:16 45056 ----a-w- c:\windows\NCUNINST.EXe
2009-04-06 20:16 . 2009-04-06 20:16 40960 ----a-w- c:\windows\NCLAUNCH.EXe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-08 282624]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"Fax"=3 (0x3)
"CyberLink Media Library Service"=2 (0x2)
"CLSched"=2 (0x2)
"CLCapSvc"=2 (0x2)
"RDSessMgr"=3 (0x3)
"mnmsrvc"=3 (0x3)
"ERSvc"=2 (0x2)
"CiSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"c:\\Program Files\\CyberLink\\PowerCinema\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9896:TCP"= 9896:TCP:BitComet 9896 TCP
"9896:UDP"= 9896:UDP:BitComet 9896 UDP

R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [30/06/2009 10:53 130936]
R1 sandbox;SandBox;c:\windows\system32\drivers\SandBox.sys [27/06/2009 13:05 704384]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [27/06/2009 13:03 1195008]
R2 antivirschedulerservice;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [26/06/2009 10:05 108289]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [27/06/2009 13:03 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [27/06/2009 13:05 257432]
S4 sdauxservice;PC Tools Auxiliary Service; [x]
.
Contents of the 'Scheduled Tasks' folder

2007-03-27 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8166979528.job
- c:\program files\HP\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]

2009-07-01 c:\windows\Tasks\User_Feed_Synchronization-{FA8D5C72-2B15-4EED-85C5-EFF8B7434630}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: {457D0381-BF59-49BB-850D-0DEEAFCB02E3} = 192.168.1.1
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.new.facebook.com/controls/contactx.dll
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\gza17we3.default\
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-01 14:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2688)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Agnitum\Outpost Firewall\acs.exe
c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
c:\program files\Agnitum\Outpost Firewall\op_mon.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2009-07-01 14:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-01 13:37
ComboFix2.txt 2009-07-01 11:54

Pre-Run: 45,354,950,656 bytes free
Post-Run: 45,344,010,240 bytes free

220 --- E O F --- 2009-05-13 07:19
The 'look' log:

c:\windows\$ntservicepackuninstall$\ndis.sys
c:\windows\servicepackfiles\i386\ndis.sys
c:\windows\system32\dllcache\ndis.sys
c:\windows\system32\dllcache\cache\ndis.sys
c:\windows\system32\drivers\ndis.sys

RSIT log.txt:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Compaq_Owner at 2009-07-01 14:47:33
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 43 GB (29%) free of 147 GB
Total RAM: 447 MB (24% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:47:53, on 01/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Compaq_Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\HijackThis\Compaq_Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} (ContactExtractor Class) - http://www.new.facebook.com/controls/contactx.dll
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4369320062
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/ ... taller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{457D0381-BF59-49BB-850D-0DEEAFCB02E3}: NameServer = 192.168.1.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - (no file)
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Avira AntiVir Scheduler (antivirschedulerservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 4887 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1166979528.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{FA8D5C72-2B15-4EED-85C5-EFF8B7434630}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18df081c-e8ad-4283-a596-fa578c2ebdc3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-02-08 282624]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"OutpostMonitor"=C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe [2009-04-28 2374464]
"OutpostFeedBack"=C:\Program Files\Agnitum\Outpost Firewall\feedback.exe [2009-04-28 428032]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3
"ose"=3
"LightScribeService"=2
"JavaQuickStarterService"=2
"IDriverT"=3
"Fax"=3
"CyberLink Media Library Service"=2
"CLSched"=2
"CLCapSvc"=2
"RDSessMgr"=3
"mnmsrvc"=3
"ERSvc"=2
"CiSvc"=3

C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup
OpenOffice.org 3.1.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2006-04-04 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CyberLink\PowerCinema\PowerCinema.exe"="C:\Program Files\CyberLink\PowerCinema\PowerCinema.exe:*:Enabled:CyberLink PowerCinema"
"C:\Program Files\CyberLink\PowerCinema\PCMService.exe"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe:*:Enabled:CyberLink PowerCinema Resident Program"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\FlashFXP\FlashFXP.exe"="C:\Program Files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3"

======List of files/folders created in the last 2 months======

2009-07-01 14:47:33 ----D---- C:\rsit
2009-07-01 14:47:06 ----SHD---- C:\RECYCLER
2009-07-01 14:37:48 ----D---- C:\WINDOWS\temp
2009-07-01 14:37:45 ----A---- C:\ComboFix.txt
2009-07-01 12:27:50 ----A---- C:\WINDOWS\zip.exe
2009-07-01 12:27:50 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-07-01 12:27:50 ----A---- C:\WINDOWS\SWSC.exe
2009-07-01 12:27:50 ----A---- C:\WINDOWS\SWREG.exe
2009-07-01 12:27:50 ----A---- C:\WINDOWS\sed.exe
2009-07-01 12:27:50 ----A---- C:\WINDOWS\PEV.exe
2009-07-01 12:27:50 ----A---- C:\WINDOWS\NIRCMD.exe
2009-07-01 12:27:50 ----A---- C:\WINDOWS\grep.exe
2009-07-01 12:27:33 ----D---- C:\WINDOWS\ERDNT
2009-07-01 12:27:04 ----D---- C:\Qoobox
2009-06-30 10:53:03 ----D---- C:\Program Files\Common Files\PC Tools
2009-06-30 10:52:58 ----D---- C:\Documents and Settings\Compaq_Owner\Application Data\PC Tools
2009-06-30 10:52:58 ----D---- C:\Documents and Settings\All Users\Application Data\PC Tools
2009-06-29 19:29:23 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-06-29 19:21:24 ----SHD---- C:\Config.Msi
2009-06-29 13:45:13 ----AH---- C:\aaw7boot.cmd
2009-06-28 16:42:54 ----D---- C:\Documents and Settings\Compaq_Owner\Application Data\OpenOffice.org
2009-06-27 16:52:45 ----D---- C:\Program Files\SpywareBlaster
2009-06-27 16:52:45 ----A---- C:\WINDOWS\system32\MSSTDFMT.DLL
2009-06-27 13:03:08 ----D---- C:\Program Files\Agnitum
2009-06-27 13:02:56 ----D---- C:\Documents and Settings\All Users\Application Data\Agnitum
2009-06-27 12:52:13 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-06-27 12:48:01 ----D---- C:\Program Files\Lavasoft
2009-06-27 12:48:01 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-06-27 11:51:05 ----D---- C:\Program Files\trend micro
2009-06-27 11:24:20 ----D---- C:\Documents and Settings\Compaq_Owner\Application Data\WinPatrol
2009-06-27 11:24:07 ----D---- C:\Program Files\BillP Studios
2009-06-26 10:17:02 ----D---- C:\Documents and Settings\Compaq_Owner\Application Data\Malwarebytes
2009-06-26 10:16:25 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-06-26 10:16:20 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-06-26 10:05:28 ----D---- C:\Program Files\Avira
2009-06-26 10:05:28 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2009-06-26 09:42:34 ----D---- C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla
2009-06-25 20:31:32 ----D---- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2009-06-24 19:32:03 ----A---- C:\WINDOWS\system32\hidserv.dll
2009-06-07 11:15:10 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-06-07 11:15:10 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-07 08:04:57 ----D---- C:\WINDOWS\dhcp
2009-06-04 18:52:48 ----D---- C:\Program Files\Virtual Villagers - The Secret City
2009-06-01 18:17:31 ----D---- C:\Program Files\Microsoft Silverlight
2009-05-29 22:24:42 ----D---- C:\Documents and Settings\All Users\Application Data\Zylom
2009-05-24 14:19:55 ----D---- C:\WINDOWS\Virtual Villagers 2
2009-05-24 14:19:55 ----D---- C:\Program Files\Virtual Villagers 2
2009-05-24 08:07:09 ----D---- C:\Documents and Settings\All Users\Application Data\MumboJumbo
2009-05-24 08:06:09 ----D---- C:\WINDOWS\Luxor Quest for the Afterlife
2009-05-23 14:32:25 ----D---- C:\WINDOWS\Virtual Villagers
2009-05-23 14:32:24 ----D---- C:\Program Files\Virtual Villagers
2009-05-22 13:45:14 ----D---- C:\Program Files\JRE
2009-05-22 13:44:42 ----D---- C:\Program Files\OpenOffice.org 3
2009-05-13 16:27:30 ----D---- C:\Program Files\LEGO Media
2009-05-11 09:55:24 ----D---- C:\WINDOWS\pss
2009-05-10 21:16:33 ----D---- C:\Documents and Settings\All Users\Application Data\MythPeople
2009-05-10 17:50:49 ----D---- C:\WINDOWS\Virtual Families
2009-05-10 17:50:49 ----D---- C:\Program Files\Virtual Families
2009-05-10 17:50:31 ----A---- C:\WINDOWS\Virtual Families Setup Log.txt

======List of files/folders modified in the last 2 months======

2009-07-01 14:47:34 ----D---- C:\WINDOWS\Prefetch
2009-07-01 14:44:45 ----D---- C:\WINDOWS\system32\CatRoot2
2009-07-01 14:44:30 ----D---- C:\WINDOWS
2009-07-01 14:42:34 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-07-01 14:37:50 ----D---- C:\WINDOWS\system32\drivers
2009-07-01 14:37:50 ----D---- C:\WINDOWS\system32
2009-07-01 14:30:24 ----A---- C:\WINDOWS\system.ini
2009-07-01 14:28:03 ----D---- C:\WINDOWS\system32\config
2009-07-01 14:23:31 ----D---- C:\WINDOWS\AppPatch
2009-07-01 14:23:24 ----D---- C:\Program Files\Common Files
2009-07-01 12:53:02 ----SD---- C:\WINDOWS\Tasks
2009-07-01 12:52:15 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-07-01 12:22:14 ----D---- C:\Program Files\Mozilla Firefox
2009-06-30 14:08:52 ----RD---- C:\Program Files
2009-06-30 11:18:02 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-06-30 11:05:47 ----D---- C:\WINDOWS\Minidump
2009-06-29 19:30:14 ----SHD---- C:\WINDOWS\Installer
2009-06-29 19:28:54 ----D---- C:\Program Files\Adobe
2009-06-29 19:21:33 ----D---- C:\Program Files\Common Files\Adobe
2009-06-28 16:32:16 ----D---- C:\games
2009-06-28 16:30:47 ----HD---- C:\Program Files\InstallShield Installation Information
2009-06-28 16:22:38 ----D---- C:\Program Files\Outlook Express
2009-06-28 10:57:25 ----D---- C:\Program Files\PowerArchiver
2009-06-28 07:35:10 ----ASH---- C:\boot.ini
2009-06-28 07:35:10 ----A---- C:\WINDOWS\win.ini
2009-06-27 13:05:16 ----HD---- C:\WINDOWS\inf
2009-06-27 13:03:48 ----D---- C:\WINDOWS\WinSxS
2009-06-26 10:02:38 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-06-26 07:13:48 ----HD---- C:\$AVG8.VAULT$
2009-06-25 23:50:08 ----D---- C:\WINDOWS\system32\Restore
2009-06-25 23:23:27 ----D---- C:\Program Files\Ubisoft
2009-06-25 22:52:37 ----AC---- C:\WINDOWS\WININIT.INI
2009-06-24 19:41:03 ----AC---- C:\WINDOWS\ntbtlog.txt
2009-06-24 19:32:08 ----D---- C:\Documents and Settings
2009-06-07 11:09:49 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-06-07 11:08:26 ----D---- C:\WINDOWS\Help
2009-06-07 11:07:33 ----D---- C:\WINDOWS\SoftwareDistribution
2009-06-07 08:30:41 ----SD---- C:\Documents and Settings\Compaq_Owner\Application Data\Microsoft
2009-06-04 16:26:17 ----AC---- C:\WINDOWS\system32\LM9831Log.txt
2009-06-04 12:42:16 ----AC---- C:\WINDOWS\system32\SLIM.ini
2009-06-01 09:51:14 ----A---- C:\WINDOWS\system32\MRT.exe
2009-05-31 11:53:20 ----D---- C:\WINDOWS\network diagnostic
2009-05-29 22:24:49 ----D---- C:\Documents and Settings\Compaq_Owner\Application Data\Identities
2009-05-24 08:45:53 ----D---- C:\Program Files\Escape From Paradise
2009-05-22 13:47:33 ----RSD---- C:\WINDOWS\assembly
2009-05-22 13:46:52 ----D---- C:\WINDOWS\system32\FxsTmp
2009-05-22 13:45:45 ----SD---- C:\WINDOWS\Fonts
2009-05-21 18:38:27 ----D---- C:\Documents and Settings\Compaq_Owner\Application Data\Bloom
2009-05-13 16:34:01 ----D---- C:\WINDOWS\speech
2009-05-09 21:13:49 ----D---- C:\Documents and Settings\Compaq_Owner\Application Data\U3
2009-05-07 17:41:49 ----D---- C:\Documents and Settings\All Users\Application Data\PlayFirst
2009-05-03 10:58:17 ----D---- C:\Program Files\OpenOffice.org 2.4
2009-05-03 10:49:49 ----D---- C:\Documents and Settings\Compaq_Owner\Application Data\OpenOffice.org2

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-08 35840]
R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 sandbox;SandBox; \??\C:\WINDOWS\system32\drivers\SandBox.sys []
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R2 atksgt;atksgt; C:\WINDOWS\system32\DRIVERS\atksgt.sys [2009-03-29 271360]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-03-24 55640]
R2 lirsgt;lirsgt; C:\WINDOWS\system32\DRIVERS\lirsgt.sys [2009-03-29 18048]
R3 afw;Agnitum firewall driver; C:\WINDOWS\system32\DRIVERS\afw.sys [2009-02-18 31128]
R3 afwcore;afwcore; C:\WINDOWS\system32\drivers\afwcore.sys [2009-02-10 257432]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-04-04 1536000]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-07-24 4353024]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 Ps2;PS2; C:\WINDOWS\system32\DRIVERS\PS2.sys [2005-12-12 19072]
R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2006-02-27 81408]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 catchme;catchme; \??\C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\catchme.sys []
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2003-03-09 51024]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2003-03-09 16080]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2003-03-09 21456]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 acssrv;Agnitum Client Security Service; C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe [2009-04-28 1195008]
R2 antivirschedulerservice;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 antivirservice;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-05-11 185089]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE [2007-08-09 73728]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 CLCapSvc;CyberLink Background Capture Service (CBCS); C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe [2006-05-10 266338]
S4 CLSched;CyberLink Task Scheduler (CTS); C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe [2006-05-10 114784]
S4 CyberLink Media Library Service;CyberLink Media Library Service; C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe [2006-05-10 1073152]
S4 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-14 267776]
S4 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S4 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
S4 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-06-20 49152]
S4 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S4 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------
RSIT info.txt:


info.txt logfile of random's system information tool 1.06 2009-07-01 14:48:00

======Uninstall list======

-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Adobe Shockwave Player 11.5-->"C:\WINDOWS\system32\Adobe\Shockwave 11\uninstaller.exe"
Adobe SVG Viewer 3.0-->C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Amulet Of Tricolor-->"C:\WINDOWS\Amulet Of Tricolor\uninstall.exe" "/U:C:\Program Files\Amulet Of Tricolor\Uninstall\uninstall.xml"
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
Blokus World Tour-->"C:\WINDOWS\Blokus World Tour\uninstall.exe" "/U:C:\Program Files\Blokus World Tour\Uninstall\uninstall.xml"
Bookstories 1.0-->"C:\Program Files\Gambana\Bookstories\unins000.exe"
Card Games-->C:\WINDOWS\uninst.exe -f"C:\Program Files\Cosmi\Card Games\DeIsL1.isu" -c"C:\Program Files\Cosmi\Card Games\_ISREG32.DLL"
Coffee Tycoon-->C:\Program Files\Coffee Tycoon\UNWISE.EXE C:\Program Files\Coffee Tycoon\INSTALL.LOG
Cradle Of Persia-->"C:\WINDOWS\Cradle Of Persia\uninstall.exe" "/U:C:\Program Files\Cradle Of Persia\Uninstall\uninstall.xml"
Cradle Of Rome-->"C:\WINDOWS\Cradle Of Rome\uninstall.exe" "/U:C:\Program Files\Cradle Of Rome\Uninstall\uninstall.xml"
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
Customer Experience Enhancement-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{23012310-3E05-46A5-88A9-C6CBCABCAC79} /l1033
dBpoweramp Shorten Codec-->"C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Shorten Codec.dat
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Plus DirectShow Filters-->C:\Program Files\DivX\DivXDSFiltersUninstall.exe /DSFILTERS
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Efficient WMA MP3 Converter v0.99.2-->"C:\Program Files\Efficient WMA MP3 Converter\unins000.exe"
Enhanced Multimedia Keyboard Solution-->C:\HP\KBD\Install.exe /u
Escape From Paradise-->C:\Program Files\Escape From Paradise\Uninstal.exe
Eusing Free Registry Cleaner-->C:\PROGRA~1\EUSING~1\UNWISE.EXE C:\PROGRA~1\EUSING~1\INSTALL.LOG
GTK+ 2.10.6-1 runtime environment-->"C:\Program Files\Common Files\GTK\2.0\setup\unins000.exe"
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotel Giant-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C4F1B9FE-F3AF-11D5-93D1-00C0CA18FDE6}\setup.exe" -uninst
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HP Boot Optimizer-->MsiExec.exe /X{1341D838-719C-4A05-B50F-49420CA1B4BB}
HP DVD Play 2.1-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\Setup.exe" -uninstall
HP Imaging Device Functions 7.0-->C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Memories Disc-->MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
HP Photo and Imaging 2.0 - All-in-One Drivers-->MsiExec.exe /X{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}
HP Photo and Imaging 2.0 - All-in-One-->MsiExec.exe /X{9867A917-5D17-40DE-83BA-BEA5293194B1}
HP Photo and Imaging 2.0 - hp psc 1200 series-->C:\Program Files\HP\Digital Imaging\{7C8BB31C-E09E-4c7d-BBF1-45E33B467FE1}\Setup\hpzscr01.exe -datfile hposcr02.dat -forcereboot
HP Photosmart Premier Software 6.5-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
hp psc 1200 series-->MsiExec.exe /X{C900EF06-2E76-49C7-8DB0-41F629B21DC5}
HP Update-->MsiExec.exe /X{FE57DE70-95DE-4B64-9266-84DA811053DB}
J2SE Runtime Environment 5.0 Update 11-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Jane's Hotel-->"C:\Program Files\Realore\Janes Hotel\unins000.exe"
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Java(TM) SE Runtime Environment 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
LEGO Creator Harry Potter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7FB70A9B-6591-42EB-BD84-6F9C55368E06}\setup.exe"
Loonyland v2.0-->"C:\Program Files\Loonyland\unins000.exe"
Mahjong Epic-->C:\Program Files\Mahjong Epic\uninstall.exe
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Marine Park Empire-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51FB1E00-C141-46D1-9C11-B7FFEF3F2B86}\Setup.exe" -l0x9 -uninst
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Word Viewer 2003-->MsiExec.exe /I{90850409-6000-11D3-8CFE-0150048383C9}
Microsoft Reader-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B6F7DBE7-2FE2-458F-A738-B10832746036}\Setup.exe" -L0x9
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Works-->MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Microsoft Zoo Tycoon-->"C:\Program Files\Microsoft Games\Zoo Tycoon\UNINSTAL.EXE" /runtemp /addremove
Moraff's World of Games-->C:\Program Files\Moraff's World of Games\uninstall.exe
Mozilla Firefox (3.0.11)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
My Tribe 1.00-->C:\Program Files\Games\My Tribe\Uninstall.exe
OpenOffice.org 3.1-->MsiExec.exe /I{E6B87DC4-2B3D-4483-ADFF-E483BF718991}
Outpost Firewall 2009-->"C:\Program Files\Agnitum\Outpost Firewall\unins000.exe"
Ozzy Bubbles-->"C:\Program Files\Realore\Ozzy Bubbles\unins000.exe"
PowerCinema-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\Setup.exe" -uninstall
Puppy Luv A New Breed-->MsiExec.exe /I{3C59AF9D-4139-4D07-BCA2-3CDEFE8B28E3}
Puzzle Hero 1.1.1-->"C:\Program Files\Puzzle Hero\unins000.exe"
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
RTP for RM2K (Png, Wav, Midi, Fonts)-->C:\WINDOWS\UnGins.exe "C:\Program Files\ASCII\RPG2000\RTP\install.log"
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Serif PhotoPlus 6.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0609D0AF-1382-42BE-81DB-CF30F8B0F6E2}\Setup.exe" -l0x9
SleeplessHollow (remove only)-->"C:\Program Files\SleeplessHollow\uninstall.exe"
SolSuite-->C:\PROGRA~1\SolSuite\UNWISE.EXE C:\PROGRA~1\SolSuite\INSTALL.LOG
Sonic Express Labeler-->MsiExec.exe /X{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus-->MsiExec.exe /X{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio-->MsiExec.exe /X{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy-->MsiExec.exe /X{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data-->MsiExec.exe /X{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager-->MsiExec.exe /X{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spooky Castle 1.2-->"C:\Program Files\Spooky Castle\unins000.exe"
SpywareBlaster 4.2-->"C:\Program Files\SpywareBlaster\unins000.exe"
Switch Sound File Converter-->C:\Program Files\NCH Swift Sound\Switch\uninst.exe
Turbo Lister 2-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{69640730-B830-4C24-BB5C-222DA1260548}
Turtle Odyssey 2 (remove only)-->C:\Program Files\Turtle Odyssey 2\Uninstall.exe
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
VC80CRTRedist - 8.0.50727.762-->MsiExec.exe /I{767CC44C-9BBC-438D-BAD3-FD4595DD148B}
Virtual Families-->"C:\WINDOWS\Virtual Families\uninstall.exe" "/U:C:\Program Files\Virtual Families\Uninstall\uninstall.xml"
Virtual Villagers - The Secret City 1.0-->C:\Program Files\Virtual Villagers - The Secret City\uninst.exe
Virtual Villagers 2-->"C:\WINDOWS\Virtual Villagers 2\uninstall.exe" "/U:C:\Program Files\Virtual Villagers 2\Uninstall\uninstall.xml"
Virtual Villagers-->"C:\WINDOWS\Virtual Villagers\uninstall.exe" "/U:C:\Program Files\Virtual Villagers\Uninstall\uninstall.xml"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinPatrol 2009-->C:\PROGRA~1\BILLPS~1\WINPAT~1\Setup.exe /remove /q0
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

=====HijackThis Backups=====

O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing) [2009-06-29]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = [2009-06-29]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2009-06-29]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop [2009-06-29]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = [2009-06-29]
O23 - Service: avast!antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe [2009-06-29]
O23 - Service: avast!antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe [2009-06-29]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop [2009-06-29]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop [2009-06-29]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = [2009-06-29]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = [2009-06-29]
O23 - Service: avast!antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe [2009-06-30]
O23 - Service: avast!antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe [2009-06-30]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file) [2009-06-30]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - (no file) [2009-06-30]
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe [2009-06-30]
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe [2009-06-30]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = [2009-06-30]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = [2009-06-30]

======Security center information======

AV: AntiVir Desktop
FW: Outpost Firewall

======System event log======

Computer Name: ASTEROIDMACHINE
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load:
ftsata2

Record Number: 99199
Source Name: Service Control Manager
Time Written: 20090607084123.000000+060
Event Type: error
User:

Computer Name: ASTEROIDMACHINE
Event Code: 7022
Message: The msncache service hung on starting.

Record Number: 99198
Source Name: Service Control Manager
Time Written: 20090607084123.000000+060
Event Type: error
User:

Computer Name: ASTEROIDMACHINE
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 99197
Source Name: Tcpip
Time Written: 20090607084100.000000+060
Event Type: warning
User:

Computer Name: ASTEROIDMACHINE
Event Code: 7000
Message: The Automatic Updates service failed to start due to the following error:
The system cannot find the file specified.


Record Number: 99196
Source Name: Service Control Manager
Time Written: 20090607084000.000000+060
Event Type: error
User:

Computer Name: ASTEROIDMACHINE
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 99191
Source Name: Tcpip
Time Written: 20090607083353.000000+060
Event Type: warning
User:

=====Application event log=====

Computer Name: ASTEROIDMACHINE
Event Code: 1002
Message: Hanging application iexplore.exe, version 7.0.6000.16791, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 25
Source Name: Application Hang
Time Written: 20090213215911.000000+000
Event Type: error
User:

Computer Name: ASTEROIDMACHINE
Event Code: 1000
Message: Faulting application iexplore.exe, version 7.0.6000.16791, faulting module unknown, version 0.0.0.0, fault address 0x00700055.

Record Number: 24
Source Name: Application Error
Time Written: 20090213211251.000000+000
Event Type: error
User:

Computer Name: ASTEROIDMACHINE
Event Code: 1002
Message: Hanging application lunatic.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 16
Source Name: Application Hang
Time Written: 20090213163256.000000+000
Event Type: error
User:

Computer Name: ASTEROIDMACHINE
Event Code: 1002
Message: Hanging application iexplore.exe, version 7.0.6000.16791, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 14
Source Name: Application Hang
Time Written: 20090213102538.000000+000
Event Type: error
User:

Computer Name: ASTEROIDMACHINE
Event Code: 1000
Message: Faulting application iexplore.exe, version 7.0.6000.16791, faulting module avgssie.dll, version 8.0.0.223, fault address 0x00004189.

Record Number: 13
Source Name: Application Error
Time Written: 20090213100316.000000+000
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;c:\Python22;C:\Program Files\Common Files\GTK\2.0\bin
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0409
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"SonicCentral"=c:\Program Files\Common Files\Sonic Shared\Sonic Central\
"LANG"=C

-----------------EOF-----------------



Thank you again, as always. Whoever you are, you are wonderful.
asteroid

Re: Help with malware/trojan/virus removal

Unread postby askey127 » July 1st, 2009, 11:06 am

asteroid,
Go to Start, Run and type services.msc into the box. Hit <Enter>.
Look at the Status of the Automatic Updates entry. It should list Status : "Started" and Startup Type : "Automatic".
If not, right click Automatic Updates, choose Properties, and click the Start button.
If Startup Type is not "Automatic", change the Startup Type to "Automatic" and click OK.

Look at the Status of the Background Intelligent Transfer Service entry. It should list Startup Type : "Manual".
If not, right click Background Intelligent Transfer Service, and if Startup Type is "Disabled", change the Startup Type to "Manual" and click OK.
If Status is not "Started", click the Start button to be certain that it can start.

If you encounter any difficulty, please note as much detail about the error(s) as you can, and let me know.
askey127

Re: Help with malware/trojan/virus removal

Unread postby asteroid » July 1st, 2009, 1:22 pm

Things are looking a lot better - there are three fewer svchost.exe running, two of which were using a lot of memory and transferring goodness knows what up and down the phone line. So that's wonderful. And the fake avast!antivirus and the bxx.tmp are not appearing any more. Which is also wonderful. Thank you very much.

It seems that you've spotted another problem though:


Automatic Updates: Program name - wuauserv

Set to automatic but is not currently running.

Path to executable - %fystemroot%\system32\svchost.exe -k netsvcs

The automatic updates could not be started, giving this error message:

'Could not start the Automatic Updates service on local computer.

Error 2: The system cannot find the file specified.'

Background Intelligent Transfer Service Program name - BITS

This is set to manual and is currently stopped.

Path to executable - %fystemroot%\system32\svchost.exe -k netsvcs

Again, it could not be started, giving the same error message:

'Could not start the Background Intelligent Transfer service on local computer.

Error 2: The system cannot find the file specified.'


I guess this means that the auto-updating hasn't been happening after all.
asteroid

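The services.msc check askey127 described and the service details asteroid pasted back show the same fault from two sides: both services are hosted by svchost.exe, and the stored path reads %fystemroot% where a healthy XP system has %SystemRoot%. Windows leaves an undefined %VAR% unexpanded, so the Service Control Manager looks for a file that cannot exist and reports Error 2 (file not found). The script below is an added example, not anything posted in the thread: it parses the text that `reg query "HKLM\SYSTEM\CurrentControlSet\Services\<name>" /v ImagePath` prints, expands the variables the way Windows does, and flags every service whose path contains an undefined variable or points at a missing executable. The registry output, the environment table and the file list are constructed samples modelled on the thread; on a live machine pass os.environ and os.path.isfile instead.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample of what `reg query "HKLM\SYSTEM\CurrentControlSet\Services\<name>" /v ImagePath`
# prints. BITS and wuauserv carry the value asteroid posted; Spooler is a healthy control entry.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
    ImagePath    REG_EXPAND_SZ    %fystemroot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    ImagePath    REG_EXPAND_SZ    %fystemroot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\spoolsv.exe
"""

# Constructed stand-ins for os.environ and os.path.isfile on an XP box.
SAMPLE_ENV = {"SystemRoot": r"C:\WINDOWS", "windir": r"C:\WINDOWS"}
SAMPLE_FILES = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\spoolsv.exe"}


def parse_image_paths(reg_output: str) -> Dict[str, str]:
    """Map service name -> raw ImagePath string from `reg query` text."""
    paths: Dict[str, str] = {}
    current = None
    for line in reg_output.splitlines():
        s = line.strip()
        if s.upper().startswith("HKEY_") and "\\SERVICES\\" in s.upper():
            current = s.rsplit("\\", 1)[-1]          # the key name is the service name
        elif s.startswith("ImagePath") and current:
            parts = s.split(None, 2)                  # name, type, value (value may contain spaces)
            if len(parts) == 3:
                paths[current] = parts[2]
    return paths


def expand_vars(value: str, env: Dict[str, str]) -> Tuple[str, List[str]]:
    """Expand %VAR% tokens case-insensitively, as Windows does. An undefined variable is
    left in place (also Windows behaviour) and reported, because that is what turns a
    valid-looking path into one the Service Control Manager cannot open."""
    lookup = {k.lower(): v for k, v in env.items()}
    unknown: List[str] = []

    def sub(m: "re.Match[str]") -> str:
        name = m.group(1)
        if name.lower() in lookup:
            return lookup[name.lower()]
        unknown.append(name)
        return m.group(0)

    return re.sub(r"%([^%\s]+)%", sub, value), unknown


def executable_of(command: str) -> str:
    """First token of the command line: a quoted path, or everything up to the first space.
    (An unquoted path containing spaces is itself a misconfiguration and is cut short here.)"""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def check_service_paths(reg_output: str, env: Dict[str, str],
                        file_exists: Callable[[str], bool]) -> Dict[str, dict]:
    """One finding per service: undefined variables, the resolved executable, and whether it exists."""
    findings = {}
    for name, raw in parse_image_paths(reg_output).items():
        expanded, unknown = expand_vars(raw, env)
        exe = executable_of(expanded)
        findings[name] = {
            "image_path": raw,
            "unknown_vars": unknown,
            "executable": exe,
            "ok": not unknown and file_exists(exe),
        }
    return findings


def sample_file_exists(path: str) -> bool:
    """Offline stand-in for os.path.isfile."""
    return path.lower() in SAMPLE_FILES


if __name__ == "__main__":
    # On a live system: check_service_paths(<reg query output>, os.environ, os.path.isfile)
    for name, f in check_service_paths(SAMPLE_REG_OUTPUT, SAMPLE_ENV, sample_file_exists).items():
        state = "OK     " if f["ok"] else "BROKEN "
        extra = f"  undefined variable(s): {f['unknown_vars']}" if f["unknown_vars"] else ""
        print(f"{state}{name:10} {f['image_path']}{extra}")
```

`sc qc <service>` shows the stored path as BINARY_PATH_NAME, and `sc config <service> binPath= "%SystemRoot%\system32\svchost.exe -k netsvcs"` (the space after `binPath=` is required by sc) puts the standard XP value back for a netsvcs-hosted service such as BITS or wuauserv. Repair the value only after the infection that changed it has been removed, and re-run the check afterwards.
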
Re: Help with malware/trojan/virus removal

Unread postby askey127 » July 1st, 2009, 2:24 pm

Let's try to fix the one for BITS first. See if there are other copies on the machine.
-----------------------------------------------------------
Run a File Search
Press Start->Run, copy/paste the following command into the box and press OK:
cmd /c dir C:\*.* /L /A /B /S|Find "qmgr" >> "%userprofile%\desktop\BITSlook.txt"

A blank command window will open on your desktop, then close in a minute or two. This is normal.
A file called BITSlook.txt should appear on your Desktop. Please post the contents of this file.
askey127

Re: Help with malware/trojan/virus removal

Unread postby asteroid » July 1st, 2009, 4:09 pm

BITSlook.txt file:

c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat
c:\windows\$ntservicepackuninstall$\qmgr.dll
c:\windows\$ntservicepackuninstall$\qmgr.inf
c:\windows\$ntservicepackuninstall$\qmgrprxy.dll
c:\windows\i386\qmgr.dl_
c:\windows\i386\qmgr.in_
c:\windows\i386\qmgrprxy.dl_
c:\windows\inf\qmgr.inf
c:\windows\inf\qmgr.pnf
c:\windows\servicepackfiles\i386\qmgr.dll
c:\windows\servicepackfiles\i386\qmgr.inf
c:\windows\servicepackfiles\i386\qmgrprxy.dll
c:\windows\system32\qmgr.dll
c:\windows\system32\qmgrprxy.dll
c:\windows\system32\bits\qmgr.dll
asteroid

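askey127 asked for the search so the copies of the BITS DLL on the disk could be compared; the listing above shows the live copy in system32 next to Windows' own cached copies in servicepackfiles\i386 and the service-pack uninstall folder. The script below is an added example, not part of the thread, showing what a responder does with such a listing: it groups every copy of a named file by where it sits, hashes them, and reports whether the live copy matches a reference copy. The listing is a constructed subset of BITSlook.txt, and the digests come from a constructed lookup table so the example runs offline; sha256_of is the real hasher to pass on a live system. A mismatch means the live file differs from the cached original and deserves a closer look (it may also simply be a newer hotfix build); a match rules out a replaced binary but not a corrupted service configuration.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed subset of the BITSlook.txt listing (dir /L /B /S output, so paths are lower case).
SAMPLE_LISTING = r"""
c:\windows\$ntservicepackuninstall$\qmgr.dll
c:\windows\servicepackfiles\i386\qmgr.dll
c:\windows\system32\qmgr.dll
c:\windows\system32\qmgrprxy.dll
c:\windows\system32\bits\qmgr.dll
"""


def sha256_of(path: str, chunk: int = 1 << 16) -> str:
    """Real hasher for a live system: SHA-256 of the file at path."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(path: str) -> str:
    """Bucket a copy by where it lives; the buckets decide which copies count as reference."""
    p = path.lower().replace("/", "\\")
    name = p.rsplit("\\", 1)[-1]
    if "\\servicepackfiles\\" in p or "\\dllcache\\" in p:
        return "reference"          # Windows' own pristine copies, what SFC restores from
    if "\\$ntservicepackuninstall$\\" in p or "\\$ntuninstall" in p:
        return "uninstall-backup"   # the pre-update version: legitimate, but older
    if p.endswith("\\system32\\" + name):
        return "live"               # the copy the service actually loads
    return "other"                  # anywhere else: not necessarily bad, but worth a look


def hash_copies(listing: str, filename: str,
                hasher: Callable[[str], str]) -> Dict[str, Tuple[str, str]]:
    """{path: (bucket, digest)} for every line of the listing whose file name matches."""
    copies: Dict[str, Tuple[str, str]] = {}
    for line in listing.splitlines():
        line = line.strip()
        if line and line.replace("/", "\\").rsplit("\\", 1)[-1].lower() == filename.lower():
            copies[line] = (classify(line), hasher(line))
    return copies


def verdict(copies: Dict[str, Tuple[str, str]]) -> str:
    """match / mismatch of the live copy against the reference set, or why no comparison was possible."""
    live = [digest for bucket, digest in copies.values() if bucket == "live"]
    refs = {digest for bucket, digest in copies.values() if bucket == "reference"}
    if not live:
        return "no-live-copy"
    if not refs:
        return "no-reference-copy"
    return "match" if live[0] in refs else "mismatch"


# Offline stand-ins: digests of constructed byte strings, not of any real qmgr.dll.
GENUINE = hashlib.sha256(b"constructed stand-in for the current qmgr.dll").hexdigest()
OLDER = hashlib.sha256(b"constructed stand-in for the pre-service-pack qmgr.dll").hexdigest()
FOREIGN = hashlib.sha256(b"constructed stand-in for a replaced file").hexdigest()

CLEAN_TABLE = {
    r"c:\windows\$ntservicepackuninstall$\qmgr.dll": OLDER,
    r"c:\windows\servicepackfiles\i386\qmgr.dll": GENUINE,
    r"c:\windows\system32\qmgr.dll": GENUINE,
    r"c:\windows\system32\bits\qmgr.dll": OLDER,
}
# Same listing, but the live copy has been swapped for something else.
TAMPERED_TABLE = dict(CLEAN_TABLE, **{r"c:\windows\system32\qmgr.dll": FOREIGN})


def table_hasher(table: Dict[str, str]) -> Callable[[str], str]:
    """Looks digests up in a constructed table instead of reading the disk."""
    return lambda path: table[path.lower()]


if __name__ == "__main__":
    # On a live system: hash_copies(open("BITSlook.txt").read(), "qmgr.dll", sha256_of)
    for label, table in (("clean", CLEAN_TABLE), ("tampered", TAMPERED_TABLE)):
        copies = hash_copies(SAMPLE_LISTING, "qmgr.dll", table_hasher(table))
        for path, (bucket, digest) in copies.items():
            print(f"{label:8} {bucket:16} {digest[:12]}  {path}")
        print(f"{label:8} verdict: {verdict(copies)}")
```

The uninstall-backup copy is deliberately not used as a reference: it is the version from before the service pack, so it differs from a healthy live copy for a legitimate reason.
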
Re: Help with malware/trojan/virus removal

Unread postby askey127 » July 1st, 2009, 6:57 pm

asteroid,
Handling the automatic updates shouldn't be too bad after you get the BITS service running.
I would suggest you go to this Microsoft site, validate whatever you have to, download the installer, and re-install the BITS service.
http://www.microsoft.com/downloads/details.aspx?FamilyId=A064BF14-E54C-4E8C-85E7-1E3BE1628B2D&displaylang=en

Then you can check to be sure whether it is running properly (see whether you can start the service).

This service corruption is part of an infection's effort to prevent you from installing Windows Updates.
Let me know how it goes.

If it gets too complicated, I will recommend that you finish up with a specialty Systems forum.
We'll see if it comes to that.
We are malware specialists, but there are a lot of systems experts.

By the way, you may be able to get your updates by going to one of the Windows Updates sites and downloading what you need. That process does not use BITS. http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us

askey127

Re: Help with malware/trojan/virus removal

Unread postby asteroid » July 2nd, 2009, 4:44 am

Thank you.

Yes, a systems expert may be needed.

When trying to download bits I get this message:

'Setup has detected that the Service Pack version of this system is newer than the update you are applying. There is no need to install this update.'

When trying to download updates manually from Microsoft (using Internet Explorer) this morning I got the message:

'The website has encountered a problem and cannot display the page you are trying to view.'
It gives an error number 0x80070002

The Microsoft site gives a couple of solutions for the latter problem but neither of them works.
asteroid