Help needed - Infection even preventing DDS from running

lather

New member
Once again, one of my family's computers has picked up an infection that has defeated me!

This morning, when my dad booted up his laptop to check out something online, he got a whole load of virus warning messages from "XP Home Security 2011". It didn't take me long to realise it was a scareware-type infection, and a quick online search seemed to offer the solution at the McAfee website. Following the instructions there seemed to get rid of it, and after a couple of scans, MBAM showed no trace of the infection. However, Windows Security Centre was still reporting that Auto Update and the Firewall were both disabled (and yes, I know he should have a better firewall than that, but he's in his 70s and struggles a bit with the technical aspects of computing!). AVG showed and removed a trojan, and another online search seemed to offer a solution to the firewall issue. However, the solution that seemed to work for others to restore the firewall hasn't worked in this case.

So here's the situation as it currently stands:

When the computer boots up, the firewall shows as being on, but after a few seconds switches to "Not Monitored", and any attempts to change the settings just brings up the "Windows Firewall settings cannot be displayed because the associated service is not running" message. Also, all attempts to turn on auto updates are being blocked. Both MBAM and AVG show clean, so that makes me think the infection is buried deep somewhere.

I've used Erunt to back up the registry, and tried running DDS. However, DDS starts to run, but then the whole system seems to just hang - Even the clock stops, the whole system becomes unresponsive, and I have to do a hard reboot to get it back. So I'm unable to post a DDS log here at the moment, but am hoping that someone can help out just the same.

System details:
IBM Thinkpad T41 running XP Pro SP3 with all the latest updates.


If it comes to it, I do have a full set of system restore disks, as that's what I had to do with the last infection I had on my similar machine.....
 
hi lather,

We can see what combofix can dig up. I assume you do not have a 64bit OS. There is a guide to read first. Read through the guide then apply the directions on your own machine. Post the log:

Guide to using Combofix
 
Thanks for getting back to me. Unfortunately, I've hit a brick wall with ComboFix too!

I downloaded it OK, but for some reason can't deactivate the copy of AVG 9.0 that's installed on the computer, and that's stopping ComboFix from running. I followed all of the instructions on temporarily deactivating AVG to the letter, and that didn't work, so I then tried uninstalling it, and that failed too. I even tried booting in safe mode to see if that helped, but it didn't. According to the AVG user interface, both Anti-Virus and Anti-Spyware are showing as active, although Resident Shield is shown as disabled.

Currently, when I run ComboFix, the installer starts to launch, and then comes up with a pop-up warning that it can't run when AVG is installed, and asking that AVG be uninstalled - Which of course I can't, because the uninstall always fails!!

So it seems like I'm a bit stuck at the moment, and can't seem to get anywhere at all with running any of the programs that could help sort the problem out. It's got me stumped, but hopefully you'll have some idea of where to go from here!
 
OK, the AVG remover worked fine and deleted it from the system. However, I'm still having problems with ComboFix.

With AVG gone, the ComboFix installer ran OK and installed the Windows Recovery Console. ComboFix then created the new restore point and started to prepare to scan. However, once it got to the line about how scan times can double for badly infected machines, it then froze and the whole machine locked up in a similar way to how it locks up when trying to run DDS - The only difference this time is that with ComboFix, the on-screen clock carries on running. With the machine locked up, the only option is another hard reboot. I've tried several times, and each time I try to run ComboFix, the result is exactly the same.

So it seems like whatever is lurking on the machine is stopping both DDS and ComboFix from running their scans and making the machine lock up. So is there anything else I can try, or is it looking more like a complete wipe and reinstall of Windows?
 
Try running combofix in safe mode. To reach safe mode you would tap the F8 key during a computer restart, then choose the first option on the list: safe mode. Log into your usual account. Once at the safe mode desktop, try running combofix.
 
Hadn't thought of trying to run it in Safe Mode, but have done so now. Unfortunately, even in Safe Mode, exactly the same happened again, with ComboFix freezing at the same point as before, followed by the machine locking up and requiring a hard reboot. So it seems that ComboFix, like DDS, won't run in either normal or safe modes...

So, at the moment, it seems like the only scan I can probably run is MBAM, which is still installed and ran OK last time I tried it before my first post in this thread. AVG also ran OK the last time I ran it (again before starting this thread, and it's now deleted from the system). But I just can't get either DDS or ComboFix to run, even in Safe Mode, and any attempt to do so causes the machine to lock up.
 
Sometimes malware tricks can cause apps not to run. In my experience they won't run from the start. Yours just seem to stop in the middle after starting.
Try this:

Please download rkill.com by Grinler and save it to your desktop:

Double-click on the Rkill desktop icon to run the tool.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
After it's finished, try running DDS. If DDS runs, post its log; if not, continue:

If DDS doesn't run, download rkill.scr
Double-click on the Rkill.scr desktop icon to run the tool.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
After it's finished, try running DDS.

If DDS doesn't run, download eXplorer.exe
Double-click on the eXplorer.exe desktop icon to run the tool.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
After it's finished, try running DDS.

If DDS doesn't run, download iExplore.exe
Double-click on the iExplore.exe desktop icon to run the tool.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
After it's finished, try running DDS.

If DDS doesn't run, download uSeRiNiT.exe

Double-click on the uSeRiNiT.exe desktop icon to run the tool.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
After it's finished, try running DDS.

These tools do not delete any malware. They only terminate malware related processes that may be running-allowing you to run DDS or other tools. If you can get DDS to run that will be a start.
 
Tried all of those versions of Rkill (most of which were already on the machine from previous efforts to get rid of XP Home Security 2011). Unfortunately, none of them have had any effect, and DDS still stalls at the same point as before, followed by the machine locking up and requiring a hard reboot via the power switch.

Each version of Rkill did find and stop one process, C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe, but that's all...
 
OK, yet another download:


Download OTL to your desktop or other convenient location.
OTL does not need to be installed, simply click OTL.exe to run.
Click the Quick Scan button.
A log will open in notepad, and OTL.txt will be saved to the same location as OTL.exe (i.e.: desktop)
Please post both logs.
 
Finally, a scanner that works!! :)

Here are the logs:

OTL logfile created on: 04/06/2011 00:39:21 - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\user\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

766.92 Mb Total Physical Memory | 525.96 Mb Available Physical Memory | 68.58% Memory free
2.21 Gb Paging File | 2.01 Gb Available in Paging File | 91.09% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 19.55 Gb Free Space | 52.46% Space Free | Partition Type: NTFS

Computer Name: USER-27F08180D0 | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/04 00:38:23 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.com
PRC - [2009/12/03 17:44:42 | 000,128,296 | ---- | M] (Synaptics Incorporated) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2009/06/12 10:55:48 | 000,028,672 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\System Update\SUService.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/26 17:34:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
PRC - [2006/11/19 23:04:12 | 000,634,880 | ---- | M] () -- C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanCU.exe
PRC - [2006/06/29 21:57:50 | 000,032,768 | ---- | M] () -- C:\WINDOWS\system32\TpKmpSvc.exe
PRC - [2006/06/16 15:58:42 | 000,426,051 | ---- | M] (Intel Corporation ) -- C:\WINDOWS\system32\S24EvMon.exe
PRC - [2006/06/16 15:55:14 | 000,122,880 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\RegSrvc.exe
PRC - [2006/05/30 15:05:42 | 000,086,016 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
PRC - [2005/07/05 14:57:12 | 000,077,824 | ---- | M] () -- C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
PRC - [2004/10/14 09:11:10 | 001,388,544 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
PRC - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
PRC - [1997/08/19 00:00:00 | 000,111,376 | ---- | M] () -- C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
PRC - [1997/08/19 00:00:00 | 000,051,984 | ---- | M] () -- C:\Program Files\Microsoft Office\Office\OSA.EXE


========== Modules (SafeList) ==========

MOD - [2011/06/04 00:38:23 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.com
MOD - [2010/08/23 17:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (PEVSystemStart)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2009/06/12 10:55:48 | 000,028,672 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)
SRV - [2007/09/26 17:34:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service)
SRV - [2006/06/29 21:57:50 | 000,032,768 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\TpKmpSvc.exe -- (TpKmpSVC)
SRV - [2006/06/16 15:58:42 | 000,426,051 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\WINDOWS\system32\S24EvMon.exe -- (S24EventMonitor)
SRV - [2006/06/16 15:55:14 | 000,122,880 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\WINDOWS\system32\RegSrvc.exe -- (RegSrvc)
SRV - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2009/10/09 12:12:02 | 000,120,360 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\Apsx86.sys -- (Shockprf)
DRV - [2009/10/09 12:10:24 | 000,020,520 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\ApsHM86.sys -- (TPDIGIMN)
DRV - [2007/03/09 02:57:02 | 000,007,168 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TSMAPIP.SYS -- (TSMAPIP)
DRV - [2007/02/19 06:56:46 | 000,021,376 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2007/02/06 23:38:32 | 001,133,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/10/02 01:55:00 | 000,014,848 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SMAPINT.SYS -- (Smapint)
DRV - [2006/10/02 01:55:00 | 000,009,343 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TDSMAPI.SYS -- (TDSMAPI)
DRV - [2006/07/13 12:33:08 | 000,674,560 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w70n51.sys -- (w70n51) Intel(R)
DRV - [2006/06/16 15:50:46 | 000,010,970 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2003/06/27 08:53:44 | 001,196,352 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2002/10/02 09:57:12 | 000,013,532 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SjyPkt.sys -- (SjyPkt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3
FF - prefs.js..extensions.enabledItems: externalip@erik.morlin:0.9.9.6
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/05 11:01:10 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/05 11:01:10 | 000,000,000 | ---D | M]

[2010/07/22 20:53:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Extensions
[2011/06/01 14:58:49 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\d9aw179y.default\extensions
[2010/12/25 21:11:41 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\d9aw179y.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/07/22 22:09:41 | 000,000,000 | ---D | M] (external IP) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\d9aw179y.default\extensions\externalip@erik.morlin
[2011/05/23 15:44:01 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/22 21:52:49 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/10/31 17:40:03 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010/07/22 21:52:39 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/07/23 23:48:05 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2010/09/15 05:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/07/13 22:44:53 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/07/13 22:44:53 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/07/13 22:44:53 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/07/13 22:44:53 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2004/08/04 12:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe ()
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [TP4EX] C:\WINDOWS\System32\TP4EX.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe (Lenovo)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless Configuration Utility HW.15.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanCU.exe ()
O4 - Startup: C:\Documents and Settings\user\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\user\Start Menu\Programs\Startup\Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - Reg Error: Key error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - Explorer.exe ()
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - File not found
O20 - Winlogon\Notify\tpfnf2: DllName - notifyf2.dll - C:\WINDOWS\System32\notifyf2.dll ()
O20 - Winlogon\Notify\tphotkey: DllName - tphklock.dll - C:\WINDOWS\System32\tphklock.dll ()
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/06/16 09:52:55 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/04 00:38:23 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.com
[2011/06/03 00:31:16 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/06/02 10:22:46 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/06/02 10:20:08 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/06/02 10:20:08 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/06/02 10:20:08 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/06/02 10:20:08 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/06/02 10:08:20 | 000,718,104 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\user\Desktop\avgremover.exe
[2011/06/01 15:03:15 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/06/01 14:52:02 | 004,109,346 | R--- | C] (Swearware) -- C:\Documents and Settings\user\Desktop\ComboFix.exe
[2011/05/26 16:45:02 | 000,000,000 | R--D | C] -- C:\Documents and Settings\user\My Documents\My Videos
[2011/05/26 16:45:02 | 000,000,000 | R--D | C] -- C:\Documents and Settings\user\Start Menu\Programs\Administrative Tools
[2011/05/26 16:44:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/05/26 16:42:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2011/05/26 16:42:52 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/05/26 16:40:47 | 000,606,738 | R--- | C] (Swearware) -- C:\Documents and Settings\user\Desktop\dds.scr
[2011/05/26 16:39:18 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\user\Desktop\erunt-setup.exe
[2011/05/26 15:35:27 | 000,000,000 | -H-D | C] -- C:\$AVG
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/06/04 00:38:23 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.com
[2011/06/04 00:36:35 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/06/04 00:35:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/06/03 16:32:40 | 000,003,584 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/03 15:27:38 | 001,007,108 | ---- | M] () -- C:\Documents and Settings\user\Desktop\uSeRiNiT.exe
[2011/06/03 15:27:26 | 001,007,108 | ---- | M] () -- C:\Documents and Settings\user\Desktop\eXplorer.exe
[2011/06/03 15:27:10 | 001,007,108 | ---- | M] () -- C:\Documents and Settings\user\Desktop\iExplore.exe
[2011/06/02 10:22:56 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/06/02 10:08:21 | 000,718,104 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\user\Desktop\avgremover.exe
[2011/06/01 14:52:10 | 004,109,346 | R--- | M] (Swearware) -- C:\Documents and Settings\user\Desktop\ComboFix.exe
[2011/05/26 16:43:22 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\user\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/05/26 16:42:57 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\user\Desktop\ERUNT.lnk
[2011/05/26 16:40:48 | 000,606,738 | R--- | M] (Swearware) -- C:\Documents and Settings\user\Desktop\dds.scr
[2011/05/26 16:39:19 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\user\Desktop\erunt-setup.exe
[2011/05/26 11:03:54 | 000,010,276 | -HS- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\5111732e22216eo0mc0417
[2011/05/26 11:03:54 | 000,010,276 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\5111732e22216eo0mc0417
[2011/05/26 11:03:11 | 001,007,108 | ---- | M] () -- C:\Documents and Settings\user\Desktop\rkill.scr
[2011/05/26 11:02:53 | 001,007,108 | ---- | M] () -- C:\Documents and Settings\user\Desktop\rkill.com
[2011/05/26 11:00:35 | 000,001,134 | ---- | M] () -- C:\Documents and Settings\user\Desktop\FixNCR.reg
[2011/05/25 22:08:43 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\user\Application Data\889143.exe
[2011/05/25 22:08:43 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\user\Application Data\8879796.exe
[2011/05/25 22:08:43 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\user\Application Data\6874230.exe
[2011/05/25 22:08:43 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\user\Application Data\2581366.exe
[2011/05/18 22:52:31 | 001,150,976 | -H-- | M] () -- C:\ffastun0.ffx
[2011/05/18 22:52:31 | 000,229,376 | -H-- | M] () -- C:\ffastun.ffl
[2011/05/18 22:52:31 | 000,102,400 | -H-- | M] () -- C:\ffastun.ffo
[2011/05/18 22:52:31 | 000,005,196 | -H-- | M] () -- C:\ffastun.ffa
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/06/03 16:32:40 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/03 15:27:35 | 001,007,108 | ---- | C] () -- C:\Documents and Settings\user\Desktop\uSeRiNiT.exe
[2011/06/03 15:27:09 | 001,007,108 | ---- | C] () -- C:\Documents and Settings\user\Desktop\iExplore.exe
[2011/06/03 14:27:14 | 001,007,108 | ---- | C] () -- C:\Documents and Settings\user\Desktop\eXplorer.exe
[2011/06/02 10:22:55 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/06/02 10:22:51 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/06/02 10:20:08 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/06/02 10:20:08 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/06/02 10:20:08 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/06/02 10:20:08 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/06/02 10:20:08 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/05/26 16:43:22 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\user\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/05/26 16:42:57 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\user\Desktop\ERUNT.lnk
[2011/05/26 11:10:02 | 001,007,108 | ---- | C] () -- C:\Documents and Settings\user\Desktop\rkill.scr
[2011/05/26 11:10:02 | 001,007,108 | ---- | C] () -- C:\Documents and Settings\user\Desktop\rkill.com
[2011/05/26 11:09:57 | 000,001,134 | ---- | C] () -- C:\Documents and Settings\user\Desktop\FixNCR.reg
[2011/05/25 22:08:44 | 000,010,276 | -HS- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\5111732e22216eo0mc0417
[2011/05/25 22:08:44 | 000,010,276 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\5111732e22216eo0mc0417
[2011/05/25 22:08:43 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\user\Application Data\889143.exe
[2011/05/25 22:08:43 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\user\Application Data\8879796.exe
[2011/05/25 22:08:43 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\user\Application Data\6874230.exe
[2011/05/25 22:08:43 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\user\Application Data\2581366.exe
[2010/12/25 22:05:41 | 000,000,369 | ---- | C] () -- C:\WINDOWS\Hornby.INI
[2010/12/25 21:09:05 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2010/07/22 21:11:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\WINHELP.INI
[2010/07/22 20:53:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/07/22 20:51:21 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall.exe
[2010/07/22 20:51:21 | 000,036,104 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpowerAMP Music Converter.dat
[2010/06/16 11:30:17 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\FPCALL.dll
[2010/06/16 11:27:29 | 000,009,343 | ---- | C] () -- C:\WINDOWS\System32\drivers\TDSMAPI.SYS
[2010/06/16 11:25:44 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\TpKmpSvc.exe
[2010/06/16 10:30:45 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/06/16 10:29:16 | 000,212,080 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/16 09:56:19 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/06/16 09:49:14 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/06/16 16:09:52 | 000,045,124 | ---- | C] () -- C:\WINDOWS\System32\LsaWrApi.dll
[2006/06/16 15:57:32 | 000,528,453 | ---- | C] () -- C:\WINDOWS\System32\C1XStngs.dll
[2006/06/16 15:56:10 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\D8021Xps.dll
[2005/11/30 20:16:02 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\tphklock.dll
[2005/07/05 23:45:08 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\notifyf2.dll
[2005/04/08 17:42:06 | 000,087,540 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2005/01/13 03:00:14 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2005/01/13 03:00:10 | 000,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2004/08/04 12:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 12:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 12:00:00 | 000,432,690 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 12:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 12:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 12:00:00 | 000,067,646 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 12:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 12:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 12:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 12:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 12:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 12:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[1997/08/19 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1997/08/19 00:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL
[1995/07/20 00:00:00 | 000,053,760 | ---- | C] () -- C:\WINDOWS\System32\OPENENU.DLL
[1995/07/20 00:00:00 | 000,006,352 | ---- | C] () -- C:\WINDOWS\System32\VISXUTIL.DLL

========== LOP Check ==========

[2011/06/02 10:15:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2011/03/14 20:48:11 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files

========== Purity Check ==========



< End of report >

Here's the second log:

OTL Extras logfile created on: 04/06/2011 00:39:21 - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\user\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

766.92 Mb Total Physical Memory | 525.96 Mb Available Physical Memory | 68.58% Memory free
2.21 Gb Paging File | 2.01 Gb Available in Paging File | 91.09% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 19.55 Gb Free Space | 52.46% Space Free | Partition Type: NTFS

Computer Name: USER-27F08180D0 | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe
"C:\DOCUME~1\user\LOCALS~1\Temp\pw2o9i05_wait.exe" = C:\DOCUME~1\user\LOCALS~1\Temp\pw2o9i05_wait.exe:*:Enabled:ldrsoft -- (Sun Microsystems, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{1297C681-92D7-40EF-93BF-03F66EC5105C}" = ThinkPad EasyEject Utility
"{17CBC505-D1AE-459D-B445-3D2000A85842}" = ThinkPad UltraNav Utility
"{2111B23F-7FDA-4A41-8309-E5A1663CA296}" = ThinkPad Keyboard Customizer Utility
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java(TM) 6 Update 22
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{46A84694-59EC-48F0-964C-7E76E9F8A2ED}" = ThinkVantage Active Protection System
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{67D7BC74-E8DF-4811-9B41-6023A8C9BB3F}" = Intel(R) Sebring API
"{77086DA4-957D-11D6-8FD3-004854516C39}" = Hornby Virtual Railway Add-On Pack 2
"{82512BC9-BD5D-4C50-BE4D-B98E7DF78687}" = ThinkPad UltraNav Wizard
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8675339C-128C-44DD-83BF-0A5D6ABD8297}" = System Update
"{87FA7400-6AF4-11D5-8FCA-024C41534154}" = Hornby Virtual Railway Add-On Pack 1
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4D7B764-4140-11D4-88EB-0050DA3579C0}" = Nero - Burning Rom
"{A7B42408-C6FB-11D6-8FD4-004854516C39}" = Hornby Virtual Railway Add-On Pack 3
"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.0
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{EA664480-3844-11D5-8C25-444553540000}" = TrackPoint Accessibility Features
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F266A90C-3F4A-4F65-9901-3DBBB0D77D80}" = 802.11g Wireless Adapter HW.15 V.1.00
"{FC081D4D-DF1B-4CF1-B530-027E4118D846}" = ThinkPad Configuration
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Agere Systems Soft Modem" = Agere Systems AC'97 Modem
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"Audacity_is1" = Audacity 1.2.6
"dBpowerAMP Music Converter" = dBpowerAMP Music Converter
"ERUNT_is1" = ERUNT 1.1j
"Excel" = Microsoft Excel 7.0
"FLV Player" = FLV Player 2.0 (build 25)
"Hornby Virtual Railway" = Hornby Virtual Railway
"ie8" = Windows Internet Explorer 8
"InstallShield_{F266A90C-3F4A-4F65-9901-3DBBB0D77D80}" = 802.11g Wireless Adapter HW.15 V.1.00
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.17)" = Mozilla Firefox (3.6.17)
"Power Management Driver" = ThinkPad Power Management Driver
"Presentation Director" = ThinkPad Presentation Director
"PROSet" = Intel(R) PRO Network Connections Drivers
"Shockwave 7.0.3 Player" = Shockwave 7.0.3 Player
"Superscape 3D Control" = Superscape 3D Control
"SynTPDeinstKey" = ThinkPad UltraNav Driver
"ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"Windows XP Service Pack" = Windows XP Service Pack 3
"Word8.0" = Microsoft Word 97
"xp-AntiSpy" = xp-AntiSpy 3.92

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 26/02/2011 15:11:19 | Computer Name = USER-27F08180D0 | Source = Application Error | ID = 1000
Description = Faulting application Setup.exe, version 0.0.0.0, faulting module Setup.exe,
version 0.0.0.0, fault address 0x00037002.

Error - 09/03/2011 16:50:50 | Computer Name = USER-27F08180D0 | Source = ESENT | ID = 490
Description = svchost (1328) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 09/03/2011 16:50:50 | Computer Name = USER-27F08180D0 | Source = ESENT | ID = 439
Description = Catalog Database (1328) Unable to write a shadowed header for file
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb. Error
-1032.

Error - 09/03/2011 16:50:51 | Computer Name = USER-27F08180D0 | Source = ESENT | ID = 473
Description = Catalog Database (1328) Database C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
was partially detached. Error -1032 encountered updating database headers.

Error - 25/05/2011 17:08:56 | Computer Name = USER-27F08180D0 | Source = Application Error | ID = 1000
Description = Faulting application pw2o9i05_wait.exe, version 6.0.220.4, faulting
module pw2o9i05_wait.exe, version 6.0.220.4, fault address 0x0000410a.

Error - 02/06/2011 06:15:57 | Computer Name = USER-27F08180D0 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 0.0.0.0, faulting module
, version 0.0.0.0, fault address 0x00000000.

[ System Events ]
Error - 02/06/2011 19:26:17 | Computer Name = USER-27F08180D0 | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 02/06/2011 19:26:17 | Computer Name = USER-27F08180D0 | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 02/06/2011 19:26:17 | Computer Name = USER-27F08180D0 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Smapint Tcpip TDSMAPI TPHKDRV TSMAPIP

Error - 02/06/2011 19:28:16 | Computer Name = USER-27F08180D0 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 02/06/2011 19:29:58 | Computer Name = USER-27F08180D0 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 02/06/2011 19:31:01 | Computer Name = USER-27F08180D0 | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31

Error - 02/06/2011 19:31:01 | Computer Name = USER-27F08180D0 | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 02/06/2011 19:31:01 | Computer Name = USER-27F08180D0 | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 02/06/2011 19:31:02 | Computer Name = USER-27F08180D0 | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 02/06/2011 19:31:02 | Computer Name = USER-27F08180D0 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Smapint Tcpip TDSMAPI TPHKDRV TSMAPIP


< End of report >
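The OTL Extras log above records exactly the settings behind the symptoms described at the start of the thread: "FirewallOverride" and "AntiVirusOverride" set to 1 under the Security Center key (the values Security Center uses to mark a component as "Not Monitored"), "EnableFirewall" = 0 with notifications disabled in both firewall profiles, and a firewall exception for a randomly named program in the user's Temp folder (the same pw2o9i05_wait.exe the ESET scan later quarantines). The script below is an added example, not part of the thread or of OTL: it parses the registry blocks of an OTL Extras log and flags those three patterns. The embedded log excerpt is constructed from the report posted above; the function names and the "Not Monitored" annotation are the example's own.

```python
import re

# Constructed excerpt of an OTL Extras log, copied from the sections posted in this thread.
SAMPLE_LOG = r"""
========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe
"C:\DOCUME~1\user\LOCALS~1\Temp\pw2o9i05_wait.exe" = C:\DOCUME~1\user\LOCALS~1\Temp\pw2o9i05_wait.exe:*:Enabled:ldrsoft -- (Sun Microsystems, Inc.)
"""

SECURITY_CENTER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
FIREWALL_POLICY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
                   r"\SharedAccess\Parameters\FirewallPolicy")

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_otl_registry(text):
    """Map each [HKEY_...] block in an OTL Extras dump to its {value_name: data} pairs."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            entries[current][value.group(1)] = value.group(2)
    return entries


def audit(entries):
    """Return human-readable findings for the weak settings seen in this thread's log."""
    findings = []
    sc = entries.get(SECURITY_CENTER, {})
    for name in ("AntiVirusOverride", "FirewallOverride"):
        # An Override value of 1 tells Security Center not to monitor that component,
        # which is what produces the "Not Monitored" status reported by the poster.
        if sc.get(name) == "1":
            findings.append(f"Security Center: {name} = 1 (component shown as Not Monitored)")
    for profile in ("DomainProfile", "StandardProfile"):
        key = f"{FIREWALL_POLICY}\\{profile}"
        vals = entries.get(key, {})
        if vals.get("EnableFirewall") == "0":
            findings.append(f"Firewall: {profile} EnableFirewall = 0")
        if vals.get("DisableNotifications") == "1":
            findings.append(f"Firewall: {profile} DisableNotifications = 1")
        # Firewall exceptions granted to programs living in a Temp folder deserve a look.
        apps = entries.get(f"{key}\\AuthorizedApplications\\List", {})
        for path in apps:
            if "\\temp\\" in path.lower():
                findings.append(f"Firewall exception for a program in a Temp folder: {path}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_otl_registry(SAMPLE_LOG)):
        print(finding)
```

Run against a full OTL Extras log file by reading it into `parse_otl_registry` in place of the embedded excerpt; the parser ignores the non-registry sections (file associations, uninstall list, event log errors) because they do not start with a bracketed HKEY path.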
 
Ok. To help show all files do this:

On the desktop double click My Computer, at the top click on Tools > Folder Options > View, then select "Show hidden files and folders", then UNcheck "Hide protected operating system files" and also UNcheck "Hide extensions for known file types". Click "Apply to All Folders", then Apply, then OK.

Right click on start and using explorer navigate to:
C:\Documents and Settings\user\Application Data
then pick out any two of these .exe:

889143.exe
8879796.exe
6874230.exe
2581366.exe

Go to here and upload them one by one by using the browse button on the website to locate the .exe then the Send File button to upload them.
I will check them out as soon as I can.
Hopefully it will amount to something. Since you don't have an active AV installed, I would stay off the internet as much as possible for now also.
 
Tried uploading the files you requested, but all of the upload attempts failed because all four are zero-byte files.

And don't worry about any unnecessary internet use - there's more than one computer in the house, and the infected machine is only connected as and when needed to do whatever is requested here.
 
Not much there as far as malware goes. You still have the problem with Windows Firewall that you described originally?
You can also do an online scan as another check for malware:

ESET online scanner:

http://www.eset.com/onlinescan/

Use Internet Explorer.
Check "YES" to accept the terms.
Click the Start button.
Allow the ActiveX component to install.
Click the Start button; the scanner will update.
Check both "Remove found threats" and "Scan archives". Leave the defaults checked under Advanced settings.
Click Scan. When it completes, click "List found threats".
Click "Export to text file.." and save it to your desktop. Post the saved log.
Click "Back" and "Finish".
 
Yes, still having the same problem with the firewall showing as "Not Monitored" and getting the message about the ICS service not running.

Here's the ESET log:

C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\54\4fae7cb6-20801779 a variant of Win32/Kryptik.OEV trojan deleted - quarantined
C:\Documents and Settings\user\Local Settings\Temp\pw2o9i05_wait.exe a variant of Win32/Kryptik.OEV trojan deleted - quarantined
 
OK, not much there from the ESET scan. You can delete those .exe files you tried to upload.
Try this:

Start > Run and type in cmd
At the DOS prompt type in Netsh firewall reset
Press Enter

Next go to Start > Run and type in firewall.cpl
In the firewall window make sure it's selected as ON
 
OK, tried that, and it all seemed to go fine until I got as far as typing in firewall.cpl and clicking OK. At that point, instead of the firewall control panel window, I got the same old pop-up message saying that the firewall settings could not be displayed because the associated service is not running, and asking if I wanted to start the ICS service. Not knowing what to do next, I picked the safe option of "No", which cancels the message. Should I still be getting that message, or is that an indication that there's still a problem of some kind?
 
Starting the service was going to be the next step if the previous ones didn't work. So...
Go to Start > Run and type in services.msc and click OK or press Enter.
The Windows Services panel will open.
Under the Name column find Windows Firewall/Internet Connection Sharing (ICS).

Right click on it and select Properties:
Under the Startup type: make sure it's set to Automatic; if it's not, change it.
For Service status: make sure it's Started; if it's not, change it using the Start button. Click Apply, then OK after the changes. A reboot of the machine wouldn't hurt.

That should start the service, see how it goes.
 
OK, the firewall is now up and running, and Windows Security Centre shows it as being on!

At present, there's no AV software installed, as AVG was removed to allow other programs to run, and Windows Security Centre is showing AV as "Not Monitored" - I'm sure that, in the past with other machines that haven't had AV installed yet, it has said "Not Installed", rather than "Not Monitored", so of course that's still making me a little suspicious...
 