Once again, one of my family's computers has picked up an infection that has defeated me!

This morning, when my dad booted up his laptop to check out something online, he got a whole load of virus warning messages from "XP Home Security 2011". It didn't take me long to realise it was a scareware-type infection, and a quick online search seemed to offer the solution at the McAfee website. Following the instructions there seemed to get rid of it, and after a couple of scans, MBAM showed no trace of the infection. However, Windows Security Centre was still reporting that Auto Update and the Firewall were both disabled (and yes, I know he should have a better firewall than that, but he's in his 70s and struggles a bit with the technical aspects of computing!). AVG showed and removed a trojan, and another online search seemed to offer a solution to the firewall issue. However, the solution that seemed to work for others to restore the firewall hasn't worked in this case.

So here's the situation as it currently stands:

When the computer boots up, the firewall shows as being on, but after a few seconds switches to "Not Monitored", and any attempts to change the settings just brings up the "Windows Firewall settings cannot be displayed because the associated service is not running" message. Also, all attempts to turn on auto updates are being blocked. Both MBAM and AVG show clean, so that makes me think the infection is buried deep somewhere.

I've used Erunt to back up the registry, and tried running DDS. However, DDS starts to run, but then the whole system seems to just hang - Even the clock stops, the whole system becomes unresponsive, and I have to do a hard reboot to get it back. So I'm unable to post a DDS log here at the moment, but am hoping that someone can help out just the same.

System details:
IBM Thinkpad T41 running XP Pro SP3 with all the latest updates.


If it comes to it, I do have a full set of system restore disks, as that's what I had to do with the last infection I had on my similar machine.....

hi lather,

We can see what combofix can dig up. I assume you do not have a 64bit OS. There is a guide to read first. Read through the guide then apply the directions on your own machine. Post the log:

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Thanks for getting back to me. Unfortunately, I've hit a brick wall with ComboFix too!

I downloaded it OK, but for some reason can't deactivate the copy of AVG 9.0 that's installed on the computer, and that's stopping ComboFix from running. I followed all of the instructions on temporarily deactivating AVG to the letter, and that didn't work, so I then tried uninstalling it, and that failed too. I even tried booting in safe mode to see if that helped, but it didn't. According to the AVG user interface, both Anti-Virus and Anti-Spyware are showing as active, although Resident Shield is shown as disabled.

Currently, when I run ComboFix, the installer starts to launch, and then comes up with a pop-up warning that it can't run when AVG is installed, and asking that AVG be uninstalled - Which of course I can't, because the uninstall always fails!!

So it seems like I'm a bit stuck at the moment, and can't seem to get anywhere at all with running any of the programs that could help sort the problem out. It's got me stumped, but hopefully you'll have some idea of where to go from here!

AVG had a uninstaller you can try. See if that will remove it then try running combofix.

AVG remover (http://forums.avg.com/gb-en/avg-free-forum?sec=thread&act=show&id=24401)

OK, the AVG remover worked fine and deleted it from the system. However, I'm still having problems with ComboFix.

With AVG gone, the ComboFix installer ran OK and installed the Windows Recovery Console. ComboFix then created the new restore point and started to prepare to scan. However, once it got to the line about how scan times can double for badly infected machines, it then froze and the whole machine locked up in a similar way to how it locks up when trying to run DDS - The only difference this time is that with ComboFix, the on-screen clock carries on running. With the machine locked up, the only option is another hard reboot. I've tried several times, and each time I try to run ComboFix, the result is exactly the same.

So it seems like whatever is lurking on the machine is stopping both DDS and ComboFix from running their scans and making the machine lock up. So is there anything else I can try, or is it looking more like a complete wipe and reinstall of Windows?

Try running combofix in safe mode. To reach safe mode you would tap the f8 key during a computer restart, chose the first option on the list: safe mode. Log into your usual account. Once at the safe mode desktop try running combofix.

Hadn't thought of trying to run it in Safe Mode, but have done so now. Unfortunately, even in Safe Mode, exactly the same happened again, with ComboFix freezing at the same point as before, followed by the machine locking up and requiring a hard reboot. So it seems that ComboFix, like DDS, won't run in either normal or safe modes...

So, at the moment, it seems like the only scan I can probably run is Mbam, which is still installed and ran OK last time I tried it before my first post in this thread. AVG also ran OK the last time I ran it (again before starting this thread, and its now deleted from the system). But I just can't get either DDS or ComboFix to run, even in Safe Mode, and any attempt to do so causes the machine to lock up.

Sometimes malware tricks can cause apps not to run. In my experience they wont run from the start. Yours just seem to stop in the middle after starting.
Try this;

Please download rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com) by Grinler and save it to your desktop:

Double-click on the Rkill desktop icon to run the tool.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
After its finished try running DDS. If DDS runs post its log, if not continue:

If DDS dosnt run download rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
Double-click on the Rkill.scr desktop icon to run the tool.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
After its finished try running DDS

If DDS dosnt run download eXplorer.exe (http://download.bleepingcomputer.com/grinler/eXplorer.exe)
Double-click on the eXplorer.exe desktop icon to run the tool.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
After its finished try running DDS

If DDS dosnt run download iExplore.exe (http://download.bleepingcomputer.com/grinler/iExplore.exe)
Double-click on the iExplorer.exe desktop icon to run the tool.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
After its finished try running DDS

If DDS dosnt run download uSeRinit.exe (http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe)

Double-click on the uSeRiNiT.exe desktop icon to run the tool.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
After its finished try running DDS

These tools do not delete any malware. They only terminate malware related processes that may be running-allowing you to run DDS or other tools. If you can get DDS to run that will be a start.

Tried all of those versions of Rkill (most of which were already on the machine from previous efforts to get rid of XP Home Security 2011). Unfortunately, none of them have had any effect, and DDS still stalls at the same point as before, followed by the machine locking up and requiring a hard reboot via the power switch.

Each version of Rkill did find and stop one process, C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe, but that's all...

ok yet another download;


Download OTL (http://oldtimer.geekstogo.com/OTL.com) to your desktop or other convenient location.
OTL does not need to be installed, simply click OTL.exe to run.
Click the Quick Scan button.
A log will open in notepad, and OTL.txt will be saved to the same location as OTL.exe (i.e.: desktop)
Please post both logs.

Finally, a scanner that works!! :)

Here's the logs:

OTL logfile created on: 04/06/2011 00:39:21 - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\user\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

766.92 Mb Total Physical Memory | 525.96 Mb Available Physical Memory | 68.58% Memory free
2.21 Gb Paging File | 2.01 Gb Available in Paging File | 91.09% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 19.55 Gb Free Space | 52.46% Space Free | Partition Type: NTFS

Computer Name: USER-27F08180D0 | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/04 00:38:23 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.com
PRC - [2009/12/03 17:44:42 | 000,128,296 | ---- | M] (Synaptics Incorporated) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2009/06/12 10:55:48 | 000,028,672 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\System Update\SUService.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/26 17:34:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
PRC - [2006/11/19 23:04:12 | 000,634,880 | ---- | M] () -- C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanCU.exe
PRC - [2006/06/29 21:57:50 | 000,032,768 | ---- | M] () -- C:\WINDOWS\system32\TpKmpSvc.exe
PRC - [2006/06/16 15:58:42 | 000,426,051 | ---- | M] (Intel Corporation ) -- C:\WINDOWS\system32\S24EvMon.exe
PRC - [2006/06/16 15:55:14 | 000,122,880 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\RegSrvc.exe
PRC - [2006/05/30 15:05:42 | 000,086,016 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
PRC - [2005/07/05 14:57:12 | 000,077,824 | ---- | M] () -- C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
PRC - [2004/10/14 09:11:10 | 001,388,544 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
PRC - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
PRC - [1997/08/19 00:00:00 | 000,111,376 | ---- | M] () -- C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
PRC - [1997/08/19 00:00:00 | 000,051,984 | ---- | M] () -- C:\Program Files\Microsoft Office\Office\OSA.EXE


========== Modules (SafeList) ==========

MOD - [2011/06/04 00:38:23 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.com
MOD - [2010/08/23 17:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (PEVSystemStart)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2009/06/12 10:55:48 | 000,028,672 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)
SRV - [2007/09/26 17:34:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service)
SRV - [2006/06/29 21:57:50 | 000,032,768 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\TpKmpSvc.exe -- (TpKmpSVC)
SRV - [2006/06/16 15:58:42 | 000,426,051 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\WINDOWS\system32\S24EvMon.exe -- (S24EventMonitor)
SRV - [2006/06/16 15:55:14 | 000,122,880 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\WINDOWS\system32\RegSrvc.exe -- (RegSrvc)
SRV - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2009/10/09 12:12:02 | 000,120,360 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\Apsx86.sys -- (Shockprf)
DRV - [2009/10/09 12:10:24 | 000,020,520 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\ApsHM86.sys -- (TPDIGIMN)
DRV - [2007/03/09 02:57:02 | 000,007,168 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TSMAPIP.SYS -- (TSMAPIP)
DRV - [2007/02/19 06:56:46 | 000,021,376 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2007/02/06 23:38:32 | 001,133,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/10/02 01:55:00 | 000,014,848 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SMAPINT.SYS -- (Smapint)
DRV - [2006/10/02 01:55:00 | 000,009,343 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TDSMAPI.SYS -- (TDSMAPI)
DRV - [2006/07/13 12:33:08 | 000,674,560 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w70n51.sys -- (w70n51) Intel(R)
DRV - [2006/06/16 15:50:46 | 000,010,970 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2003/06/27 08:53:44 | 001,196,352 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2002/10/02 09:57:12 | 000,013,532 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SjyPkt.sys -- (SjyPkt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3
FF - prefs.js..extensions.enabledItems: externalip@erik.morlin:0.9.9.6
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/05 11:01:10 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/05 11:01:10 | 000,000,000 | ---D | M]

[2010/07/22 20:53:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Extensions
[2011/06/01 14:58:49 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\d9aw179y.default\extensions
[2010/12/25 21:11:41 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\d9aw179y.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/07/22 22:09:41 | 000,000,000 | ---D | M] (external IP) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\d9aw179y.default\extensions\externalip@erik.morlin
[2011/05/23 15:44:01 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/22 21:52:49 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/10/31 17:40:03 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010/07/22 21:52:39 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/07/23 23:48:05 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2010/09/15 05:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/07/13 22:44:53 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/07/13 22:44:53 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/07/13 22:44:53 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/07/13 22:44:53 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2004/08/04 12:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe ()
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [TP4EX] C:\WINDOWS\System32\TP4EX.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe (Lenovo)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless Configuration Utility HW.15.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanCU.exe ()
O4 - Startup: C:\Documents and Settings\user\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\user\Start Menu\Programs\Startup\Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - Reg Error: Key error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - Explorer.exe ()
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - File not found
O20 - Winlogon\Notify\tpfnf2: DllName - notifyf2.dll - C:\WINDOWS\System32\notifyf2.dll ()
O20 - Winlogon\Notify\tphotkey: DllName - tphklock.dll - C:\WINDOWS\System32\tphklock.dll ()
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/06/16 09:52:55 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/04 00:38:23 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.com
[2011/06/03 00:31:16 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/06/02 10:22:46 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/06/02 10:20:08 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/06/02 10:20:08 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/06/02 10:20:08 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/06/02 10:20:08 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/06/02 10:08:20 | 000,718,104 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\user\Desktop\avgremover.exe
[2011/06/01 15:03:15 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/06/01 14:52:02 | 004,109,346 | R--- | C] (Swearware) -- C:\Documents and Settings\user\Desktop\ComboFix.exe
[2011/05/26 16:45:02 | 000,000,000 | R--D | C] -- C:\Documents and Settings\user\My Documents\My Videos
[2011/05/26 16:45:02 | 000,000,000 | R--D | C] -- C:\Documents and Settings\user\Start Menu\Programs\Administrative Tools
[2011/05/26 16:44:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/05/26 16:42:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2011/05/26 16:42:52 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/05/26 16:40:47 | 000,606,738 | R--- | C] (Swearware) -- C:\Documents and Settings\user\Desktop\dds.scr
[2011/05/26 16:39:18 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\user\Desktop\erunt-setup.exe
[2011/05/26 15:35:27 | 000,000,000 | -H-D | C] -- C:\$AVG
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/06/04 00:38:23 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.com
[2011/06/04 00:36:35 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/06/04 00:35:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/06/03 16:32:40 | 000,003,584 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/03 15:27:38 | 001,007,108 | ---- | M] () -- C:\Documents and Settings\user\Desktop\uSeRiNiT.exe
[2011/06/03 15:27:26 | 001,007,108 | ---- | M] () -- C:\Documents and Settings\user\Desktop\eXplorer.exe
[2011/06/03 15:27:10 | 001,007,108 | ---- | M] () -- C:\Documents and Settings\user\Desktop\iExplore.exe
[2011/06/02 10:22:56 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/06/02 10:08:21 | 000,718,104 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\user\Desktop\avgremover.exe
[2011/06/01 14:52:10 | 004,109,346 | R--- | M] (Swearware) -- C:\Documents and Settings\user\Desktop\ComboFix.exe
[2011/05/26 16:43:22 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\user\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/05/26 16:42:57 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\user\Desktop\ERUNT.lnk
[2011/05/26 16:40:48 | 000,606,738 | R--- | M] (Swearware) -- C:\Documents and Settings\user\Desktop\dds.scr
[2011/05/26 16:39:19 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\user\Desktop\erunt-setup.exe
[2011/05/26 11:03:54 | 000,010,276 | -HS- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\5111732e22216eo0mc0417
[2011/05/26 11:03:54 | 000,010,276 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\5111732e22216eo0mc0417
[2011/05/26 11:03:11 | 001,007,108 | ---- | M] () -- C:\Documents and Settings\user\Desktop\rkill.scr
[2011/05/26 11:02:53 | 001,007,108 | ---- | M] () -- C:\Documents and Settings\user\Desktop\rkill.com
[2011/05/26 11:00:35 | 000,001,134 | ---- | M] () -- C:\Documents and Settings\user\Desktop\FixNCR.reg
[2011/05/25 22:08:43 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\user\Application Data\889143.exe
[2011/05/25 22:08:43 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\user\Application Data\8879796.exe
[2011/05/25 22:08:43 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\user\Application Data\6874230.exe
[2011/05/25 22:08:43 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\user\Application Data\2581366.exe
[2011/05/18 22:52:31 | 001,150,976 | -H-- | M] () -- C:\ffastun0.ffx
[2011/05/18 22:52:31 | 000,229,376 | -H-- | M] () -- C:\ffastun.ffl
[2011/05/18 22:52:31 | 000,102,400 | -H-- | M] () -- C:\ffastun.ffo
[2011/05/18 22:52:31 | 000,005,196 | -H-- | M] () -- C:\ffastun.ffa
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/06/03 16:32:40 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/03 15:27:35 | 001,007,108 | ---- | C] () -- C:\Documents and Settings\user\Desktop\uSeRiNiT.exe
[2011/06/03 15:27:09 | 001,007,108 | ---- | C] () -- C:\Documents and Settings\user\Desktop\iExplore.exe
[2011/06/03 14:27:14 | 001,007,108 | ---- | C] () -- C:\Documents and Settings\user\Desktop\eXplorer.exe
[2011/06/02 10:22:55 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/06/02 10:22:51 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/06/02 10:20:08 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/06/02 10:20:08 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/06/02 10:20:08 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/06/02 10:20:08 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/06/02 10:20:08 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/05/26 16:43:22 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\user\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/05/26 16:42:57 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\user\Desktop\ERUNT.lnk
[2011/05/26 11:10:02 | 001,007,108 | ---- | C] () -- C:\Documents and Settings\user\Desktop\rkill.scr
[2011/05/26 11:10:02 | 001,007,108 | ---- | C] () -- C:\Documents and Settings\user\Desktop\rkill.com
[2011/05/26 11:09:57 | 000,001,134 | ---- | C] () -- C:\Documents and Settings\user\Desktop\FixNCR.reg
[2011/05/25 22:08:44 | 000,010,276 | -HS- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\5111732e22216eo0mc0417
[2011/05/25 22:08:44 | 000,010,276 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\5111732e22216eo0mc0417
[2011/05/25 22:08:43 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\user\Application Data\889143.exe
[2011/05/25 22:08:43 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\user\Application Data\8879796.exe
[2011/05/25 22:08:43 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\user\Application Data\6874230.exe
[2011/05/25 22:08:43 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\user\Application Data\2581366.exe
[2010/12/25 22:05:41 | 000,000,369 | ---- | C] () -- C:\WINDOWS\Hornby.INI
[2010/12/25 21:09:05 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2010/07/22 21:11:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\WINHELP.INI
[2010/07/22 20:53:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/07/22 20:51:21 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall.exe
[2010/07/22 20:51:21 | 000,036,104 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpowerAMP Music Converter.dat
[2010/06/16 11:30:17 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\FPCALL.dll
[2010/06/16 11:27:29 | 000,009,343 | ---- | C] () -- C:\WINDOWS\System32\drivers\TDSMAPI.SYS
[2010/06/16 11:25:44 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\TpKmpSvc.exe
[2010/06/16 10:30:45 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/06/16 10:29:16 | 000,212,080 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/16 09:56:19 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/06/16 09:49:14 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/06/16 16:09:52 | 000,045,124 | ---- | C] () -- C:\WINDOWS\System32\LsaWrApi.dll
[2006/06/16 15:57:32 | 000,528,453 | ---- | C] () -- C:\WINDOWS\System32\C1XStngs.dll
[2006/06/16 15:56:10 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\D8021Xps.dll
[2005/11/30 20:16:02 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\tphklock.dll
[2005/07/05 23:45:08 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\notifyf2.dll
[2005/04/08 17:42:06 | 000,087,540 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2005/01/13 03:00:14 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2005/01/13 03:00:10 | 000,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2004/08/04 12:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 12:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 12:00:00 | 000,432,690 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 12:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 12:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 12:00:00 | 000,067,646 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 12:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 12:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 12:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 12:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 12:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 12:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[1997/08/19 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1997/08/19 00:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL
[1995/07/20 00:00:00 | 000,053,760 | ---- | C] () -- C:\WINDOWS\System32\OPENENU.DLL
[1995/07/20 00:00:00 | 000,006,352 | ---- | C] () -- C:\WINDOWS\System32\VISXUTIL.DLL

========== LOP Check ==========

[2011/06/02 10:15:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2011/03/14 20:48:11 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files

========== Purity Check ==========



< End of report >

Here's the second log:

OTL Extras logfile created on: 04/06/2011 00:39:21 - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\user\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

766.92 Mb Total Physical Memory | 525.96 Mb Available Physical Memory | 68.58% Memory free
2.21 Gb Paging File | 2.01 Gb Available in Paging File | 91.09% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 19.55 Gb Free Space | 52.46% Space Free | Partition Type: NTFS

Computer Name: USER-27F08180D0 | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe
"C:\DOCUME~1\user\LOCALS~1\Temp\pw2o9i05_wait.exe" = C:\DOCUME~1\user\LOCALS~1\Temp\pw2o9i05_wait.exe:*:Enabled:ldrsoft -- (Sun Microsystems, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{1297C681-92D7-40EF-93BF-03F66EC5105C}" = ThinkPad EasyEject Utility
"{17CBC505-D1AE-459D-B445-3D2000A85842}" = ThinkPad UltraNav Utility
"{2111B23F-7FDA-4A41-8309-E5A1663CA296}" = ThinkPad Keyboard Customizer Utility
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java(TM) 6 Update 22
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{46A84694-59EC-48F0-964C-7E76E9F8A2ED}" = ThinkVantage Active Protection System
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{67D7BC74-E8DF-4811-9B41-6023A8C9BB3F}" = Intel(R) Sebring API
"{77086DA4-957D-11D6-8FD3-004854516C39}" = Hornby Virtual Railway Add-On Pack 2
"{82512BC9-BD5D-4C50-BE4D-B98E7DF78687}" = ThinkPad UltraNav Wizard
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8675339C-128C-44DD-83BF-0A5D6ABD8297}" = System Update
"{87FA7400-6AF4-11D5-8FCA-024C41534154}" = Hornby Virtual Railway Add-On Pack 1
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4D7B764-4140-11D4-88EB-0050DA3579C0}" = Nero - Burning Rom
"{A7B42408-C6FB-11D6-8FD4-004854516C39}" = Hornby Virtual Railway Add-On Pack 3
"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.0
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{EA664480-3844-11D5-8C25-444553540000}" = TrackPoint Accessibility Features
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F266A90C-3F4A-4F65-9901-3DBBB0D77D80}" = 802.11g Wireless Adapter HW.15 V.1.00
"{FC081D4D-DF1B-4CF1-B530-027E4118D846}" = ThinkPad Configuration
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Agere Systems Soft Modem" = Agere Systems AC'97 Modem
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"Audacity_is1" = Audacity 1.2.6
"dBpowerAMP Music Converter" = dBpowerAMP Music Converter
"ERUNT_is1" = ERUNT 1.1j
"Excel" = Microsoft Excel 7.0
"FLV Player" = FLV Player 2.0 (build 25)
"Hornby Virtual Railway" = Hornby Virtual Railway
"ie8" = Windows Internet Explorer 8
"InstallShield_{F266A90C-3F4A-4F65-9901-3DBBB0D77D80}" = 802.11g Wireless Adapter HW.15 V.1.00
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.17)" = Mozilla Firefox (3.6.17)
"Power Management Driver" = ThinkPad Power Management Driver
"Presentation Director" = ThinkPad Presentation Director
"PROSet" = Intel(R) PRO Network Connections Drivers
"Shockwave 7.0.3 Player" = Shockwave 7.0.3 Player
"Superscape 3D Control" = Superscape 3D Control
"SynTPDeinstKey" = ThinkPad UltraNav Driver
"ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"Windows XP Service Pack" = Windows XP Service Pack 3
"Word8.0" = Microsoft Word 97
"xp-AntiSpy" = xp-AntiSpy 3.92

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 26/02/2011 15:11:19 | Computer Name = USER-27F08180D0 | Source = Application Error | ID = 1000
Description = Faulting application Setup.exe, version 0.0.0.0, faulting module Setup.exe,
version 0.0.0.0, fault address 0x00037002.

Error - 09/03/2011 16:50:50 | Computer Name = USER-27F08180D0 | Source = ESENT | ID = 490
Description = svchost (1328) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 09/03/2011 16:50:50 | Computer Name = USER-27F08180D0 | Source = ESENT | ID = 439
Description = Catalog Database (1328) Unable to write a shadowed header for file
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb. Error
-1032.

Error - 09/03/2011 16:50:51 | Computer Name = USER-27F08180D0 | Source = ESENT | ID = 473
Description = Catalog Database (1328) Database C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
was partially detached. Error -1032 encountered updating database headers.

Error - 25/05/2011 17:08:56 | Computer Name = USER-27F08180D0 | Source = Application Error | ID = 1000
Description = Faulting application pw2o9i05_wait.exe, version 6.0.220.4, faulting
module pw2o9i05_wait.exe, version 6.0.220.4, fault address 0x0000410a.

Error - 02/06/2011 06:15:57 | Computer Name = USER-27F08180D0 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 0.0.0.0, faulting module
, version 0.0.0.0, fault address 0x00000000.

[ System Events ]
Error - 02/06/2011 19:26:17 | Computer Name = USER-27F08180D0 | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 02/06/2011 19:26:17 | Computer Name = USER-27F08180D0 | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 02/06/2011 19:26:17 | Computer Name = USER-27F08180D0 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Smapint Tcpip TDSMAPI TPHKDRV TSMAPIP

Error - 02/06/2011 19:28:16 | Computer Name = USER-27F08180D0 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 02/06/2011 19:29:58 | Computer Name = USER-27F08180D0 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 02/06/2011 19:31:01 | Computer Name = USER-27F08180D0 | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31

Error - 02/06/2011 19:31:01 | Computer Name = USER-27F08180D0 | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 02/06/2011 19:31:01 | Computer Name = USER-27F08180D0 | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 02/06/2011 19:31:02 | Computer Name = USER-27F08180D0 | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 02/06/2011 19:31:02 | Computer Name = USER-27F08180D0 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Smapint Tcpip TDSMAPI TPHKDRV TSMAPIP


< End of report >

Ok. To help show all files do this:

On the desktop double click my computer, at the top click on> tools>folder options>view> then select "show hidden files and folders", then UNcheck "hide protected operating system files " also UNcheck "hide extensions for known file types" click apply to all folders, apply then ok.

Right click on start and using explorer navigate to:
C:\Documents and Settings\user\Application Data
then pick out any two of these .exe:

889143.exe
8879796.exe
6874230.exe
2581366.exe

Go to here (http://www.bleepingcomputer.com/submit-malware.php?channel=67) and upload them one by one by using the browse button on the website to locate the .exe then the Send File button to upload them.
I will check them out as soon as I can.
Hopefully it will amount to something. Since you dont have a active AV installed I would stay off the internet as much as possible for now also.

Tried uploading the files you requested, but all of the upload attemps failed because all four are zero-byte files.

And don't worry about any unnessecary internet use - There's more than one computer in the house, and the infected machine is only connected as and when needed to do whatever is requested here.

Not much there as far as malware goes. You still have the problem with Windows firewall that you described originally?
You can also do a online scan as another check for malware;

ESET online scanner:

http://www.eset.com/onlinescan/

Use Internet Explorer
check "YES" to accept terms
click start button
allow the ActiveX component to install
click the start button. the Scanner will update.
check both "Remove found threats" and "Scan archives" Leave the defaults checked under Advanced settings
click scan. When it completes click "List found threats"
click "Export to text file.." and save it to your desktop. Post the saved log.
Click "back" and "finish"

Yes, still having the same problem with the firewall showing as "Not Monitored" and getting the message about the ICS service not running.

Here's the ESET log:

C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\54\4fae7cb6-20801779 a variant of Win32/Kryptik.OEV trojan deleted - quarantined
C:\Documents and Settings\user\Local Settings\Temp\pw2o9i05_wait.exe a variant of Win32/Kryptik.OEV trojan deleted - quarantined

ok, not much there from the Eset scan. You can delete those .exe
files you tried to upload.
Try this:

start>run and type in cmd
At the DOS prompt type in Netsh firewall reset
click enter

Next go to start>run and type in firewall.cpl
In the firewall window make sure its selected as ON

OK, tried that, and it all seemed to go fine until I got as far as typing in firewall.cpl and clicking OK. At that point, instead of the firewall control panel window, I got the same old pop-up message saying that the firewall settings could not be displayed because the associated service is not running, and asking if I wanted to start the ICS service. Not knowing what to do next, I picked the safe option of "No", which cancels the message. Should I still be getting that message, or is that an indication that there's still a problem of some kind?

Starting the service was going to be the next step if the previous ones didnt work. So...
Go to start>run and type in services.msc and click ok or enter
Windows service panel will open.
Under the name column find Windows firewall/Internet connection Sharing (ICS)

Right click on it and select properties:
Under the start up type: make sure its set to automatic, if its not change it
For service status: make sure its started, if its not change using the Start button. Click Apply ok after the changes. A reboot of the machine wouldnt hurt.

That should start the service, see how it goes.

OK, the firewall is now up and running, and Windows Security Centre shows it as being on!

At present, there's no AV software installed, as AVG was removed to allow other programs to run, and Windows Security Centre is showing AV as "Not Monitored" - I'm sure that, in the past with other machines that haven't had AV installed yet, it has said "Not Installed", rather than "Not Monitored", so of course that's still making me a little suspicious...

go ahead and get a AV on the machine. Some other choices other than AVG, up to you really. I would do a full scan of the machine after you get one installed. Then we will get one more download as a check for malware.

Avast (http://www.avast.com/free-antivirus-download)
Avira (http://www.avira.com/en/avira-free-antivirus)
Panda (http://www.cloudantivirus.com/en/)
MS Security Essentials (http://www.microsoft.com/en-us/security_essentials/default.aspx)

Just tried installing AVG, and the installation failed with the same error message I got when attempting to uninstall it.

Here's the error message:

Local machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Access is denied.


Haven't tried any of the alternatives you listed, as I'd prefer to stick with AVG if possible - I'm familiar with it, and it has come out top in tests of free AV in the main computer magazine I tend to read.

So is that error message indicating that there's still a problem lurking, or is it just a case of a settings change needed somewhere?

Download and run this (http://www.avg.com/filedir/util/support/reset_access_avg9_en.exe). See if that helps

OK, AVG 9 now installed, but not updated to the very latest version - For some reason, it says that no newer updates are available even though its at v9.0.872 and I know that my own machine running AVG is at v9.0.901. Also the virus DB isn't updating to the very latest version either. However, I guess that's an issue for the AVG support forum, not here...

But, anyway, AV is now installed and running (if not fully updated). So what's the next step?

another download;

Download Gmer (http://www2.gmer.net/gmer.zip) utility and save to your desktop.
Extract the contents of the zipped file to your desktop
Double click GMER.exe to start.
If it gives you a warning about rootkit activity and asks if you want to run a scan...select--> NO

In the right panel, you will see several boxes that, by default, have already been checked. Please mkae sure the following are not checked.

* IAT/EAT
* Drives/Partition other than your main System drive (typically C:\)
* Show All
click the Scan button & wait for it to finish.
Please dont use the computer while Gmer is running.

When the scan is complete, click Save and save the log to your desktop. Post the log in your reply.

Tried running Gmer, but hit another problem. Partway through the scan, just as it's scanning the system resore info, the system goes to one of the dreaded blue screens. This one has a whole load of text all over it, and disappears so quickly that the only bit I can really read is the bit saying something like

"A problem has been detected and Windows is being shut down to prevent damage to your computer"

The system then reboots, and comes back with the old message box about how Windows had recovered from a serious error.

Ok. Run this utility instead:

Please download TDSS Killer.exe (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your desktop
Double click to launch the utility. After it initializes click the start scan button.

Once the scan completes you can click the continue button.

"The utility will automatically select an action (Cure or Delete) for known malcious objects. A suspicious object will be skipped by default."

"After clicking Next, the utility applies selected actions and outputs the result."

"A reboot might require after disinfection."

A report will be found in your Root drive Local Disk (C) as TDSSKiller.2.4.2.1_09.08.2010_17.32.21_log.txt (name, version, date, time)
Please post the log report

Ran the program, but it didn't seem to find anything...

Here's the log:

2011/06/11 19:39:19.0385 3972 TDSS rootkit removing tool 2.5.4.0 Jun 7 2011 17:31:48
2011/06/11 19:39:20.0357 3972 ================================================================================
2011/06/11 19:39:20.0377 3972 SystemInfo:
2011/06/11 19:39:20.0377 3972
2011/06/11 19:39:20.0377 3972 OS Version: 5.1.2600 ServicePack: 3.0
2011/06/11 19:39:20.0377 3972 Product type: Workstation
2011/06/11 19:39:20.0377 3972 ComputerName: USER-27F08180D0
2011/06/11 19:39:20.0377 3972 UserName: user
2011/06/11 19:39:20.0377 3972 Windows directory: C:\WINDOWS
2011/06/11 19:39:20.0377 3972 System windows directory: C:\WINDOWS
2011/06/11 19:39:20.0377 3972 Processor architecture: Intel x86
2011/06/11 19:39:20.0377 3972 Number of processors: 1
2011/06/11 19:39:20.0377 3972 Page size: 0x1000
2011/06/11 19:39:20.0377 3972 Boot type: Normal boot
2011/06/11 19:39:20.0377 3972 ================================================================================
2011/06/11 19:39:25.0915 3972 Initialize success
2011/06/11 19:39:30.0752 3388 ================================================================================
2011/06/11 19:39:30.0752 3388 Scan started
2011/06/11 19:39:30.0752 3388 Mode: Manual;
2011/06/11 19:39:30.0752 3388 ================================================================================
2011/06/11 19:39:40.0626 3388 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/06/11 19:39:48.0417 3388 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/06/11 19:39:53.0484 3388 aeaudio (9f59ae2de835641fbb0c6afd80d8fa9b) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/06/11 19:39:56.0629 3388 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/06/11 19:39:59.0413 3388 AegisP (58a8273918eef2bf9204b12ed171513a) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/06/11 19:40:01.0846 3388 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/06/11 19:40:05.0402 3388 AgereSoftModem (aff071b6290776e1fa162837c35eac78) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2011/06/11 19:40:14.0925 3388 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/06/11 19:41:10.0996 3388 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/06/11 19:41:20.0450 3388 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/06/11 19:41:40.0899 3388 ati2mtag (5719f857136ee618f6ec7a5ccd9fb7ab) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/06/11 19:41:47.0659 3388 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/06/11 19:41:50.0543 3388 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/06/11 19:41:52.0526 3388 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\system32\Drivers\avgldx86.sys
2011/06/11 19:41:54.0559 3388 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\system32\Drivers\avgmfx86.sys
2011/06/11 19:41:57.0853 3388 AvgTdiX (9a7a93388f503a34e7339ae7f9997449) C:\WINDOWS\system32\Drivers\avgtdix.sys
2011/06/11 19:42:02.0690 3388 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/06/11 19:42:04.0383 3388 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/06/11 19:42:15.0569 3388 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/06/11 19:42:30.0040 3388 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/06/11 19:42:46.0794 3388 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/06/11 19:43:17.0668 3388 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/06/11 19:43:40.0571 3388 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/06/11 19:44:34.0008 3388 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/06/11 19:44:39.0516 3388 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/06/11 19:44:45.0004 3388 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/06/11 19:44:49.0680 3388 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/06/11 19:44:55.0649 3388 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/06/11 19:45:08.0537 3388 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/06/11 19:45:13.0815 3388 E1000 (4de4bae4accb5a49fa85801d4f226355) C:\WINDOWS\system32\DRIVERS\e1000325.sys
2011/06/11 19:45:16.0940 3388 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/06/11 19:45:19.0684 3388 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/06/11 19:45:22.0858 3388 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/06/11 19:45:25.0031 3388 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/06/11 19:45:27.0144 3388 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/06/11 19:45:30.0018 3388 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/06/11 19:45:33.0353 3388 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/06/11 19:45:37.0159 3388 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/06/11 19:45:42.0126 3388 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/06/11 19:46:12.0529 3388 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/06/11 19:46:17.0296 3388 IBMPMDRV (400d7095d5ae08970f839bcac1843106) C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys
2011/06/11 19:46:22.0574 3388 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/06/11 19:46:40.0309 3388 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/06/11 19:46:46.0458 3388 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/06/11 19:46:50.0774 3388 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/06/11 19:46:54.0139 3388 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/06/11 19:46:56.0603 3388 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/06/11 19:46:58.0956 3388 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/06/11 19:47:01.0079 3388 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/06/11 19:47:03.0262 3388 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
2011/06/11 19:47:05.0726 3388 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/06/11 19:47:07.0909 3388 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/06/11 19:47:10.0162 3388 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/06/11 19:47:12.0325 3388 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/06/11 19:47:14.0809 3388 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/06/11 19:47:19.0436 3388 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/06/11 19:47:22.0560 3388 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/06/11 19:47:25.0414 3388 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/06/11 19:47:27.0888 3388 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/06/11 19:47:32.0995 3388 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/06/11 19:47:35.0879 3388 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/06/11 19:47:38.0213 3388 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/06/11 19:47:41.0107 3388 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/06/11 19:47:43.0671 3388 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/06/11 19:47:46.0304 3388 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/06/11 19:47:48.0688 3388 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/06/11 19:47:51.0532 3388 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/06/11 19:47:53.0845 3388 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/06/11 19:47:56.0169 3388 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/06/11 19:47:58.0302 3388 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/06/11 19:48:00.0965 3388 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/06/11 19:48:03.0609 3388 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/06/11 19:48:05.0822 3388 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/06/11 19:48:08.0436 3388 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/06/11 19:48:11.0521 3388 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/06/11 19:48:14.0655 3388 NSCIRDA (2adc0ca9945c65284b3d19bc18765974) C:\WINDOWS\system32\DRIVERS\nscirda.sys
2011/06/11 19:48:17.0579 3388 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/06/11 19:48:20.0534 3388 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/06/11 19:48:22.0947 3388 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/06/11 19:48:26.0041 3388 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/06/11 19:48:29.0597 3388 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/06/11 19:48:33.0212 3388 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/06/11 19:48:36.0887 3388 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/06/11 19:48:39.0411 3388 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/06/11 19:48:45.0029 3388 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/06/11 19:48:47.0873 3388 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/06/11 19:49:07.0080 3388 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/06/11 19:49:09.0905 3388 psadd (651d3abc1d82d61b6cfb40cb947b3db3) C:\WINDOWS\system32\DRIVERS\psadd.sys
2011/06/11 19:49:12.0709 3388 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/06/11 19:49:15.0152 3388 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/06/11 19:49:31.0175 3388 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/06/11 19:49:34.0199 3388 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
2011/06/11 19:49:36.0823 3388 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/06/11 19:49:39.0527 3388 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/06/11 19:49:42.0061 3388 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/06/11 19:49:44.0564 3388 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/06/11 19:49:47.0489 3388 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/06/11 19:49:50.0263 3388 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/06/11 19:49:52.0686 3388 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/06/11 19:49:54.0649 3388 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/06/11 19:49:57.0223 3388 rtl8185 (88b63f291ae10c1b66d2b9ed6921a7df) C:\WINDOWS\system32\DRIVERS\rtl8185.sys
2011/06/11 19:49:59.0796 3388 s24trans (d40f1e33d9153df7f5e2881b1f9c56e9) C:\WINDOWS\system32\DRIVERS\s24trans.sys
2011/06/11 19:50:02.0731 3388 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/06/11 19:50:05.0034 3388 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/06/11 19:50:07.0477 3388 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/06/11 19:50:09.0500 3388 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/06/11 19:50:11.0513 3388 Shockprf (486a1bd22dd66d0a8542ebb0cd792bdb) C:\WINDOWS\system32\DRIVERS\Apsx86.sys
2011/06/11 19:50:15.0359 3388 SjyPkt (3d7ef286e806f9bd9339aa52e28dcd67) C:\WINDOWS\System32\Drivers\SjyPkt.sys
2011/06/11 19:50:18.0233 3388 Smapint (26341d0dd225d19fd50e0ee3c3c77502) C:\WINDOWS\system32\drivers\Smapint.sys
2011/06/11 19:50:20.0266 3388 smwdm (1319ea66a96250d59665d133c0ff7cd0) C:\WINDOWS\system32\drivers\smwdm.sys
2011/06/11 19:50:25.0313 3388 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/06/11 19:50:27.0917 3388 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/06/11 19:50:31.0141 3388 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/06/11 19:50:33.0675 3388 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/06/11 19:50:36.0880 3388 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/06/11 19:50:45.0822 3388 SynTP (0953d53a2d272de4c4be1e6c6a2c90d4) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/06/11 19:50:47.0635 3388 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/06/11 19:50:51.0060 3388 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/06/11 19:50:54.0365 3388 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/06/11 19:50:57.0670 3388 TDSMAPI (564b337034271b7bddcabfddc91c6b7a) C:\WINDOWS\system32\drivers\TDSMAPI.SYS
2011/06/11 19:50:59.0682 3388 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/06/11 19:51:01.0886 3388 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/06/11 19:51:05.0791 3388 TPDIGIMN (20a439d6475d6fe1909159c0143d0466) C:\WINDOWS\system32\DRIVERS\ApsHM86.sys
2011/06/11 19:51:07.0393 3388 TPHKDRV (29f3601d4233a53f819010fee8c04a60) C:\WINDOWS\system32\drivers\TPHKDRV.sys
2011/06/11 19:51:09.0126 3388 TSMAPIP (f2aba3066d7921d7fcdbd66dea88be11) C:\WINDOWS\system32\drivers\TSMAPIP.SYS
2011/06/11 19:51:10.0999 3388 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/06/11 19:51:14.0313 3388 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/06/11 19:51:16.0096 3388 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/06/11 19:51:17.0678 3388 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/06/11 19:51:19.0301 3388 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/06/11 19:51:20.0913 3388 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/06/11 19:51:22.0535 3388 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/06/11 19:51:25.0790 3388 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/06/11 19:51:27.0653 3388 w70n51 (8e5cf571c00c806ed7c08dbb74356646) C:\WINDOWS\system32\DRIVERS\w70n51.sys
2011/06/11 19:51:29.0495 3388 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/06/11 19:51:31.0518 3388 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
2011/06/11 19:51:34.0843 3388 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/06/11 19:51:35.0093 3388 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/06/11 19:51:35.0304 3388 ================================================================================
2011/06/11 19:51:35.0304 3388 Scan finished
2011/06/11 19:51:35.0304 3388 ================================================================================
2011/06/11 19:51:35.0344 1544 Detected object count: 0
2011/06/11 19:51:35.0344 1544 Actual detected object count: 0

Tdsskiller didnt find anything, this is good of course. You can try running Gmer in safe mode. To reach safe mode you would tap the f8 key during a computer restart, chose the first option from the list; safe mode. Log into your usual account. Once at the safe mode desktop try running Gmer.

Booting into Safe Mode seemed to do the trick for Gmer - Here's the log:

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-13 00:36:51
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 TOSHIBA_MK4026GAX rev.PA106E
Running: gmer.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\awacipog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Not much in the Gmer log. Not seeing any malware which is good and the firewall is now functioning. How is it looking on your end.

Looks OK - It boots up no problem, seems stable, nothing unexpected seems to be happening, it doesn't seem unusually slow, and shuts down fine too.

Any other checks or scans to run?

Ok as another check for a rootkit you can run this:

Download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe).exe to your desktop.

Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
On completion of the scan click save log, save it to your desktop and post in your next reply.

Done the scan, here's the log:

aswMBR version 0.9.6.399 Copyright(c) 2011 AVAST Software
Run date: 2011-06-15 13:30:04
-----------------------------
13:30:04.763 OS Version: Windows 5.1.2600 Service Pack 3
13:30:04.763 Number of processors: 1 586 0x905
13:30:04.763 ComputerName: USER-27F08180D0 UserName: user
13:30:06.315 Initialize success
13:30:17.351 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:30:17.351 Disk 0 Vendor: TOSHIBA_MK4026GAX PA106E Size: 38154MB BusType: 3
13:30:17.371 Disk 0 MBR read successfully
13:30:17.371 Disk 0 MBR scan
13:30:17.371 Disk 0 Windows XP default MBR code
13:30:17.381 Disk 0 scanning sectors +78140160
13:30:17.391 Disk 0 scanning C:\WINDOWS\system32\drivers
13:30:42.948 Service scanning
13:30:46.303 Disk 0 trace - called modules:
13:30:46.323 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
13:30:46.323 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82f6dab8]
13:30:46.323 3 CLASSPNP.SYS[f75a0fd7] -> nt!IofCallDriver -> \Device\00000079[0x82f50138]
13:30:46.323 5 ACPI.sys[f7517620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82f05d98]
13:30:46.323 Scan finished successfully
13:47:27.372 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\user\Desktop\MBR.dat"
13:47:27.382 The log file has been saved successfully to "C:\Documents and Settings\user\Desktop\aswMBR.txt"

hi,

Looks like we are done. You can double click the OTL icon then click the CleanUp button. That should remove alot to the tools we used. Not sure about Tdsskiller or aswMBR. You can delete those icons and logs if OTL dosnt get them for you.
You can also make a new restore point. The how and the why:

One of the features of Windows XP, Vista and Windows7 is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning ok.



To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.


(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.(creates a new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot

And last, some tips for you:

10 Tips for Prevention and Avoidance of Malware:
There is no reason why your computer can not stay malware free.

No software can think for you. Help yourself. In no special order:

1) It is essential to keep your operating system (Windows) browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update (http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us) frequently or use the Windows auto-update feature. (http://www.microsoft.com/windows/downloads/windowsupdate/automaticupdate.mspx) Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader, iTunes etc. More and more third party applications are being targeted. Use the auto-update features available in most software. Not sure if you are using the latest version of software? Check their version status and get the updates here. (http://secunia.com/vulnerability_scanning/online/)

2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this. See also the signs (http://www.malwarevault.com/signs.html)that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then its time to *review your computer habits*.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks (http://www.fraud.org/tips/internet/phishing.htm).

5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) Your browser risks: The why and how (http://www.cert.org/tech_tips/securing_browser/) to secure your browser for safer surfing.

10) Warez, cracks etc are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks you will encounter malware. Can you really trust the source of the file?


More info/tips with pictures, links below

Happy Safe Surfing.

OK, thanks for all the help!

And yes, I will reset the restore point - Was going to do that anyway once the system was clean, so that there's a new baseline point to work from.